Re: ACTION-267 - Propose first/third party definitions from existing DAA documents

Jeff,

I've raised this several times before. You've not addressed it, and you 
continue to repeat the same thing. Tell me how focusing primarily on 
third parties is a compromise. With whom did you make this compromise? 
The third parties -- the primary targets of this standard -- do not see 
it as such and have serious concerns about the competitive effects of 
the direction this standard has been going.

-David


On 10/11/12 8:22 AM, Jeffrey Chester wrote:
> Dear Mike:
>
> As you and colleagues know, the privacy advocates have been willing to 
> engage in compromise in pursuit of a standard that would effectively 
> protect privacy.  We were willing to focus primarily on Third parties, 
> consider supporting the no-default approach, etc.  Indeed, just 
> several weeks ago in DC I spoke to the DAA's lobbyist.  At that time 
> he praised the willingness to compromise by the privacy groups working 
> within the WC3.  He made it clear that the industry objected to 
> Microsoft's IE default.  I told him that I was willing to discuss this 
> issue (speaking only for my CDD) in the context of a deal offering a 
> stronger outcome (no unique cookies, etc).
>
> However, the recent actions by the DAA/IAB show the US online ad trade 
> groups are working to derail the W3C standards process.  The recent 
> strong-arm tactics against Microsoft taken by the ANA and DAA (with 
> IAB US support) are designed to intimidate companies trying to be 
> responsible on the privacy issue.  The move last week by the DAA to 
> have all marketing and advertising declared acceptable practices 
> ("/Marketing…is as American as apple pie") /illustrates the failure of 
> US online ad industry leaders to accept responsibility for its 
> pervasive data collection practices.
>
> If the W3C cannot develop a meaningful standard for DNT, the failure 
> to do so is due to the intransigent position of the DAA.  It is a lost 
> opportunity.
>
> Regards,
>
> Jeff
>
>
>
> Jeffrey Chester
> Center for Digital Democracy
> 1621 Connecticut Ave, NW, Suite 550
> Washington, DC 20009
> www.democraticmedia.org <http://www.democraticmedia.org>
> www.digitalads.org <http://www.digitalads.org>
> 202-986-2220
>
> On Oct 10, 2012, at 6:39 PM, Mike Zaneis wrote:
>
>> Jeff,
>>
>> I really do enjoy revisiting the IE10/browser default/non-compliant 
>> DNT signal issue every couple of months because it gives me the 
>> opportunity to just recycle my old emails on the subject. Please see 
>> my previous email below on the matter, which references your previous 
>> agreement that we should not honor default "on" browser settings:
>>
>>
>> Jeff,
>> I hate to revisit an issue that has been closed at least twice 
>> before, the first time being way back in September, but you again 
>> raised the browser default setting issue and its place in the W3C 
>> standards process - 
>> http://www.chicagotribune.com/news/tribnation/chi-reporting-privacy-vs-profits-on-internet-browsers-20120726,0,5932169.story. 
>> The story is about the W3C TPE Working Group and how Microsoft has 
>> decided to ship IE10 with the DNT flag turned on.  I was extremely 
>> disappointed to see your quote that industry would face a “bloody 
>> virtual and real-world fight” if we did not honor such a default.  
>> That flies in the face of your statement from last month (see below 
>> to refresh your memory).
>> I have to question whether you are negotiating at the W3C in good 
>> faith.  If the industry is to be attacked and engaged in a bloody 
>> fight even if we develop and adopt a W3C standard, then what is the 
>> incentive for us to remain at the table?  Can you please clarify your 
>> position on this vitally important issue.
>> Mike Zaneis
>> SVP & General Counsel
>> Interactive Advertising Bureau
>> (202) 253-1466 <tel:%28202%29%20253-1466>
>> Follow me on Twitter @mikezaneis
>> *From:* Jeffrey Chester [mailto:jeff@democraticmedia.org]
>> *Sent:* Sunday, June 03, 2012 5:41 PM
>> *To:* Shane Wiley
>> *Cc:* Roy T. Fielding; Justin Brookman; public-tracking@w3.org 
>> <mailto:public-tracking@w3.org>
>> *Subject:* Re: ISSUE-4 and clarity regarding browser defaults
>> I support what the working group agreed to, with DNT not being 
>> shipped as on.  That is part of the set of compromises we have agreed 
>> to within the working group.  I was surprised as everyone else with 
>> Microsoft's announcement.  I was just responding the tone of some of 
>> the comments in the press where various industry players suggest that 
>> Microsoft is a digital Benedict Arnold.  That said, we need to 
>> conclude this work with agreement on definition for policy.  I still 
>> believe there is a win-win here that can be achieved.  If we can all 
>> agree on meaningful final policy, it will be the norm which everyone 
>> should abide.
