W3C home > Mailing lists > Public > public-tracking@w3.org > October 2012

Re: ACTION-267 - Propose first/third party definitions from existing DAA documents

From: David Wainberg <david@networkadvertising.org>
Date: Thu, 11 Oct 2012 10:27:19 -0400
Message-ID: <5076D747.20406@networkadvertising.org>
To: Jeffrey Chester <jeff@democraticmedia.org>
CC: Mike Zaneis <mike@iab.net>, Thomas Roessler <tlr@w3.org>, Aleecia McDonald <aleecia@aleecia.com>, Matthias Schunter <mts-std@schunter.org>, Rachel Thomas <RThomas@the-dma.org>, Craig Spiezle <craigs@otalliance.org>, "public-tracking@w3.org" <public-tracking@w3.org>, Kimon Zorbas <vp@iabeurope.eu>

I've raised this several times before. You've not addressed it, and you 
continue to repeat the same thing. Tell me how focusing primarily on 
third parties is a compromise. With whom did you make this compromise? 
The third parties -- the primary targets of this standard -- do not see 
it as such and have serious concerns about the competitive effects of 
the direction this standard has been going.


On 10/11/12 8:22 AM, Jeffrey Chester wrote:
> Dear Mike:
> As you and colleagues know, the privacy advocates have been willing to 
> engage in compromise in pursuit of a standard that would effectively 
> protect privacy.  We were willing to focus primarily on Third parties, 
> consider supporting the no-default approach, etc.  Indeed, just 
> several weeks ago in DC I spoke to the DAA's lobbyist.  At that time 
> he praised the willingness to compromise by the privacy groups working 
> within the WC3.  He made it clear that the industry objected to 
> Microsoft's IE default.  I told him that I was willing to discuss this 
> issue (speaking only for my CDD) in the context of a deal offering a 
> stronger outcome (no unique cookies, etc).
> However, the recent actions by the DAA/IAB show the US online ad trade 
> groups are working to derail the W3C standards process.  The recent 
> strong-arm tactics against Microsoft taken by the ANA and DAA (with 
> IAB US support) are designed to intimidate companies trying to be 
> responsible on the privacy issue.  The move last week by the DAA to 
> have all marketing and advertising declared acceptable practices 
> ("/Marketing…is as American as apple pie") /illustrates the failure of 
> US online ad industry leaders to accept responsibility for its 
> pervasive data collection practices.
> If the W3C cannot develop a meaningful standard for DNT, the failure 
> to do so is due to the intransigent position of the DAA.  It is a lost 
> opportunity.
> Regards,
> Jeff
> Jeffrey Chester
> Center for Digital Democracy
> 1621 Connecticut Ave, NW, Suite 550
> Washington, DC 20009
> www.democraticmedia.org <http://www.democraticmedia.org>
> www.digitalads.org <http://www.digitalads.org>
> 202-986-2220
> On Oct 10, 2012, at 6:39 PM, Mike Zaneis wrote:
>> Jeff,
>> I really do enjoy revisiting the IE10/browser default/non-compliant 
>> DNT signal issue every couple of months because it gives me the 
>> opportunity to just recycle my old emails on the subject. Please see 
>> my previous email below on the matter, which references your previous 
>> agreement that we should not honor default "on" browser settings:
>> Jeff,
>> I hate to revisit an issue that has been closed at least twice 
>> before, the first time being way back in September, but you again 
>> raised the browser default setting issue and its place in the W3C 
>> standards process - 
>> http://www.chicagotribune.com/news/tribnation/chi-reporting-privacy-vs-profits-on-internet-browsers-20120726,0,5932169.story. 
>> The story is about the W3C TPE Working Group and how Microsoft has 
>> decided to ship IE10 with the DNT flag turned on.  I was extremely 
>> disappointed to see your quote that industry would face a “bloody 
>> virtual and real-world fight” if we did not honor such a default.  
