- From: Edward W. Felten <felten@CS.Princeton.EDU>
- Date: Wed, 6 Mar 2013 10:25:54 -0500
- To: Rob Sherman <robsherman@fb.com>
- Cc: Rob van Eijk <rob@blaeu.com>, JC Cannon <jccannon@microsoft.com>, John Simpson <john@consumerwatchdog.org>, Lauren Gelman <gelman@blurryedge.com>, Justin Brookman <justin@cdt.org>, "public-tracking@w3.org" <public-tracking@w3.org>
- Message-ID: <CANZBoGjs7=vBB-_e0zQYPfHQjtwxHPy3LotSoE=0qcMT324m1Q@mail.gmail.com>
The github example is a nice illustration about why introducing multiple first parties makes things a lot more complicated. Rob believes that a user visiting github.com/Lauren would expect to be interacting with Lauren (whoever that is). As a frequent github user, my expectation would be exactly the opposite, that Lauren would not be notified if I view github.com/Lauren. In any case, even if Lauren is a first party, how am I and my User Agent supposed to find out if Lauren is compliant with DNT, or whether she thinks she has my consent to share data with third parties? For github (which is clearly a first party) I can answer these questions by looking at the Tracking Status Resource, which lives at a well-known URI within github.com. But for Lauren, where is the Tracking Status Resource? What is the well-known URI? On Wed, Mar 6, 2013 at 9:45 AM, Rob Sherman <robsherman@fb.com> wrote: > Rob, > > I think it would be hard to conclude that Facebook.com is not a third > party, given that Facebook is named in the URL, is branded on the page, > users have logged into a Facebook account (and agree to Facebook's TOS) in > order to access it, the Facebook privacy policy is listed there and applies > to data collection on the page, Facebook has developed and operates the > software that displays the page, and Facebook runs the servers. I am hard > pressed to believe that a user who navigates to Facebook.com (or > Facebook.com/Macys) does not believe that they are communicating with > Facebook. > > Lauren may be right that it is better to migrate to a non-Facebook > example, in part because Facebook's relationship with users makes this a > clearer argument (at least in my view) than Etsy or Github. > > In those cases, it seems most intuitive that when I go to > Github.com/Lauren I expect to be communicating with both Github and > Lauren (if it is obvious she controls that space -- even if Github also > controls a portion of it, provides content and functionality, etc.). And I > would expect Lauren to be able to see what I write on her page. > > On John's point -- I should clarify that in the Macy's example my view > is that Macy's would be a first party only on Facebook.com/Macys and > subsidiary pages, where obviously it needs to be able to see what people > write on its pages, etc. -- meaning that it would be a third party if it > were allowed to collect data elsewhere. I did not mean to suggest that > everyone who has a page on Facebook is a first party everywhere on > Facebook.com. That result does not seem intuitive to me. > > Hope this helps -- and I look forward to talking more today. > > Rob > > On Mar 6, 2013, at 3:36 AM, "Rob van Eijk" <rob@blaeu.com> wrote: > > > JC, interesting observation. Let me coin another view. Can FB be > considered a first party, taking into account it is all about Macy's in > this context. > > RobvE > > JC Cannon <jccannon@microsoft.com> wrote: >> >> I feel that is a different issue. Can Macy’s be considered a first >> party even though they are hosted on FB? >> >> >> >> JC >> >> >> >> *From:* John Simpson [mailto:john@consumerwatchdog.org<john@consumerwatchdog.org>] >> >> *Sent:* Tuesday, March 5, 2013 4:33 PM >> *To:* JC Cannon >> *Cc:* Lauren Gelman; Rob Sherman; Justin Brookman; public-tracking@w3.org >> *Subject:* Re: DNT: Agenda for Call March 6 >> >> >> >> Isn't the issue whether Facebook could share all of the data it has >> gathered elsewhere on the Facebook platform with Macy's? >> >> >> >> >> >> On Mar 5, 2013, at 4:24 PM, JC Cannon <jccannon@microsoft.com> wrote: >> >> >> >> Is it people’s opinion that if I go to a vendor page on FB such as >> https://www.facebook.com/Macys, the user’s interaction with the page >> should be treated as third party? As a consumer that would not seem >> practical to me. I would feel that I’m interacting with Macy’s. If I left a >> message I would hope that the people at Macy’s could retrieve it. Am I >> missing something? >> >> >> >> Thanks, >> >> JC >> >> >> >> -- Edward W. Felten Professor of Computer Science and Public Affairs Director, Center for Information Technology Policy Princeton University 609-258-5906 http://www.cs.princeton.edu/~felten
Received on Wednesday, 6 March 2013 15:26:40 UTC