>> So to be clear.  I am not trying to undo the agreement and urge us to 
>> stay in discussions.
>> But it sounds like there will be a lot of sleeplessness in Seattle! 
>>  Those Microsoft people better lock their doors!
>> Regards,
>> Jeff
>> Jeffrey Chester
>> Center for Digital Democracy
>> 1621 Connecticut Ave <x-apple-data-detectors://4>, NW, Suite 550
>> Washington, DC 20009 <x-apple-data-detectors://5>
>> www.democraticmedia.org <http://www.democraticmedia.org/>
>> www.digitalads.org <http://www.digitalads.org/>
>> 202-986-2220 <tel:202-986-2220>
>> On Jun 3, 2012, at 4:44 PM, Shane Wiley wrote:
>>
>>
>> Jeff,
>> I thought we had solved this issue sometime ago at the beginning of 
>> the working group:  opt-in vs. opt-out. By moving the UA to default 
>> to DNT:1 without an explicit user action, you’re creating an opt-in 
>> world.  I understand you like that end-point, but if you’re unwilling 
>> to move back to the originally agreed upon opt-out structure, I 
>> suspect industry participants may leave the working group.  A pure 
>> opt-in outcome will have devastating impact to the online ecosystem, 
>> will prompt many to develop overly inclusive opt-in approaches, and 
>> ultimately consumers lose after being barraged with a sea of opt-in 
>> requests.  I’m saddened by this sudden 180 on this very key 
>> perspective but hopefully saner minds will prevail.
>>
>> In my opinion, we need to resolve this fundamentally core issue prior 
>> to moving forward on any other issues at the TPWG.  Please let me 
>> know if you agree.
>> Thank you,
>> Shane
>> *
>> *
>>
>> Mike Zaneis
>> SVP & General Counsel, IAB
>> (202) 253-1466
>>
>>
>>
>> On Oct 10, 2012, at 11:52 AM, "Jeffrey Chester" 
>> <jeff@democraticmedia.org <mailto:jeff@democraticmedia.org>> wrote:
>>
>>> I have to say I am dismayed that colleagues from the US online 
>>> marketing community are trying to replace the W3C multistakeholder 
>>> process with a system devised exclusively by the online ad industry. 
>>>  As I mentioned during last week's f2f, NGOs and other civil society 
>>> groups across the Atlantic have criticized the DAA system as 
>>> inadequate.  Leading computer science and other researchers have 
>>> also repeatedly shown how lacking and ineffective it is.  Indeed, 
>>> just two weeks ago in DC I asked Ms. Thomas if there had been any 
>>> testing done for design and usability of the system--including by 
>>> independent bodies.  The answer was basically there was no such 
>>> usability and independent review.  As we all know, the user 
>>> experience online is tested and  "optimized" to move them through a 
>>> digital data collection funnel-- in order to achieve the required 
>>> "conversion."  Until such independent testing of the DAA system to 
>>> show that it can effectively inform and empower online users about 
>>> their privacy choices-- in the face of a purposefully powerful and 
>>> designed interactive experience--the W3C would be remiss adopting it 
>>> in all or in part.
>>>
>>> In addition, yesterday's announcement by the DAA that it would, in 
>>> essence, condone a boycott of DNT requests from users relying on the 
>>> IE browser (or other browsers adopting privacy by design 
>>> frameworks), suggests there is a political motivation that should be 
>>> addressed by the group and W3C (inc. Mr. Berners-Lee).  Instead of 
>>> developing the best technical standard through expert and objective 
>>> international standards work, we appear to now confront a political 
>>> agenda designed to maintain the data collection and user targeting 
>>> status quo.  The W3C needs to do better than be silent about these 
>>> recent developments.
>>>
>>>
>>>
>>>
>>> Jeffrey Chester
>>> Center for Digital Democracy
>>> 1621 Connecticut Ave, NW, Suite 550
>>> Washington, DC 20009
>>> www.democraticmedia.org <http://www.democraticmedia.org/>
>>> www.digitalads.org <http://www.digitalads.org/>
>>> 202-986-2220
>>>
>>> On Oct 10, 2012, at 10:57 AM, Kimon Zorbas wrote:
>>>
>>>> Dear all,
>>>>
>>>> to add some European flavour, here what we use in our OBA 
>>>> Framework, matching European law. We call First Parties "Web Site 
>>>> Operators". W3C can of course use this wording, we have the full 
>>>> rights to it.
>>>>
>>>> Third Party
>>>> An entity is a Third Party to the extent that it engages in Online 
>>>> Behavioural Advertising on a web site or web sites other than a web 
>>>> site or web sites it or a an entity under Common Control owns or 
>>>> operates.
