Re: Party definition, was: Re: proposed short-term changes to TCS

On Sep 21, 2013, at 6:09 AM, Walter van Holst wrote:
> On 21/09/2013 01:20, Roy T. Fielding wrote:
> 
>>>  2.4 Party
>>> 
>>>   A party is any commercial, nonprofit, or governmental organization, a
>>>   subsidiary or unit of such an organization, or a person. For unique
>>>   corporate entities to qualify as a common party with respect to this
>>>   document, those entities MUST be commonly owned and commonly controlled
>>>   and MUST provide easy discoverability of affiliate organizations. A list
>>>   of affiliates MUST be available through a single user interaction from
>>>   each page, for example, by following a single link, or through a single
>>>   click.
>> 
>> Replace with:
>> 
>>  A party is either a person or a set of legal entities that share a
>>  common owner, controller, and public identity that is easily
>>  discoverable by a user.
> 
> Dear Roy,
> 
> Your definition is a substantial improvement over the current text, so
> I'd prefer it regardless of whether the WG would accept the following
> tweaks:
> 
> A party is either a natural person, a legal entity or a set of legal
> entities that share (a) common owner(s), controller(s) or public
> identity that is easily discoverable by a user or which a user can be
> reasonably expected to be aware of. In the case of a set of legal
> entities the discoverability of their affiliation MUST be provided
> through a single user interaction from each page, for example by
> following a single link or through a single click.
> 
> The reason I'd like to retain the provisioning of affiliation of the
> original text is that it provides for an objective criterion whether the
> discoverability principle is upheld or not. Which is helpful for the
> transparency that this standard should contribute to.

Hi Walter,

Thanks for the input.  I understand your desire to add objective
criteria for discoverability, but there are three problems here:

First, we aren't talking about pages, so requiring something be
added to every page can only be responded to with "What page?".
A first party isn't required to have pages.
  
Second, I don't think it is appropriate for this standard to
require the addition of content to every page on the Internet.
I won't accept that as a requirement.  Requiring that information
be present in the privacy policy is sufficient, IMO, since that
is where data collectors will address relevant privacy concerns.

Third, this section is only attempting to define what is a
first party.  There is an entire section, later in the document,
for requirements on first party conformance.  If we are to make
such a requirement, it belongs there.  In other words, a site
is a first party whether or not it has such links, so what your
text is really saying is that the first party must have those
links in order to share the data across more than one site.
Hence, it is a conformance requirement on sharing, not part
of the definition of a first party.

In terms of phrasing, "a set of legal entities that share (a)
common owner(s), controller(s) or public identity" seems to make
that an OR choice (any one of), whereas I am pretty sure the other
WG members want it to be common ownership AND control AND a
discoverable.  Likewise, "or which a user can be reasonably
expected to be aware of" seems redundant and impossible to test.

The following is also fine with me:

  A party is a natural person, a legal entity, or a set of legal
  entities that share common owner(s), common controller(s), and
  a group identity that is easily discoverable by a user.


Cheers,

Roy T. Fielding                     <http://roy.gbiv.com/>
Senior Principal Scientist, Adobe   <https://www.adobe.com/>

Received on Monday, 23 September 2013 02:40:46 UTC