>> That flies in the face of your statement from last month (see below 
>> to refresh your memory).
>> I have to question whether you are negotiating at the W3C in good 
>> faith.  If the industry is to be attacked and engaged in a bloody 
>> fight even if we develop and adopt a W3C standard, then what is the 
>> incentive for us to remain at the table?  Can you please clarify your 
>> position on this vitally important issue.
>> Mike Zaneis
>> SVP & General Counsel
>> Interactive Advertising Bureau
>> (202) 253-1466 <tel:%28202%29%20253-1466>
>> Follow me on Twitter @mikezaneis
>> *From:* Jeffrey Chester [mailto:jeff@democraticmedia.org]
>> *Sent:* Sunday, June 03, 2012 5:41 PM
>> *To:* Shane Wiley
>> *Cc:* Roy T. Fielding; Justin Brookman; public-tracking@w3.org 
>> <mailto:public-tracking@w3.org>
>> *Subject:* Re: ISSUE-4 and clarity regarding browser defaults
>> I support what the working group agreed to, with DNT not being 
>> shipped as on.  That is part of the set of compromises we have agreed 
>> to within the working group.  I was surprised as everyone else with 
>> Microsoft's announcement.  I was just responding the tone of some of 
>> the comments in the press where various industry players suggest that 
>> Microsoft is a digital Benedict Arnold.  That said, we need to 
>> conclude this work with agreement on definition for policy.  I still 
>> believe there is a win-win here that can be achieved.  If we can all 
>> agree on meaningful final policy, it will be the norm which everyone 
>> should abide.
>> So to be clear.  I am not trying to undo the agreement and urge us to 
>> stay in discussions.
>> But it sounds like there will be a lot of sleeplessness in Seattle! 
>>  Those Microsoft people better lock their doors!
>> Regards,
>> Jeff
>> Jeffrey Chester
>> Center for Digital Democracy
>> 1621 Connecticut Ave <x-apple-data-detectors://4>, NW, Suite 550
>> Washington, DC 20009 <x-apple-data-detectors://5>
>> www.democraticmedia.org <http://www.democraticmedia.org/>
>> www.digitalads.org <http://www.digitalads.org/>
>> 202-986-2220 <tel:202-986-2220>
>> On Jun 3, 2012, at 4:44 PM, Shane Wiley wrote:
>> Jeff,
>> I thought we had solved this issue sometime ago at the beginning of 
>> the working group:  opt-in vs. opt-out. By moving the UA to default 
>> to DNT:1 without an explicit user action, you’re creating an opt-in 
>> world.  I understand you like that end-point, but if you’re unwilling 
>> to move back to the originally agreed upon opt-out structure, I 
>> suspect industry participants may leave the working group.  A pure 
>> opt-in outcome will have devastating impact to the online ecosystem, 
>> will prompt many to develop overly inclusive opt-in approaches, and 
>> ultimately consumers lose after being barraged with a sea of opt-in 
>> requests.  I’m saddened by this sudden 180 on this very key 
>> perspective but hopefully saner minds will prevail.
>> In my opinion, we need to resolve this fundamentally core issue prior 
>> to moving forward on any other issues at the TPWG.  Please let me 
>> know if you agree.
>> Thank you,
>> Shane
>> *
>> *
>> Mike Zaneis
>> SVP & General Counsel, IAB
>> (202) 253-1466
>> On Oct 10, 2012, at 11:52 AM, "Jeffrey Chester" 
>> <jeff@democraticmedia.org <mailto:jeff@democraticmedia.org>> wrote:
>>> I have to say I am dismayed that colleagues from the US online 
>>> marketing community are trying to replace the W3C multistakeholder 
>>> process with a system devised exclusively by the online ad industry. 
