- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Sat, 28 Sep 2013 16:51:24 -0700
- To: "Tracking Protection WG" <public-tracking@w3.org>

ISSUE-10

Since it is unclear what (if any) short-term changes will be made,
I have added the below party-related definitions (with rationale
and some minor tweaks) to

http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Party_Definitions

....Roy

On Sep 20, 2013, at 4:20 PM, Roy T. Fielding wrote:

>> 2.4 Party
>>
>> A party is any commercial, nonprofit, or governmental organization, a
>> subsidiary or unit of such an organization, or a person. For unique
>> corporate entities to qualify as a common party with respect to this
>> document, those entities MUST be commonly owned and commonly controlled
>> and MUST provide easy discoverability of affiliate organizations. A list
>> of affiliates MUST be available through a single user interaction from
>> each page, for example, by following a single link, or through a single
>> click.
>
> Replace with:
>
> A party is either a person or a set of legal entities that share a
> common owner, controller, and public identity that is easily
> discoverable by a user.
>
> The type of organization is irrelevant unless we intend to exclude some types.
> This is a definition -- there is no need to qualify. There is no page here.
> Requirements belong in later sections, where they can be associated with
> specific situations (like the website, where pages exist).
> ...
>> 2.6 First Party
>>
>> In the context of a specific network interaction, the first party is the
>> party with which the user intentionally interacts. In most cases on a
>> traditional web browser, the first party will be the party that owns and
>> operates the domain visible in the address bar.
>
> The second sentence is incorrect and should be deleted.
>
> First, the address bar isn't relevant until a page is rendered,
> which may be several requests after the initial request caused by a
> user interaction. The first party needs to be known to the user
> before they do their action; otherwise, they can't possibly have
> an intention.
>
> Second, a first party is *a* party that the user believes it will
> be interacting with as a result of making an action, and thus has more
> to do with the content that evoked the desire to make a given action
> rather than the end-result of that action. If the user is presented
> with a logo for Tennessee Fried Bunnies overlaid with a hypertext
> link, the user's intention when selecting that link will be to get
> more information about TFB. They might, as a result of that intention,
> be aware that the link is to search.example.com, which is presenting
> the link in a page of search results, and that selecting the link will
> make a first party request to search.example.com that results in a
> redirect pointing to a resource owned by TFB, to which the user agent
> will make another first party request to a domain unknown to the user
> that they will later find out (via the address bar) to be
> "http://www.tennessee-fried-bunnies.com/order/". In other words,
> there will often be multiple first parties for a single user action.
>
> Third. "owns and operates" assumes that the first party is operating
> its own service, which isn't true in general unless we include the
> first party's service providers inside the definition of first party.
> Since this spec does not do so, it cannot say that the first party
> is operating anything.
>
>> The party that owns and operates or has control over a branded or labeled
>> embedded widget, search box, or similar service with which a user
>> intentionally interacts is also considered a first party. If a user merely
>> mouses over, closes, or mutes such content, that is not sufficient
>> interaction to render the party a first party.
>
> I don't know what this first sentence is trying to say that isn't already
> said in the first paragraph above it. Branded to whom? Labeled how?
> Delete the first sentence and replace the second with
>
> Merely mousing over, muting, or closing a given piece of content
> does not constitute an intended interaction.
>
>> In most network interactions, there will be only one first party with
>> which the user intends to interact. ...
>
> No, usually there are two (the current page owner and the destination
> of the action).
>
>> 2.7 Third Party
>>
>> A third party is any party other than a first party, service provider, or
>> the user.
>
> This is stated as if these are existence classifications (person, cat,
> horse) rather than roles with regard to data collected as a result of
> a specific network interaction. In other words, what it should say is:
>
> For any data collected as a result of one or more network interactions
> between a given user and a first party, a Third Party is any party other
> than that user, that first party, or a service provider acting on behalf
> of that user or that first party.

Received on Saturday, 28 September 2013 23:51:48 UTC