Re: DNT: Agenda for Call March 6 from Edward W. Felten on 2013-03-06 (public-tracking@w3.org from March 2013)

From: Edward W. Felten <felten@CS.Princeton.EDU>
Date: Wed, 6 Mar 2013 10:25:54 -0500
To: Rob Sherman <robsherman@fb.com>
Cc: Rob van Eijk <rob@blaeu.com>, JC Cannon <jccannon@microsoft.com>, John Simpson <john@consumerwatchdog.org>, Lauren Gelman <gelman@blurryedge.com>, Justin Brookman <justin@cdt.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <CANZBoGjs7=vBB-_e0zQYPfHQjtwxHPy3LotSoE=0qcMT324m1Q@mail.gmail.com>

The github example is a nice illustration about why introducing multiple
first parties makes things a lot more complicated.  Rob believes that a
user visiting github.com/Lauren would expect to be interacting with Lauren
(whoever that is).  As a frequent github user, my expectation would be
exactly the opposite, that Lauren would not be notified if I view
github.com/Lauren.

In any case, even if Lauren is a first party, how am I and my User Agent
supposed to find out if Lauren is compliant with DNT, or whether she thinks
she has my consent to share data with third parties?  For github (which is
clearly a first party) I can answer these questions by looking at the
Tracking Status Resource, which lives at a well-known URI within github.com.
 But for Lauren, where is the Tracking Status Resource?  What is the
well-known URI?


On Wed, Mar 6, 2013 at 9:45 AM, Rob Sherman <robsherman@fb.com> wrote:

>    Rob,
>
>  I think it would be hard to conclude that Facebook.com is not a third
> party, given that Facebook is named in the URL, is branded on the page,
> users have logged into a Facebook account (and agree to Facebook's TOS) in
> order to access it, the Facebook privacy policy is listed there and applies
> to data collection on the page, Facebook has developed and operates the
> software that displays the page, and Facebook runs the servers. I am hard
> pressed to believe that a user who navigates to Facebook.com (or
> Facebook.com/Macys) does not believe that they are communicating with
> Facebook.
>
>  Lauren may be right that it is better to migrate to a non-Facebook
> example, in part because Facebook's relationship with users makes this a
> clearer argument (at least in my view) than Etsy or Github.
>
>  In those cases, it seems most intuitive that when I go to
> Github.com/Lauren I expect to be communicating with both Github and
> Lauren (if it is obvious she controls that space -- even if Github also
> controls a portion of it, provides content and functionality, etc.). And I
> would expect Lauren to be able to see what I write on her page.
>
>  On John's point -- I should clarify that in the Macy's example my view
> is that Macy's would be a first party only on Facebook.com/Macys and
> subsidiary pages, where obviously it needs to be able to see what people
> write on its pages, etc. -- meaning that it would be a third party if it
> were allowed to collect data elsewhere. I did not mean to suggest that
> everyone who has a page on Facebook is a first party everywhere on
> Facebook.com. That result does not seem intuitive to me.
>
>  Hope this helps -- and I look forward to talking more today.
>
>  Rob
>
> On Mar 6, 2013, at 3:36 AM, "Rob van Eijk" <rob@blaeu.com> wrote:
>
>
> JC, interesting observation. Let me coin another view. Can FB be
> considered a first party, taking into account it is all about Macy's in
> this context.
>
> RobvE
>
> JC Cannon <jccannon@microsoft.com> wrote:
>>
>>  I feel that is a different issue. Can Macy’s be considered a first
>> party even though they are hosted on FB?
>>
>>
>>
>> JC
>>
>>
>>
>>  *From:* John Simpson [mailto:john@consumerwatchdog.org<john@consumerwatchdog.org>]
>>
>> *Sent:* Tuesday, March 5, 2013 4:33 PM
>> *To:* JC Cannon
>> *Cc:* Lauren Gelman; Rob Sherman; Justin Brookman; public-tracking@w3.org
>> *Subject:* Re: DNT: Agenda for Call March 6
>>
>>
>>
>> Isn't the issue whether Facebook could share all of the data it has
>> gathered elsewhere on the Facebook  platform with Macy's?
>>
>>
>>
>>
>>
>> On Mar 5, 2013, at 4:24 PM, JC Cannon <jccannon@microsoft.com> wrote:
>>
>>
>>
>>    Is it people’s opinion that if I go to a vendor page on FB such as
>> https://www.facebook.com/Macys, the user’s interaction with the page
>> should be treated as third party? As a consumer that would not seem
>> practical to me. I would feel that I’m interacting with Macy’s. If I left a
>> message I would hope that the people at Macy’s could retrieve it. Am I
>> missing something?
>>
>>
>>
>>   Thanks,
>>
>>   JC
>>
>>
>>
>>


-- 
Edward W. Felten
Professor of Computer Science and Public Affairs
Director, Center for Information Technology Policy
Princeton University
609-258-5906           http://www.cs.princeton.edu/~felten

Received on Wednesday, 6 March 2013 15:26:40 UTC