>>>  As I mentioned during last week's f2f, NGOs and other civil society 
>>> groups across the Atlantic have criticized the DAA system as 
>>> inadequate.  Leading computer science and other researchers have 
>>> also repeatedly shown how lacking and ineffective it is.  Indeed, 
>>> just two weeks ago in DC I asked Ms. Thomas if there had been any 
>>> testing done for design and usability of the system--including by 
>>> independent bodies.  The answer was basically there was no such 
>>> usability and independent review.  As we all know, the user 
>>> experience online is tested and  "optimized" to move them through a 
>>> digital data collection funnel-- in order to achieve the required 
>>> "conversion."  Until such independent testing of the DAA system to 
>>> show that it can effectively inform and empower online users about 
>>> their privacy choices-- in the face of a purposefully powerful and 
>>> designed interactive experience--the W3C would be remiss adopting it 
>>> in all or in part.
>>> In addition, yesterday's announcement by the DAA that it would, in 
>>> essence, condone a boycott of DNT requests from users relying on the 
>>> IE browser (or other browsers adopting privacy by design 
>>> frameworks), suggests there is a political motivation that should be 
>>> addressed by the group and W3C (inc. Mr. Berners-Lee).  Instead of 
>>> developing the best technical standard through expert and objective 
>>> international standards work, we appear to now confront a political 
>>> agenda designed to maintain the data collection and user targeting 
>>> status quo.  The W3C needs to do better than be silent about these 
>>> recent developments.
>>> Jeffrey Chester
>>> Center for Digital Democracy
>>> 1621 Connecticut Ave, NW, Suite 550
>>> Washington, DC 20009
>>> www.democraticmedia.org <http://www.democraticmedia.org/>
>>> www.digitalads.org <http://www.digitalads.org/>
>>> 202-986-2220
>>> On Oct 10, 2012, at 10:57 AM, Kimon Zorbas wrote:
>>>> Dear all,
>>>> to add some European flavour, here what we use in our OBA 
>>>> Framework, matching European law. We call First Parties "Web Site 
>>>> Operators". W3C can of course use this wording, we have the full 
>>>> rights to it.
>>>> Third Party
>>>> An entity is a Third Party to the extent that it engages in Online 
>>>> Behavioural Advertising on a web site or web sites other than a web 
>>>> site or web sites it or a an entity under Common Control owns or 
>>>> operates.
>>>> Web Site Operator
>>>> A Web Site Operator is the owner, controller or operator of the web 
>>>> site with which the web user interacts.
>>>> Control
>>>> Control of an entity means that another entity (1) holds a majority 
>>>> of the voting rights in it, or (2) is a member of it and has the 
>>>> right to appoint or remove a majority of its board of directors, or 
>>>> (3) is a member of it and controls alone, pursuant to an agreement 
>>>> with other members, a majority of the voting rights in it, or (4) 
>>>> has placed obligations upon or otherwise controls the policies or 
>>>> activities of it by way of a legally binding contract, or (5) 
>>>> otherwise has the power to exercise a controlling influence over 
>>>> the management, policies or activities of it, and “Controlled” 
>>>> shall be construed accordingly.
>>>> Common Control
>>>> Entities or web sites under Common Control include ones which 
>>>> Control, for example parent companies, are Controlled by, such as 
>>>> subsidiaries, or are under common Control, such as group companies. 
>>>> They also include entities that are under a written agreement to 
>>>> process data for the controlling entity or entities, and do such 
>>>> processing only for and on behalf of that entity or entities and 
>>>> not for their own purposes or on their own behalf.
>>>> For other UA, we capture them through the following wording:
>>>> To the extent that Companies collect and use data via specific 
>>>> technologies or practices that are intended to harvest data from 
>>>> all or substantially all URLs traversed by a particular computer or 
>>>> device across multiple web domains and use such data for OBA, they 
>>>> should first obtain Explicit Consent.
