
Re: ACTION-273/ISSUE-181 (. . . multiple first parties) and ISSUE-10 (what is a first party?)

From: Justin Brookman <jbrookman@cdt.org>
Date: Wed, 06 Mar 2013 11:41:24 -0500
To: public-tracking@w3.org
Message-ID: <20130306164124.b7ec76b2@mail.maclaboratory.net>
No, when I visit Macy's page on Facebook, I think of myself of Facebook.  Likewise, when I visit Vinay's page on Facebook, I don't expect Vinay to know that I went there, but Facebook, sure, because it's their service.


Facebook is the first party, but that doesn't preclude information sharing under Facebook's terms.  If I click on certain content, Facebook's terms could dictate that that goes to Macy's and up on my newsfeed.  If I use Facebook mail or messenger to send Vinay a note, Facebook is the first party for the network interaction, but the service is configured to share with others per my consent.  Presumably, Facebook could even configure their service to allow passive/frictionless sharing with Macy's (and all my friends) whenever I just visit Facebook/Macys.  Whether that's permissible or not depends on whether Facebook got my consent to do so.  Alan may want to write a very prescriptive UI for how Facebook needs to message all the potential sharing, but I'm fine leaving that to a general exception for consent :)
  _____  

From: Vinay Goel [mailto:vigoel@adobe.com]
To: Justin Brookman [mailto:jbrookman@cdt.org]
Cc: public-tracking@w3.org [mailto:public-tracking@w3.org]
Sent: Wed, 06 Mar 2013 10:57:09 -0500
Subject: Re: ACTION-273/ISSUE-181 (. . . multiple first parties) and ISSUE-10 (what is a first party?)


In this use case, doesn't Macy's own the content on Facebook.com?  As a user, I expect to communicate / hear from Macy's when on that page.  I would interpret a user visiting Macy's Facebook page as interaction. 


Vinay

Sent from my phone

On Mar 6, 2013, at 8:34 AM, "Justin Brookman" <jbrookman@cdt.org> wrote:


      
First, I have revised the definitions of first and third parties based on our discussions last week.  They are included in the Editors' Draft which is now the operative document after Cambridge and which will hopefully be linked from the W3C site shortly.


http://www.w3.org/2011/tracking-protection/drafts/EditorsStrawmanComp.html


On multiple first parties, I still think the simplest and most intuitive solution is that the owner of the domain visible in the address bar is the only first party absent deliberate interaction with a branded widget.  I think the platform question is a close case, but I still think we're confusing passive tracking with deliberate information providing.  So on Facebook.com/Macys, I think Facebook should be the first party and Macy's (and everyone else) a third party.  If someone posts on the page, likes something, etc., that's a communication to Facebook, but Facebook has the ability to share that information with Macy's and my friends, consistent with my privacy settings.  I just visited Facebook.com/Macys --- my expectation going there is that Facebook might know that I as a logged-in user went to the page, but I sure don't expect Macys to know I went there based on a passive visit.


On Github.com/Lauren, Github is the first party, and Lauren is a third party.  Lauren would not be able to passively track my clicks around her page(s) on Github if DNT:1 is on, but Github as the site owner and operator could.  Similarly, on Twitter.com/JustinBrookman, Twitter can see which of my tweets a user clicks on to see if it's been favorited or retweeted (unlikely), but I cannot --- which is consistent with users' understanding of how that service works.


HOWEVER.  If the group is insistent upon allowing multiple first parties for the exceedingly edge case of a true joint site, it needs to be drafted very carefully to account for the obvious potential abuses that Lauren and others (and me) have pointed out.  Here is my effort at that:


In most network interactions, there will be only one first party with which the user intends to interact.  However, in some cases, a network resource will be jointly operated by two or more parties, and a user would reasonably expect to communicate with all of them by accessing that resource.  User understanding that multiple parties operate a particular resource could be accomplished through inclusion of multiple parties' brands in a URI, or prominent branding on the resource indicating that multiple parties are responsible for the primary content of the resource.  Branding of a party that only provides secondary or support functionality for a resource will not be sufficient to make that party a first party in any particular network interaction.




  _____  

From: Rob Sherman [mailto:robsherman@fb.com]
To: Justin Brookman [mailto:justin@cdt.org], public-tracking@w3.org [mailto:public-tracking@w3.org]
Sent: Tue, 05 Mar 2013 17:57:02 -0500
Subject: Re: DNT: Agenda for Call March 6

          
  
Thanks, Justin.  When we discussed this in the group, as I recall Aleecia invited anyone who was interested in working on improving my text proposal to do so.  Rigo was the only person who volunteered, and we worked to address his concerns.  I think most of us have a roughly similar idea about what we mean in the multiple first parties scenario — particularly, my proposal was not intended to suggest that branding or the presence of a privacy policy alone creates a first party, or, to Lauren's point, a situation in which a single entity operates a website and simply puts the logos of a few others on it, making each of them a first party.  If my proposal reads in a way that is inconsistent with that, we should fix it.

    
If anyone wants to help work on this text, please reach out off-list and we'll work together to get it right.  
  