>>>>
>>>> Web Site Operator
>>>> A Web Site Operator is the owner, controller or operator of the web 
>>>> site with which the web user interacts.
>>>>
>>>> Control
>>>> Control of an entity means that another entity (1) holds a majority 
>>>> of the voting rights in it, or (2) is a member of it and has the 
>>>> right to appoint or remove a majority of its board of directors, or 
>>>> (3) is a member of it and controls alone, pursuant to an agreement 
>>>> with other members, a majority of the voting rights in it, or (4) 
>>>> has placed obligations upon or otherwise controls the policies or 
>>>> activities of it by way of a legally binding contract, or (5) 
>>>> otherwise has the power to exercise a controlling influence over 
>>>> the management, policies or activities of it, and “Controlled” 
>>>> shall be construed accordingly.
>>>>
>>>> Common Control
>>>> Entities or web sites under Common Control include ones which 
>>>> Control, for example parent companies, are Controlled by, such as 
>>>> subsidiaries, or are under common Control, such as group companies. 
>>>> They also include entities that are under a written agreement to 
>>>> process data for the controlling entity or entities, and do such 
>>>> processing only for and on behalf of that entity or entities and 
>>>> not for their own purposes or on their own behalf.
>>>>
>>>>
>>>> For other UA, we capture them through the following wording:
>>>> To the extent that Companies collect and use data via specific 
>>>> technologies or practices that are intended to harvest data from 
>>>> all or substantially all URLs traversed by a particular computer or 
>>>> device across multiple web domains and use such data for OBA, they 
>>>> should first obtain Explicit Consent.
>>>>
>>>> Kind regards,
>>>> Kimon
>>>>
>>>> From: Rachel Thomas <RThomas@the-dma.org <mailto:RThomas@the-dma.org>>
>>>> Date: Wednesday 10 October 2012 16:48
>>>> To: Craig Spiezle <craigs@otalliance.org 
>>>> <mailto:craigs@otalliance.org>>, "public-tracking@w3.org 
>>>> <mailto:public-tracking@w3.org>" <public-tracking@w3.org 
>>>> <mailto:public-tracking@w3.org>>
>>>> Subject: RE: ACTION-267 - Propose first/third party definitions 
>>>> from existing DAA documents
>>>> Resent-From: <public-tracking@w3.org <mailto:public-tracking@w3.org>>
>>>> Resent-Date: Wednesday 10 October 2012 16:43
>>>>
>>>> Hi Craig, great question – let me try to clarify with some 
>>>> additional info from the DAA principles.  Below is the definition 
>>>> of “affiliate” as well as some commentary on the definition from 
>>>> the DAA’s Self-Regulatory Principles for Online Behavioral 
>>>> Advertising. (Also, please note that while there is not an explicit 
>>>> definition of “affiliate” included in the DAA’s Self-Regulatory 
>>>> Principles for Multi-Site Data, the same definition applies in that 
>>>> context as well).
>>>> *_AFFILIATE_*
>>>> *Definition:*An Affiliate is an entity that Controls, is Controlled 
>>>> by, or is under common Control with, another entity.
>>>> *Commentary (relating to definitions of both “affiliate” and 
>>>> “control”):*These terms set an objective test to separate related 
>>>> First Party entities from Third Parties and others. An Affiliate is 
>>>> defined as an entity that Controls, is Controlled by, or is under 
>>>> common Control with, another entity. The definition of Control sets 
>>>> out two alternative tests, which reflect a commonly understood 
>>>> definition of a single entity. The first alternative looks to 
>>>> whether one entity is under significant common ownership with the 
>>>> other entity. The second alternative looks to whether one entity 
>>>> has the power to exercise a controlling influence over the 
>>>> management or policies of the other. In addition, each entity must 
>>>> be subject to Online Behavioral Advertising policies that are not 
>>>> materially inconsistent with the other entity’s Online Behavioral 
>>>> Advertising policies. The combination of Control and governance by 
>>>> similar Online Behavioral Advertising policies renders the two 
>>>> entities Affiliates of each other.
>>>> The tests for Control are unrelated to brand names. As a result, 
>>>> different brands, if they otherwise meet one of the tests for 
>>>> Control, would be treated as Affiliates rather than Third Parties.
>>>> The starting point for whether two or more affiliated 
>>>> consumer-facing Web sites constitute a First Party under the 
>>>> Principles is whether the Web sites are the same company. The use 
>>>> of the term Affiliate is intended to allow affiliated companies 
>>>> that are in the same corporate family to share information within 
>>>> that family as if they are the same company, thereby benefitting 
>>>> from their collective assets. The treatment of Affiliates is not 
>>>> intended to create a means for companies that are in reality 
>>>> unrelated in corporate structure (and, therefore, that consumers 
>>>> would never expect would be sharing information,) to avoid 
>>>> providing the choice required under these Principles. In many cases 
>>>> companies can readily be transparent either in branding on the Web 
>>>> sites or through clarity in the privacy notices of their particular 
>>>> Affiliates. Assuming an entity otherwise meets the standard set 
>>>> forth in the definition of Control, such practices would clearly 
>>>> satisfy and permit inclusion in the definition of Affiliate. 