>>>> Kind regards,
>>>> Kimon
>>>> From: Rachel Thomas <RThomas@the-dma.org <mailto:RThomas@the-dma.org>>
>>>> Date: Wednesday 10 October 2012 16:48
>>>> To: Craig Spiezle <craigs@otalliance.org 
>>>> <mailto:craigs@otalliance.org>>, "public-tracking@w3.org 
>>>> <mailto:public-tracking@w3.org>" <public-tracking@w3.org 
>>>> <mailto:public-tracking@w3.org>>
>>>> Subject: RE: ACTION-267 - Propose first/third party definitions 
>>>> from existing DAA documents
>>>> Resent-From: <public-tracking@w3.org <mailto:public-tracking@w3.org>>
>>>> Resent-Date: Wednesday 10 October 2012 16:43
>>>> Hi Craig, great question – let me try to clarify with some 
>>>> additional info from the DAA principles.  Below is the definition 
>>>> of “affiliate” as well as some commentary on the definition from 
>>>> the DAA’s Self-Regulatory Principles for Online Behavioral 
>>>> Advertising. (Also, please note that while there is not an explicit 
>>>> definition of “affiliate” included in the DAA’s Self-Regulatory 
>>>> Principles for Multi-Site Data, the same definition applies in that 
>>>> context as well).
>>>> *_AFFILIATE_*
>>>> *Definition:*An Affiliate is an entity that Controls, is Controlled 
>>>> by, or is under common Control with, another entity.
>>>> *Commentary (relating to definitions of both “affiliate” and 
>>>> “control”):*These terms set an objective test to separate related 
>>>> First Party entities from Third Parties and others. An Affiliate is 
>>>> defined as an entity that Controls, is Controlled by, or is under 
>>>> common Control with, another entity. The definition of Control sets 
>>>> out two alternative tests, which reflect a commonly understood 
>>>> definition of a single entity. The first alternative looks to 
>>>> whether one entity is under significant common ownership with the 
>>>> other entity. The second alternative looks to whether one entity 
>>>> has the power to exercise a controlling influence over the 
>>>> management or policies of the other. In addition, each entity must 
>>>> be subject to Online Behavioral Advertising policies that are not 
>>>> materially inconsistent with the other entity’s Online Behavioral 
>>>> Advertising policies. The combination of Control and governance by 
>>>> similar Online Behavioral Advertising policies renders the two 
>>>> entities Affiliates of each other.
>>>> The tests for Control are unrelated to brand names. As a result, 
>>>> different brands, if they otherwise meet one of the tests for 
>>>> Control, would be treated as Affiliates rather than Third Parties.
>>>> The starting point for whether two or more affiliated 
>>>> consumer-facing Web sites constitute a First Party under the 
>>>> Principles is whether the Web sites are the same company. The use 
>>>> of the term Affiliate is intended to allow affiliated companies 
>>>> that are in the same corporate family to share information within 
>>>> that family as if they are the same company, thereby benefitting 
>>>> from their collective assets. The treatment of Affiliates is not 
>>>> intended to create a means for companies that are in reality 
>>>> unrelated in corporate structure (and, therefore, that consumers 
>>>> would never expect would be sharing information,) to avoid 
>>>> providing the choice required under these Principles. In many cases 
>>>> companies can readily be transparent either in branding on the Web 
>>>> sites or through clarity in the privacy notices of their particular 
>>>> Affiliates. Assuming an entity otherwise meets the standard set 
>>>> forth in the definition of Control, such practices would clearly 
>>>> satisfy and permit inclusion in the definition of Affiliate. 
>>>> However, such branding on a Web site or inclusion in a privacy 
>>>> notice is not required under the Principles as in some instances 
>>>> the complexity of corporate affiliates driven by corporate legal 
>>>> principles pose practical operational challenges.
>>>> And very best,
>>>> Rachel
>>>> *From:*Craig Spiezle [mailto:craigs@otalliance.org]
>>>> *Sent:* Tuesday, October 09, 2012 11:58 PM
>>>> *To:* Rachel Thomas; public-tracking@w3.org 
>>>> <mailto:public-tracking@w3.org>
>>>> *Subject:* RE: ACTION-267 - Propose first/third party definitions 
>>>> from existing DAA documents
>>>> This is helpful.
