RE: ISSUE-10 First party definition, ISSUE-60, ACTION-? from Alexander Hanff on 2013-02-27 (public-tracking@w3.org from February 2013)

From: Alexander Hanff <a.hanff@think-privacy.com>
Date: Wed, 27 Feb 2013 18:37:28 +0100
To: <public-tracking@w3.org>
Message-ID: <00e101ce1511$1d380140$57a803c0$@think-privacy.com>
I don't see why you find this so difficult to understand Justin - it doesn't
matter a jot whether or not User A clicked on a Facebook Like button for an
article on NYT - clicking on a "Like" button is not the same as saying "OK
Facebook, you can track that I have read this article and use that data to
add to my behavioural profile for targeted ads" irrespective of whether or
not the next site places Facebook back into the "3rd party" bucket.

 

It really isn't difficult to grasp - where is it specifically that you don't
understand the point?

 

Alexander Hanff

 

 

 

From: Justin Brookman [mailto:justin@cdt.org] 
Sent: 27 February 2013 18:27
To: public-tracking@w3.org
Subject: Re: ISSUE-10 First party definition, ISSUE-60, ACTION-?

 

Let me spell this out, since you seem to not understand.

 

If a person clicks on a Like button, or Tweet button or uses a "Search this
site with Google" widget or any other 3rd party widget, that does not mean
they consent to being tracked.  Their purpose in using the widget is to do
what one logically assumes the widget is for, "Like", "Tweet" or "Search" -
so frankly your defence that these only become first party if a user
interacts is completely irrelevant.

Thank you for spelling things out, but I still may not understand you.
Clicking a Like button once does not mean persistent consent to track.  It
means in that specific network interaction, DNT does not apply to FB because
the user intended to communicate with FB.  So if I click "like" on a NYT
story, FB learns that I assert to like that story.  That's it.  The next
page I go to with a like button, FB is back to being a third party again.
Does that make sense?



 

You are forcing consent on users based on a completely fabricated premise.

 

Alexander Hanff

 

From: Justin Brookman [mailto:justin@cdt.org] 
Sent: 27 February 2013 18:10
To: public-tracking@w3.org
Subject: Re: ISSUE-10 First party definition, ISSUE-60, ACTION-?

 

On 2/27/2013 11:48 AM, Alexander Hanff wrote:

The issue in question is not whether or not people will be aware that by
clicking on a Like button it will post something to their timeline - that is
not the purpose of Do Not Track.  The issue in question is whether or not
someone accepts or consents to Facebook tracking their online behaviour if
they click on a like button and do so across all web sites where those
buttons exists - furthermore, just clicking on the button is not an accurate
description of how this tracking works.

 

My understanding is that if a user is currently logged in to Facebook or has
any Facebook cookies on their machine, merely loading a page with the "Like"
button script embedded is enough for Facebook to be able to track that user
across sites with the widget.

For the sole purpose of deterring you from spreading further misinformation
about me and this working group, I will point out that the standard does not
define widgets with which a user does *not* interact as first parties.  So
if there's a Tweet button on a NYTimes page that I do *not* click, Twitter
is not a first party in that interaction.  This has been agreed within the
group for months and is obvious from the plain language of the text.  Again,
as with the discussion of deidentification, I would appreciate some modicum
of effort on your part to understand this group's work before flinging
around ungrounded insults and misplaced anger.




 

From: Justin Brookman [mailto:justin@cdt.org] 
Sent: 27 February 2013 17:34
To: public-tracking@w3.org
Subject: Re: ISSUE-10 First party definition, ISSUE-60, ACTION-?

 

There is no consensus definition of "first party" --- there are three
separate ones in the text.  I believe they all say much the same thing and I
was merely trying to merge them. :)

I believe the group is at consensus that if someone clicks a "Like" button,
then it is reasonable to expect that Facebook is going to receive
information that falls outside the scope of Do Not Track (namely, that the
user 'likes' some particular page or pbject, and now FB can display that in
Newsfeed and Timeline consistent with the user's privacy settings).  If
anyone in the working group disagrees with that, feel free to speak up.
Alexander, if you want to comb through the mailing list to see our previous
exhaustive discussions on this, you may find them informative.  Or you may
not, I don't know.

However, you do, obliquely, get to a relevant point --- that perhaps the
definition should include be revised to say "clearly branded" before
"embedded widget" in order to make sure that the user knows what she's
clicking on.  I believe the group had discussed something similar
previously.  I would be fine with a discussion on what constitutes clear
branding (I would say things like the Like, Tweet, and +1 buttons qualify)
in an appendix.






Justin Brookman
Director, Consumer Privacy
Center for Democracy & Technology
tel 202.407.8812
justin@cdt.org
http://www.cdt.org
@JustinBrookman
@CenDemTech

On 2/27/2013 11:01 AM, Alexander Hanff wrote:

Why is the group second guessing what consumers think?  The definition of
first party already exists, there is no need to redefine it in a light which
makes it easier for exceptions to be made for tracking widgets.

 

Many users will not be remotely aware that a "Like" button is actually
hosted by Facebook, they would assume it is hosted on the domain they are
visiting.  To assume otherwise is absurd and further weakens the validity of
this DNT process.

 

Alexander Hanff

 

From: Justin Brookman [mailto:justin@cdt.org] 
Sent: 27 February 2013 16:52
To: public-tracking@w3.org
Subject: ISSUE-10 First party definition, ISSUE-60, ACTION-?

 

Peter asked me to try to combine the three definitions of "first party" in
the current text in consultation with Heather.  The existing definitions are
all very close, and I don't think there are major substantive disagreements
here.  Anyway, here is my best effort (Heather provided feedback, but she's
not around this morning, so I don't know if she blesses this):

 

In a specific network interaction, if a party can reasonably conclude with
high probability that the user intends to communicate with it, that party is
a <dfn>first party</dfn>.  In most cases on a traditional web browser, the
first party will be the party that owns and operates the domain visible in
the address bar.  A first party also includes a party that owns and operates
an embedded widget, search box, or similar service with which a user
intentionally interacts.  If a user merely mouses over, closes, or mutes
such content, that is not sufficient interaction to render the party a first
party. 

 

Rob Sherman is separately working on text regarding multiple first parties.

 

Chris Pedigo and Vinay Goel are separately working on text regarding data
processors that stand in the shoes of their controllers, party-wise.

-- 
Justin Brookman
Director, Consumer Privacy
Center for Democracy & Technology
tel 202.407.8812
justin@cdt.org
http://www.cdt.org
@JustinBrookman
@CenDemTech
Received on Wednesday, 27 February 2013 17:37:51 UTC