    
  

Rob Sherman
Facebook | Manager, Privacy and Public Policy
1155 F Street, NW Suite 475 | Washington, DC 20004
office 202.370.5147 | mobile 202.257.3901

      
  From: Justin Brookman <justin@cdt.org>
  Date: Tuesday, March 5, 2013 4:33 PM
  To: "public-tracking@w3.org" <public-tracking@w3.org>
  Subject: Re: DNT: Agenda for Call March 6
  Resent-From: <public-tracking@w3.org>
  Resent-Date: Tuesday, March 5, 2013 4:34 PM
    

    
  
  
I previously objected to this exception as too expansive and vague; here is what I wrote on this in September:
  
  http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0259.html
  
  I do not believe the November text sufficiently addresses my concerns.  "Branding" and/or "the presence of privacy policies" should not be sufficient to turn an otherwise third party into a first.  I have previously argued for one first party per interaction.  I could live with language that allows for multiple first parties in unique scenarios, but this remains an exception that could swallow the rule.
  

Justin Brookman
Director, Consumer Privacy
Center for Democracy & Technology
tel 202.407.8812
justin@cdt.org
http://www.cdt.org
@JustinBrookman
@CenDemTech

On 3/5/2013 4:13 PM, Rob Sherman wrote:
      
  
  
Hi Rob,  

    
Sorry for the confusion on ACTION-273 / ISSUE-181.  The text that we'll be discussing was circulated in November of last year (http://lists.w3.org/Archives/Public/public-tracking/2012Nov/0075.html), and I'm not proposing to change the text from what was previously circulated.  We had a discussion about this on our weekly call.  I think we worked through questions that were raised but didn't actually close the issue, and the issue didn't get brought back to the agenda in subsequent calls.  So the purpose of the agenda item tomorrow is to give us an opportunity to resolve this.

    
Peter also asked me to look into how, if at all, the approach we're taking here would be informed by the Gramm-Leach-Bliley Act in the United States.  We can talk about that as well but it does not change the text that people weighed in on in November.  

    
I hope this clarifies the agenda item.  

    
Rob  
  

    
  


      
  From: Rob van Eijk <rob@blaeu.com>
  Date: Tuesday, March 5, 2013 2:26 PM
  To: Peter Swire <peter@peterswire.net>, "public-tracking@w3.org WG" <public-tracking@w3.org>
  Subject: Re: DNT: Agenda for Call March 6
  Resent-From: <public-tracking@w3.org>
  Resent-Date: Tuesday, March 5, 2013 2:27 PM
    

    
  
            Peter,
  
  I have 3 procedural questions: 
  
  Action 273 is pending review, however the revised text has not been circulated to the list. I think it is fair to leave at least 1 week between text circulation on the mailing list and discussing it in the plenary weekly calls to allow for discussion on the list and to allow for the need to discuss text internally before taking an official position in a discussion. Is it possible to accommodate this?
  
  Likewise is action 368 with status open, and no text circulated. Ergo, no time/chance to prepare the discussion in time.
  
  Lastly, with regards to apparently scheduled discussions (e.g. related append issues to action 368). I may have overlooked a URL, but if there are items planned ahead, it would be good to know. Please send a URL.
  
  Regards,
  Rob
  
  
  
Peter Swire <peter@peterswire.net> wrote:      
  
  
  

  Wednesday call March 6, 2013

  ---------------------------
  Administrative
  Chair: Peter Swire
  ---------------------------

  1. Confirmation of scribe – glad to accept volunteer in advance

  2. Offline-caller-identification:
  If you intend to join the phone call, you must either associate your phone number with your IRC username once you've joined the call (command: "Zakim, [ID] is [name]" e.g., "Zakim, ??P19 is schunter" in my case), or let Nick know your phone number ahead of time. If you are not comfortable with the Zakim IRC syntax for associating your phone number, please email your name and phone number to npdoty@w3.org. We want to reduce (in fact, eliminate) the time spent on the call identifying phone numbers. Note that if your number is not identified and you do not respond to off-the-phone reminders via IRC, you will be dropped from the call.

  3. Update on next face-to-face.

  ---------------------------
  TPE: Matthias Schunter
  ---------------------------

  4. TPE matters (15 minutes)

  ---------------------------
  Discuss Assigned Compliance Actions
  ---------------------------

  5. Action 273 (Rob Sherman). Rob has updated text for multiple first parties. Discussion will include reference to “joint marketing” under Gramm-Leach-Bliley Act.

  6. Action 368 (Chris Pedigo), update “service provider” or “data processor” definition. (Discussion of related “append” issue is scheduled to occur in two weeks).

  7. Action 371 (Dan Auerbach). Dan has circulated proposed text and non-normative language.

  8. Issue 10, definition of “first party.” Text from the editors, with focus on clarity of writing rather than major discussion on scope.

  9. If time, review of other outstanding assigned actions.

  ---------------------------

  10. Announce next meeting & adjourn

  ================ Infrastructure =================

  Zakim teleconference bridge:
  VoIP: sip:zakim@voip.w3.org
  Phone +1.617.761.6200 passcode TRACK (87225)
  IRC Chat: irc.w3.org, port 6665, #dnt

  *****

    

    

    
  
Professor Peter P. Swire  
  
C. William O'Neill Professor   of Law  
    Ohio State University  
240.994.4142  
www.peterswire.net          

      
  
    
  
  
  
  
  

           
  
  
  
  

    
  
                
Received on Wednesday, 6 March 2013 16:41:54 UTC
