
RE: ACTION-273/ISSUE-181 (. . . multiple first parties) and ISSUE-10 (what is a first party?)

From: Justin Brookman <jbrookman@cdt.org>
Date: Wed, 06 Mar 2013 11:48:50 -0500
To: public-tracking@w3.org
Message-ID: <20130306164850.72811d6d@mail.maclaboratory.net>
Hmm, under my definition they could well be, but under my analysis of FB and Github, they shouldn't be.  In your example, I feel like YouTube should be the first party and Fox the third party.  Perhaps switching "multiple parties' brands in a URI" for "multiple parties' brands in a domain name" would help, but this I think points out how mere branding doesn't really message to a user that I'm communicating with a party.  A user going to this page thinks they're going to YouTube, not Fox.  Which makes me think "whoever owns the domain name" is still the best answer.
  _____  

From: Chris Pedigo [mailto:CPedigo@online-publishers.org]
To: Justin Brookman [mailto:jbrookman@cdt.org], public-tracking@w3.org [mailto:public-tracking@w3.org]
Sent: Wed, 06 Mar 2013 11:27:12 -0500
Subject: RE: ACTION-273/ISSUE-181 (. . . multiple first parties) and  ISSUE-10 (what is a first party?)

              
  

Justin, under your proposed definition, would Fox and YouTube be first parties in the case of  www.youtube.com/fox?  

   

   
  
  

From: Justin Brookman [mailto:jbrookman@cdt.org]  
  Sent: Wednesday, March 06, 2013 10:34 AM
  To: public-tracking@w3.org
  Subject: ACTION-273/ISSUE-181 (. . . multiple first parties) and ISSUE-10 (what is a first party?)      

   
  

First, I have revised the definitions of first and third parties based on our discussions last week.  They are included in the Editors' Draft which   is now the operative document after Cambridge and which will hopefully be linked from the W3C site shortly.    
  

     
  

http://www.w3.org/2011/tracking-protection/drafts/EditorsStrawmanComp.html    
  

     
  

On multiple first parties, I still think the simplest and most intuitive solution is that the owner of the domain visible in the address bar is   the only first party absent deliberate interaction with a branded widget.  I think the platform question is a close case, but I still think we're confusing passive tracking with deliberate information providing.  So on Facebook.com/Macys, I think Facebook   should be the first party and Macy's (and everyone else) a third party.  If someone posts on the page, likes something, etc., that's a communication to Facebook, but Facebook has the ability to share that information with Macy's and my friends, consistent   with my privacy settings.  I just visited Facebook.com/Macys --- my expectation going there is that Facebook might know that I as a logged-in user went to the page, but I sure don't expect Macys to know I went there based on a passive visit.    
  

     
  

On Github.com/Lauren, Github is the first party, and Lauren is a third party.  Lauren would not be able to passively track my clicks around her   page(s) on Github if DNT:1 is on, but Github as the site owner and operator could.  Similarly, on Twitter.com/JustinBrookman, Twitter can see which of my tweets a user clicks on to see if it's been favorited or retweeted (unlikely), but I cannot --- which   is consistent with users' understanding of how that service works.    
  

     
  

HOWEVER.  If the group is insistent upon allowing multiple first parties for the exceedingly edge case of a true joint site, it needs to be drafted   very carefully to account for the obvious potential abuses that Lauren and others (and me) have pointed out.  Here is my effort at that:    
  

     
  

In most network interactions, there will be only one first party with which the user intends to interact.  However, in some cases, a network resource will be jointly operated by two or more parties, and a user would reasonably expect to communicate with all of them by accessing that resource.  User understanding that multiple parties operate a particular resource could be accomplished through inclusion of multiple parties' brands in a URI, or prominent branding on the resource indicating that multiple parties are responsible for the primary content of the resource.  Branding of a party that only provides secondary or support functionality for a resource will not be sufficient to make that party a first party in any particular network interaction.
  

     

     
      _____  

    

From: Rob Sherman [mailto:robsherman@fb.com]
  To: Justin Brookman [mailto:justin@cdt.org],  public-tracking@w3.org [mailto:public-tracking@w3.org]
  Sent: Tue, 05 Mar 2013 17:57:02 -0500
  Subject: Re: DNT: Agenda for Call March 6  
  
  

Thanks, Justin.  When we discussed this in the group, as I recall Aleecia invited anyone who was interested in working on improving my text proposal   to do so.  Rigo was the only person who volunteered, and we worked to address his concerns.  I think most of us have a roughly similar idea about what we mean in the multiple first parties scenario — particularly, my proposal was not intended to suggest that   branding or the presence of a privacy policy alone creates a first party, or, to Lauren's point, a situation in which a single entity operates a website and simply puts the logos of a few others on it, making each of them a first party.  If my proposal reads   in a way that is inconsistent with that, we should fix it.      
  

     
  

If anyone wants to help work on this text, please reach out off-list and we'll work together to get it right.    
  
  

     
  

Rob Sherman  

Facebook | Manager,   Privacy and Public Policy  

1155 F Street, NW Suite 475 | Washington, DC 20004  

office 202.370.5147 | mobile 202.257.3901        
  

     
  

From:  Justin Brookman <justin@cdt.org>
  Date: Tuesday, March 5, 2013 4:33 PM
  To: "public-tracking@w3.org" <public-tracking@w3.org>
  Subject: Re: DNT: Agenda for Call March 6
  Resent-From: <public-tracking@w3.org>
  Resent-Date: Tuesday, March 5, 2013 4:34 PM    
  

     
  
  
  

I previously objected to this exception as too expansive and vague; here is what I wrote on this in September:
  
  http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0259.html
  
  I do not believe the November text sufficiently addresses my concerns.  "Branding" and/or "the presence of privacy policies" should not be sufficient to turn an otherwise third party into a first.  I have previously argued for one first party per interaction.    I could live with language that allows for multiple first parties in unique scenarios, but this remains an exception that could swallow the rule.  

