- From: Rigo Wenning <rigo@w3.org>
- Date: Wed, 27 Feb 2013 22:03:35 +0100
- To: public-tracking@w3.org
- Cc: Alexander Hanff <a.hanff@think-privacy.com>, 'John Simpson' <john@consumerwatchdog.org>
The distinction between first party cookies and third party cookies was first broadly used by Microsoft in its P3P implementation 2002. IE6 refused third party cookies unless there was an acceptable P3P Policy. The first/third party in DNT comes from a distinction made by the FTC in some case 2 years or so ago (can somebody come up with a name?). DNT wanted to reflect that. It is well known that I'm against that distinction. In most regulated systems, that distinction doesn't exist. --Rigo On Wednesday 27 February 2013 20:46:30 Alexander Hanff wrote: > Hi John, > > > > RFC's relating to cookies (where the talk of 1st and 3rd party > entities began in 1997) are RFC 2109 (1997), RFC 2965 (2000) and RFC > 6265 (2011) where it is made pretty clear that a first party is an > entity that exists within the requested URI (either directly or a > sub-domain of the requested URI) anything else is third party. > > > > It is actually quite interesting that we have come full circle to the > RFCs because there was an incredibly aggressive debate at the time > whether or not to block 3rd party cookies completely because of the > privacy concerns (back in 1997) - predictions which have since come > true. The 2000 discussion was more relaxed and agreed to allow third > party cookies but to give users controls to block them if my memory > serves me correctly (which is why we have 3rd party cookie options in > web browsers to this day). The 2011 discussions were equally > concerned about the privacy issues with 3rd party cookies but allowed > leverage on how browsers handle them. > > > > However when talking about first and third party, this was first > discussed in the 1997 RFC with the requested URI definition to my > knowledge - I am willing to read any earlier definitions if someone > has one to hand? > > > > Regards, > > > > Alexander Hanff > > > > From: John Simpson [mailto:john@consumerwatchdog.org] > Sent: 27 February 2013 20:25 > To: Alexander Hanff > Cc: public-tracking@w3.org > Subject: Re: ISSUE-10 First party definition, ISSUE-60, ACTION-? > > > > Hi Alexander, > > > > Can you please point me to the RFC definitions to which you refer? > > Thanks, > > John > > --------- > > John M. Simpson > > Privacy Project Director > > Consumer Watchdog > > 2701 Ocean Park Blvd., Suite 112 > > Santa Monica, CA, 90405 > > Tel: 310-392-7041 > > Cell: 310-292-1902 > > www.ConsumerWatchdog.org > > john@consumerwatchdog.org > > > > On Feb 27, 2013, at 8:48 AM, Alexander Hanff > <a.hanff@think-privacy.com> wrote: > > > > > > The issue in question is not whether or not people will be aware that > by clicking on a Like button it will post something to their timeline > - that is not the purpose of Do Not Track. The issue in question is > whether or not someone accepts or consents to Facebook tracking their > online behaviour if they click on a like button and do so across all > web sites where those buttons exists - furthermore, just clicking on > the button is not an accurate description of how this tracking works. > > > > My understanding is that if a user is currently logged in to Facebook > or has any Facebook cookies on their machine, merely loading a page > with the "Like" button script embedded is enough for Facebook to be > able to track that user across sites with the widget. > > > > This redefinition is not within the scope of TPWG - TPWG's purpose is > not to redefine existing RFCs (1st/3rd party definition has existed > in RFC for ooo about a decade or more) - TPWG's purpose is to come up > with a standard and compliance specification to deal with 3rd party > tracking consent mechanisms. > > > > How any of you can sit there with a straight face and say it is ok to > redefine a technical term that has existed for over a decade is beyond > me. This "new" definition goes against the very premise of DNT which > is to send a signal about not being tracked; by making some of the > most invasive and widespread tracking technologies immune to the > standard simply by redefining 1st party to put them out of scope, is > reprehensible. > > > > Alexander Hanff > > > > From: Justin Brookman [mailto:justin@ <http://cdt.org> cdt.org] > Sent: 27 February 2013 17:34 > To: <mailto:public-tracking@w3.org> public-tracking@w3.org > Subject: Re: ISSUE-10 First party definition, ISSUE-60, ACTION-? > > > > There is no consensus definition of "first party" --- there are three > separate ones in the text. I believe they all say much the same thing > and I was merely trying to merge them. :) > > I believe the group is at consensus that if someone clicks a "Like" > button, then it is reasonable to expect that Facebook is going to > receive information that falls outside the scope of Do Not Track > (namely, that the user 'likes' some particular page or pbject, and > now FB can display that in Newsfeed and Timeline consistent with the > user's privacy settings). If anyone in the working group disagrees > with that, feel free to speak up. Alexander, if you want to comb > through the mailing list to see our previous exhaustive discussions > on this, you may find them informative. Or you may not, I don't > know. > > However, you do, obliquely, get to a relevant point --- that perhaps > the definition should include be revised to say "clearly branded" > before "embedded widget" in order to make sure that the user knows > what she's clicking on. I believe the group had discussed something > similar previously. I would be fine with a discussion on what > constitutes clear branding (I would say things like the Like, Tweet, > and +1 buttons qualify) in an appendix. > > > > > > Justin Brookman > Director, Consumer Privacy > Center for Democracy & Technology > tel 202.407.8812 > <mailto:justin@cdt.org> justin@cdt.org > <http://www.cdt.org> http://www.cdt.org > @JustinBrookman > @CenDemTech > > On 2/27/2013 11:01 AM, Alexander Hanff wrote: > > Why is the group second guessing what consumers think? The definition > of first party already exists, there is no need to redefine it in a > light which makes it easier for exceptions to be made for tracking > widgets. > > > > Many users will not be remotely aware that a "Like" button is actually > hosted by Facebook, they would assume it is hosted on the domain they > are visiting. To assume otherwise is absurd and further weakens the > validity of this DNT process. > > > > Alexander Hanff > > > > From: Justin Brookman [ <mailto:justin@cdt.org> mailto:justin@cdt.org] > Sent: 27 February 2013 16:52 > To: <mailto:public-tracking@w3.org> public-tracking@w3.org > Subject: ISSUE-10 First party definition, ISSUE-60, ACTION-? > > > > Peter asked me to try to combine the three definitions of "first > party" in the current text in consultation with Heather. The > existing definitions are all very close, and I don't think there are > major substantive disagreements here. Anyway, here is my best effort > (Heather provided feedback, but she's not around this morning, so I > don't know if she blesses this): > > > > In a specific network interaction, if a party can reasonably conclude > with high probability that the user intends to communicate with it, > that party is a <dfn>first party</dfn>. In most cases on a > traditional web browser, the first party will be the party that owns > and operates the domain visible in the address bar. A first party > also includes a party that owns and operates an embedded widget, > search box, or similar service with which a user intentionally > interacts. If a user merely mouses over, closes, or mutes such > content, that is not sufficient interaction to render the party a > first party. > > > > Rob Sherman is separately working on text regarding multiple first > parties. > > > > Chris Pedigo and Vinay Goel are separately working on text regarding > data processors that stand in the shoes of their controllers, > party-wise.
Received on Wednesday, 27 February 2013 21:04:00 UTC