>>>> Just so we are all on the same page can you clarify affiliate vs. 
>>>> non-affiliate.   Is it correct to assume affiliate means a wholly 
>>>> owned entity?
>>>> So a Third Party who collects data from an affiliate is not a third 
>>>> party. So this would or could mean a totally separate brand which 
>>>> the user has no knowledge of?
>>>> Thanks
>>>> *From:*Rachel Thomas [mailto:RThomas@the-dma.org] 
>>>> <mailto:[mailto:RThomas@the-dma.org]>
>>>> *Sent:* Tuesday, October 09, 2012 1:16 PM
>>>> *To:* public-tracking@w3.org <mailto:public-tracking@w3.org>
>>>> *Subject:* ACTION-267 - Propose first/third party definitions from 
>>>> existing DAA documents
>>>> Folks – As promised, I am submitting the Digital Advertising 
>>>> Alliance (DAA) definitions of “first party” and “third party” for 
>>>> consideration / inclusion in section 3.5 
>>>> <http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#first-third-parties> 
>>>> (“First and Third Parties”) of the W3C TPWG "Tracking Compliance 
>>>> and Scope” document.  Below are both formal definitions and related 
>>>> commentary from the DAA Self-Regulatory Principles for Multi-Site 
>>>> Data 
>>>> <https://www.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf>.
>>>> *_FIRST PARTY_*
>>>> **
>>>> *Definition*: A First Party is the entity that is the owner of the 
>>>> Web site or has Control over the Web site with which the consumer 
>>>> interacts and its Affiliates.
>>>> *Commentary:*The actions of agents and other entities that 
>>>> similarly perform business operations of First Parties are treated 
>>>> as if they stand in the shoes of First Parties under these 
>>>> Principles and thus such actions are not included in Multi-Site Data.
>>>> **
>>>> *_THIRD PARTY_*
>>>> *Definition*: An entity is a Third Party to the extent that it 
>>>> collects Multi-Site Data on a non-Affiliate’s Web site.
>>>> *Commentary*:  As described in the OBA Principles, in certain 
>>>> situations where it is clear that the consumer is interacting with 
>>>> a portion of a Web site that is being operated by a different 
>>>> entity than the owner of the Web site, the different entity would 
>>>> not be a Third Party for purposes of the Principles, because the 
>>>> consumer would reasonably understand the nature of the direct 
>>>> interaction with that entity. The situation where this occurs most 
>>>> frequently today is where an entity through a “widget” or “video 
>>>> player” enables content on a Web site and it is clear that such 
>>>> content and that portion of the Web sites is provided by the other 
>>>> entity and not the First Party Web site. The other entity (e.g. the 
>>>> “widget” or “video player”) is directly interacting with the 
>>>> consumer and, from the consumer’s perspective, acting as a First 
>>>> Party. Thus, it is unnecessary to apply to these activities the 
>>>> Principles governing data collection and use by Third Parties with 
>>>> which the consumer is not directly interacting.
>>>> Very best,
>>>> Rachel**
>>>> **
>>>> *Rachel Nyswander Thomas*
>>>> Vice President, Government Affairs
>>>> Direct Marketing Association
>>>> (202) 861-2443 office
>>>> (202) 560-2335 cell
>>>> rthomas@the-dma.org <mailto:rthomas@the-dma.org>
>>>> *Join us at DMA2012 Conference and Exhibition*
>>>> The Global Event for Real-Time Marketers
>>>> October 13-18, 2012 | Las Vegas, NV
>>>> *Register NOW & SAVE up to $200*|www.dma12.org <http://www.dma12.org/>
Received on Thursday, 11 October 2012 14:27:56 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:39:07 UTC