>>>> However, such branding on a Web site or inclusion in a privacy 
>>>> notice is not required under the Principles as in some instances 
>>>> the complexity of corporate affiliates driven by corporate legal 
>>>> principles pose practical operational challenges.
>>>> And very best,
>>>> Rachel
>>>> *From:*Craig Spiezle [mailto:craigs@otalliance.org]
>>>> *Sent:* Tuesday, October 09, 2012 11:58 PM
>>>> *To:* Rachel Thomas; public-tracking@w3.org 
>>>> <mailto:public-tracking@w3.org>
>>>> *Subject:* RE: ACTION-267 - Propose first/third party definitions 
>>>> from existing DAA documents
>>>> This is helpful.
>>>> Just so we are all on the same page can you clarify affiliate vs. 
>>>> non-affiliate.   Is it correct to assume affiliate means a wholly 
>>>> owned entity?
>>>> So a Third Party who collects data from an affiliate is not a third 
>>>> party. So this would or could mean a totally separate brand which 
>>>> the user has no knowledge of?
>>>> Thanks
>>>> *From:*Rachel Thomas [mailto:RThomas@the-dma.org] 
>>>> <mailto:[mailto:RThomas@the-dma.org]>
>>>> *Sent:* Tuesday, October 09, 2012 1:16 PM
>>>> *To:* public-tracking@w3.org <mailto:public-tracking@w3.org>
>>>> *Subject:* ACTION-267 - Propose first/third party definitions from 
>>>> existing DAA documents
>>>> Folks – As promised, I am submitting the Digital Advertising 
>>>> Alliance (DAA) definitions of “first party” and “third party” for 
>>>> consideration / inclusion in section 3.5 
>>>> <http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#first-third-parties> 
>>>> (“First and Third Parties”) of the W3C TPWG "Tracking Compliance 
>>>> and Scope” document.  Below are both formal definitions and related 
>>>> commentary from the DAA Self-Regulatory Principles for Multi-Site 
>>>> Data 
>>>> <https://www.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf>.
>>>> *_FIRST PARTY_*
>>>> **
>>>>
>>>> *Definition*: A First Party is the entity that is the owner of the 
>>>> Web site or has Control over the Web site with which the consumer 
>>>> interacts and its Affiliates.
>>>>
>>>> *Commentary:*The actions of agents and other entities that 
>>>> similarly perform business operations of First Parties are treated 
>>>> as if they stand in the shoes of First Parties under these 
>>>> Principles and thus such actions are not included in Multi-Site Data.
>>>>
>>>> **
>>>> *_THIRD PARTY_*
>>>>
>>>> *Definition*: An entity is a Third Party to the extent that it 
>>>> collects Multi-Site Data on a non-Affiliate’s Web site.
>>>>
>>>> *Commentary*:  As described in the OBA Principles, in certain 
>>>> situations where it is clear that the consumer is interacting with 
>>>> a portion of a Web site that is being operated by a different 
>>>> entity than the owner of the Web site, the different entity would 
>>>> not be a Third Party for purposes of the Principles, because the 
>>>> consumer would reasonably understand the nature of the direct 
>>>> interaction with that entity. The situation where this occurs most 
>>>> frequently today is where an entity through a “widget” or “video 
>>>> player” enables content on a Web site and it is clear that such 
>>>> content and that portion of the Web sites is provided by the other 
>>>> entity and not the First Party Web site. The other entity (e.g. the 
>>>> “widget” or “video player”) is directly interacting with the 
>>>> consumer and, from the consumer’s perspective, acting as a First 
>>>> Party. Thus, it is unnecessary to apply to these activities the 
>>>> Principles governing data collection and use by Third Parties with 
>>>> which the consumer is not directly interacting.
>>>>
>>>> Very best,
>>>> Rachel**
>>>> **
>>>> *Rachel Nyswander Thomas*
>>>> Vice President, Government Affairs
>>>> Direct Marketing Association
>>>> (202) 861-2443 office
>>>> (202) 560-2335 cell
>>>> rthomas@the-dma.org <mailto:rthomas@the-dma.org>
>>>> *Join us at DMA2012 Conference and Exhibition*
>>>> The Global Event for Real-Time Marketers
>>>> October 13-18, 2012 | Las Vegas, NV
>>>> *Register NOW & SAVE up to $200*|www.dma12.org <http://www.dma12.org/>
>>>
>