Re: ISSUE-10 First party definition, ISSUE-60, ACTION-? from Justin Brookman on 2013-02-27 (public-tracking@w3.org from February 2013)

From: Justin Brookman <justin@cdt.org>
Date: Wed, 27 Feb 2013 12:27:00 -0500
To: public-tracking@w3.org
Message-ID: <512E41E4.7010500@cdt.org>
> Let me spell this out, since you seem to not understand.
>
> If a person clicks on a Like button, or Tweet button or uses a "Search 
> this site with Google" widget or any other 3^rd party widget, that 
> does not mean they consent to being tracked.  Their purpose in using 
> the widget is to do what one logically assumes the widget is for, 
> "Like", "Tweet" or "Search" -- so frankly your defence that these only 
> become first party if a user interacts is completely irrelevant.
>
Thank you for spelling things out, but I still may not understand you.  
Clicking a Like button once does not mean persistent consent to track.  
It means /in that specific network interaction/, DNT does not apply to 
FB because the user intended to communicate with FB.  So if I click 
"like" on a NYT story, FB learns that I assert to like that story.  
That's it.  The next page I go to with a like button, FB is back to 
being a third party again.  Does that make sense?
>
> You are forcing consent on users based on a completely fabricated premise.
>
> Alexander Hanff
>
> *From:*Justin Brookman [mailto:justin@cdt.org]
> *Sent:* 27 February 2013 18:10
> *To:* public-tracking@w3.org
> *Subject:* Re: ISSUE-10 First party definition, ISSUE-60, ACTION-?
>
> On 2/27/2013 11:48 AM, Alexander Hanff wrote:
>
>     The issue in question is not whether or not people will be aware
>     that by clicking on a Like button it will post something to their
>     timeline -- that is not the purpose of Do Not Track.  The issue in
>     question is whether or not someone accepts or consents to Facebook
>     tracking their online behaviour if they click on a like button and
>     do so across all web sites where those buttons exists --
>     furthermore, just clicking on the button is not an accurate
>     description of how this tracking works.
>
>     My understanding is that if a user is currently logged in to
>     Facebook or has any Facebook cookies on their machine, merely
>     loading a page with the "Like" button script embedded is enough
>     for Facebook to be able to track that user across sites with the
>     widget.
>
> For the sole purpose of deterring you from spreading further 
> misinformation about me and this working group, I will point out that 
> the standard does not define widgets with which a user does *not* 
> interact as first parties.  So if there's a Tweet button on a NYTimes 
> page that I do *not* click, Twitter is not a first party in that 
> interaction.  This has been agreed within the group for months and is 
> obvious from the plain language of the text.  Again, as with the 
> discussion of deidentification, I would appreciate some modicum of 
> effort on your part to understand this group's work before flinging 
> around ungrounded insults and misplaced anger.
>
> *From:*Justin Brookman [mailto:justin@cdt.org]
> *Sent:* 27 February 2013 17:34
> *To:* public-tracking@w3.org <mailto:public-tracking@w3.org>
> *Subject:* Re: ISSUE-10 First party definition, ISSUE-60, ACTION-?
>
> There is no consensus definition of "first party" --- there are three 
> separate ones in the text.  I believe they all say much the same thing 
> and I was merely trying to merge them. :)
>
> I believe the group is at consensus that if someone clicks a "Like" 
> button, then it is reasonable to expect that Facebook is going to 
> receive information that falls outside the scope of Do Not Track 
> (namely, that the user 'likes' some particular page or pbject, and now 
> FB can display that in Newsfeed and Timeline consistent with the 
> user's privacy settings).  If anyone in the working group disagrees 
> with that, feel free to speak up.  Alexander, if you want to comb 
> through the mailing list to see our previous exhaustive discussions on 
> this, you may find them informative.  Or you may not, I don't know.
>
> However, you do, obliquely, get to a relevant point --- that perhaps 
> the definition should include be revised to say "clearly branded" 
> before "embedded widget" in order to make sure that the user knows 
> what she's clicking on.  I believe the group had discussed something 
> similar previously.  I would be fine with a discussion on what 
> constitutes clear branding (I would say things like the Like, Tweet, 
> and +1 buttons qualify) in an appendix.
>
>
>
> Justin Brookman
> Director, Consumer Privacy
> Center for Democracy & Technology
> tel 202.407.8812
> justin@cdt.org  <mailto:justin@cdt.org>
> http://www.cdt.org
> @JustinBrookman
> @CenDemTech
>
> On 2/27/2013 11:01 AM, Alexander Hanff wrote:
>
>     Why is the group second guessing what consumers think?  The
>     definition of first party already exists, there is no need to
>     redefine it in a light which makes it easier for exceptions to be
>     made for tracking widgets.
>
>     Many users will not be remotely aware that a "Like" button is
>     actually hosted by Facebook, they would assume it is hosted on the
>     domain they are visiting.  To assume otherwise is absurd and
>     further weakens the validity of this DNT process.
>
>     Alexander Hanff
>
>     *From:*Justin Brookman [mailto:justin@cdt.org]
>     *Sent:* 27 February 2013 16:52
>     *To:* public-tracking@w3.org <mailto:public-tracking@w3.org>
>     *Subject:* ISSUE-10 First party definition, ISSUE-60, ACTION-?
>
>     Peter asked me to try to combine the three definitions of "first
>     party" in the current text in consultation with Heather.  The
>     existing definitions are all very close, and I don't think there
>     are major substantive disagreements here.  Anyway, here is my best
>     effort (Heather provided feedback, but she's not around this
>     morning, so I don't know if she blesses this):
>
>     *In a specific network interaction, if a party can reasonably
>     conclude with high probability that the user intends to
>     communicate with it, that party is a <dfn>first party</dfn>.  In
>     most cases on a traditional web browser, the first party will be
>     the party that owns and operates the domain visible in the address
>     bar.  A first party also includes a party that owns and operates
>     an embedded widget, search box, or similar service with which a
>     user intentionally interacts.  If a user merely mouses over,
>     closes, or mutes such content, that is not sufficient interaction
>     to render the party a first party.*
>
>     Rob Sherman is separately working on text regarding multiple first
>     parties.
>
>     Chris Pedigo and Vinay Goel are separately working on text
>     regarding data processors that stand in the shoes of their
>     controllers, party-wise.
>
>     -- 
>
>     Justin Brookman
>
>     Director, Consumer Privacy
>
>     Center for Democracy & Technology
>
>     tel 202.407.8812
>
>     justin@cdt.org  <mailto:justin@cdt.org>
>
>     http://www.cdt.org
>
>     @JustinBrookman
>
>     @CenDemTech
>
Received on Wednesday, 27 February 2013 17:27:30 UTC