Re: first-party third-party

Agreed — this works for me too.  Thanks, Nick (and Mike and Chris).

Rob Sherman
Facebook | Deputy Chief Privacy Officer
1299 Pennsylvania Avenue, NW | Suite 800 | Washington, DC 20004 | 202.370.5147

From: Chris Pedigo <Chris@digitalcontentnext.org>
Date: Thursday, December 17, 2015 at 7:00 AM
To: Nicholas Doty <npdoty@w3.org>, Mike O'Neill <michael.oneill@baycloud.com>
Cc: Rob Sherman <robsherman@fb.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Subject: RE: first-party third-party

Nick, I’m fine with this language too.  Should be a useful clarification.

From: Nick Doty [mailto:npdoty@w3.org]
Sent: Wednesday, December 16, 2015 2:51 AM
To: Mike O'Neill <michael.oneill@baycloud.com>
Cc: Rob Sherman <robsherman@fb.com>; public-tracking@w3.org
Subject: Re: first-party third-party

I think we're agreed on not wanting to change the normative text. To Mike's latest suggestion, I think the simple proposal would be to add a non-normative note to the end of 2.5 Party saying:

When data pertaining to a user’s actions is collected as a result of one or more network interactions, a party acts in one of the roles defined below, i.e. as a first party or as a third party to a given user action. These terms are not meant to denote the business practices of entities as a whole, but rather to describe a party’s role in a particular network interaction.

(Don't need to separately mention service provider as a separate role as the point of the service provider is that if it follows those requirements, then it acts like a first party or a third party to the given user action.)

I think that would be an accurate explanation. I'm not sure if adding such a note will clarify for readers or not.
—Nick


On Dec 10, 2015, at 6:29 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote:

Thanks Rob, I agree the idea is to clarify the distinction rather than reopen the issue.

One problem is the definition of Party refers to entities while First Party and Third Party refer to roles. (A Service Provider is acting in the role of its contractee in the particular network interaction.)

How about the following (I have taken your suggested wording and formatted it to be added as non-normative text to the Party definition, and renumbered the paragraphs describing dependent definitions):

2.5 Party

A party is a natural person, a legal entity, or a set of legal entities that share common owner(s), common controller(s), and a group identity that is easily discoverable by a user. Common branding or providing a list of affiliates that is available via a link from a resource where a party describes DNT practices are examples of ways to provide this discoverability. [no change]

When data pertaining to a user’s actions is collected as a result of one or more network interactions, a Party acts in one of three roles defined below, i.e. as a Service Provider, as a First Party or as a Third Party. These terms are not meant to denote the business practices of entities as a whole, but rather to describe a party’s role in a particular network interaction. In each interaction an origin server (controlled by a Party) determines in which of these roles it is operating and follows the relevant procedures described under [Server Compliance].

2.5.1 Service Provider

[same Definition as existing 2.6]

2.5.2 First Party

[same Definition as existing 2.7]

2.5.3 Third Party

[same Definition as existing 2.8]

From: Rob Sherman [mailto:robsherman@fb.com]
Sent: 10 December 2015 05:09
To: Mike O'Neill <michael.oneill@btinternet.com>; public-tracking@w3.org
Cc: 'Nick Doty' <npdoty@w3.org<mailto:npdoty@w3.org>>
Subject: Re: first-party third-party

Mike,

I’m not sure that this text helps clarify, and it seems in some ways inconsistent with other provisions of the text that have been agreed upon by the Working Group.  For example, your proposal specifies that there can only be a single first party in a particular network interaction, whereas Section 2.7 envisions that in some cases there may be multiple first parties to a given network interaction.  Likewise, the standard you specify below (“the entity that a user deliberately intended, in any particular action, to interact with”) is different from the language that’s specified in the agreed-upon text.  I don’t think it’s necessary or appropriate to redefine these terms, especially after so much detailed discussion of these issues over the years within the Working Group — and I worry that doing so in this way could introduce multiple definitions, which could increase confusion rather than solve it.

If I’m understanding correctly, the main misunderstanding is that some people who haven’t been actively involved in our discussions may believe that the terms “first party” and “third party” are intended to characterize the business practices of particular entities as a whole, rather than to describe their roles in a particular network interaction.  Would making just that clarification in non-normative text help address the concern without reopening the substantive issue?

Rob


Rob Sherman
Facebook | Deputy Chief Privacy Officer
1299 Pennsylvania Avenue, NW | Suite 800 | Washington, DC 20004 | 202.370.5147

From: Mike O'Neill <michael.oneill@btinternet.com>
Date: Thursday, November 26, 2015 at 9:50 AM
To: "public-tracking@w3.org" <public-tracking@w3.org>
Cc: Nicholas Doty <npdoty@w3.org>
Subject: first-party third-party
Resent-From: <public-tracking@w3.org>
Resent-Date: Thursday, November 26, 2015 at 9:51 AM

Here is some text aiming to clear up the evident misunderstandings about parties. It could go in the introduction of the TCS or in the Compliance paragraph.

For the sake of clarity, a first party, as defined in the Definitions section of this document, is the entity that a user deliberately intended, in any particular action, to interact with. Other entities, whether or not they manage servers receiving DNT signals as part of that interaction, are third parties to that user action. The terms “first party” and “third party” are not meant to indicate a particular type of entity but only to differentiate between those that a user intended to interact with, and those they did not.

Received on Friday, 18 December 2015 01:52:19 UTC