Justin Brookman  

Director, Consumer Privacy  

Center for Democracy & Technology  

tel 202.407.8812  

justin@cdt.org  

http://www.cdt.org  

@JustinBrookman  

@CenDemTech  

On 3/5/2013 4:13 PM, Rob Sherman wrote:      
  
  
  

Hi Rob,    
  

     
  

Sorry for the confusion on ACTION-273 / ISSUE-181.  The text that we'll be discussing was circulated in November of last year (http://lists.w3.org/Archives/Public/public-tracking/2012Nov/0075.html),   and I'm not proposing to change the text from what was previously circulated.  We had a discussion about this on our weekly call.  I think we worked through questions that were raised but didn't actually close the issue, and the issue didn't get brought back   to the agenda in subsequent calls.  So the purpose of the agenda item tomorrow is to give us an opportunity to resolve this.      
  

     
  

Peter also asked me to look into how, if at all, the approach we're taking here would be informed by the Gramm-Leach-Bliley Act in the United States.    We can talk about that as well but it does not change the text that people weighed in on in November.    
  

     
  

I hope this clarifies the agenda item.    
  

     
  

Rob    
  
  

     
  

Rob Sherman  

Facebook | Manager,   Privacy and Public Policy  

1155 F Street, NW Suite 475 | Washington, DC 20004  

office 202.370.5147 | mobile 202.257.3901        
  

     
  

From:  Rob van Eijk <rob@blaeu.com>
  Date: Tuesday, March 5, 2013 2:26 PM
  To: Peter Swire <peter@peterswire.net>, "public-tracking@w3.org WG" <public-tracking@w3.org>
  Subject: Re: DNT: Agenda for Call March 6
  Resent-From: <public-tracking@w3.org>
  Resent-Date: Tuesday, March 5, 2013 2:27 PM    
  

     
  
  

Peter,
  
  I have 3 procedural questions: 
  
  Action 273 is pending review, however the revised text has not been circulated to the list. I think it is fair to leave at least 1 week between text circulation on the mailing list and discussing it in the plenary weekly calls to allow for discussion on the list and to allow for the need to discuss text internally before taking an official position in a discussion. Is it possible to accommodate this?
  
  Likewise is action 368 with status open, and no text circulated. Ergo, no time/chance to prepare the discussion in time.
  
  Lastly, with regards to apparently scheduled discussions (e.g. related append issues to action 368). I may have overlooked a URL, but if there are items planned ahead, it would be good to know. Please send a URL.
  
  Regards,
  Rob
  
    
  

Peter Swire <peter@peterswire.net> wrote:    
  
  
  

Wednesday call March 6, 2013  

   

---------------------------  

Administrative  

   

Chair:  Peter Swire  

---------------------------  

   

1.  Confirmation of scribe – glad to accept volunteer in advance  

   

2.  Offline-caller-identification:   

If you intend to join the phone call, you must either associate your phone number with your IRC username once you've joined the call   (command: "Zakim, [ID] is [name]" e.g., "Zakim, ??P19 is schunter" in my case), or let Nick know your phone number ahead of  time. If you are not comfortable with the Zakim IRC syntax for associating your phone number, please email your name and phone number   to npdoty@w3.org. We want to reduce (in fact, eliminate)   the time spent on the call identifying phone numbers. Note that if your number is not identified and you do not respond to off-the-phone reminders via IRC, you will be dropped from the call.  

   

3. Update on next face-to-face.  

   

---------------------------  

TPE: Matthias Schunter   

---------------------------  

   

4.   TPE matters (15 minutes)  

   

---------------------------  

   

Discuss Assigned Compliance Actions  

   

---------------------------  

   

5.  Action 273 (Rob Sherman).  Rob has updated text for multiple first parties.  Discussion will include reference to “joint marketing”   under Gramm-Leach-Bliley Act.  

   

6. Action 368 (Chris Pedigo), update “service provider” or “data processor” definition.  (Discussion of related “append” issue is   scheduled to occur in two weeks).  

   

7. Action 371 (Dan Auerbach).  Dan has circulated proposed text and non-normative language.  

   

8.  Issue 10, definition of “first party.”  Text from the editors, with focus on clarity of writing rather than major discussion on   scope.   

   

9. If time, review of other outstanding assigned actions.   

   

---------------------------  

   

10.  Announce next meeting & adjourn  

   

   

================ Infrastructure =================  

   

Zakim teleconference bridge:  

VoIP:    sip:zakim@voip.w3.org  

Phone +1.617.761.6200 passcode TRACK (87225)  

IRC Chat: irc.w3.org,   port 6665, #dnt  

   

*****  

   

*****    
  

     
  

     
  

     
  
  

Professor Peter P. Swire    
  
  

C. William O'Neill Professor of Law    
  

    Ohio State University    
  

240.994.4142    
  

www.peterswire.net            
  

     
  
  
  
  
  
  
  

         
  
  
  
  
  

     
  
  


                 
Received on Wednesday, 6 March 2013 16:49:20 UTC
