RE: ACTION-273/ISSUE-181 (. . . multiple first parties) and ISSUE-10 (what is a first party?)

Justin, I just disagree with you on this one.  I actually went to Macy’s page on Facebook.  I don’t see how anyone wouldn’t think they were interacting with Macy’s and Facebook on that page.  There is clear branding.  If I don’t like how my data is being used, I clearly know who to contact and/or avoid in the future.  I clearly have a direct relationship with Macy’s.  Just seems preposterous not to allow the content creator (Macy’s) to be a first party in this situation.

From: Justin Brookman [mailto:jbrookman@cdt.org]
Sent: Wednesday, March 06, 2013 11:41 AM
To: public-tracking@w3.org
Subject: Re: ACTION-273/ISSUE-181 (. . . multiple first parties) and ISSUE-10 (what is a first party?)

No, when I visit Macy's page on Facebook, I think of myself of Facebook.  Likewise, when I visit Vinay's page on Facebook, I don't expect Vinay to know that I went there, but Facebook, sure, because it's their service.

Facebook is the first party, but that doesn't preclude information sharing under Facebook's terms.  If I click on certain content, Facebook's terms could dictate that that goes to Macy's and up on my newsfeed.  If I use Facebook mail or messenger to send Vinay a note, Facebook is the first party for the network interaction, but the service is configured to share with others per my consent.  Presumably, Facebook could even configure their service to allow passive/frictionless sharing with Macy's (and all my friends) whenever I just visit Facebook/Macys.  Whether that's permissible or not depends on whether Facebook got my consent to do so.  Alan may want to write a very prescriptive UI for how Facebook needs to message all the potential sharing, but I'm fine leaving that to a general exception for consent :)
________________________________
From: Vinay Goel [mailto:vigoel@adobe.com]
To: Justin Brookman [mailto:jbrookman@cdt.org]
Cc: public-tracking@w3.org<mailto:public-tracking@w3.org> [mailto:public-tracking@w3.org]
Sent: Wed, 06 Mar 2013 10:57:09 -0500
Subject: Re: ACTION-273/ISSUE-181 (. . . multiple first parties) and ISSUE-10 (what is a first party?)
In this use case, doesn't Macy's own the content on Facebook.com<http://Facebook.com>?  As a user, I expect to communicate / hear from Macy's when on that page.  I would interpret a user visiting Macy's Facebook page as interaction.

Vinay

Sent from my phone

On Mar 6, 2013, at 8:34 AM, "Justin Brookman" <jbrookman@cdt.org<mailto:jbrookman@cdt.org>> wrote:
First, I have revised the definitions of first and third parties based on our discussions last week.  They are included in the Editors' Draft which is now the operative document after Cambridge and which will hopefully be linked from the W3C site shortly.

http://www.w3.org/2011/tracking-protection/drafts/EditorsStrawmanComp.html


On multiple first parties, I still think the simplest and most intuitive solution is that the owner of the domain visible in the address bar is the only first party absent deliberate interaction with a branded widget.  I think the platform question is a close case, but I still think we're confusing passive tracking with deliberate information providing.  So on Facebook.com/Macys<http://Facebook.com/Macys>, I think Facebook should be the first party and Macy's (and everyone else) a third party.  If someone posts on the page, likes something, etc., that's a communication to Facebook, but Facebook has the ability to share that information with Macy's and my friends, consistent with my privacy settings.  I just visited Facebook.com/Macys<http://Facebook.com/Macys> --- my expectation going there is that Facebook might know that I as a logged-in user went to the page, but I sure don't expect Macys to know I went there based on a passive visit.

On Github.com/Lauren<http://Github.com/Lauren>, Github is the first party, and Lauren is a third party.  Lauren would not be able to passively track my clicks around her page(s) on Github if DNT:1 is on, but Github as the site owner and operator could.  Similarly, on Twitter.com/JustinBrookman<http://Twitter.com/JustinBrookman>, Twitter can see which of my tweets a user clicks on to see if it's been favorited or retweeted (unlikely), but I cannot --- which is consistent with users' understanding of how that service works.

HOWEVER.  If the group is insistent upon allowing multiple first parties for the exceedingly edge case of a true joint site, it needs to be drafted very carefully to account for the obvious potential abuses that Lauren and others (and me) have pointed out.  Here is my effort at that:

In most network interactions, there will be only first party with which the user intends to interact.  However, in some cases, a network resource will be jointly operated by two or more parties, and a user would reasonably expect to communicate with all of them by accessing that resource.  User understanding that multiple parties operate a particular resource could be accomplished through inclusion of multiple parties' brands in a URI, or prominent branding on the resource indicating that multiple parties are responsible for the primary content of the resource.  Branding of a party that only provides secondary or support functionality for a resource will not be sufficient to make that party a first party in any particular network interaction.




________________________________
From: Rob Sherman [mailto:robsherman@fb.com]
To: Justin Brookman [mailto:justin@cdt.org], public-tracking@w3.org<mailto:public-tracking@w3.org> [mailto:public-tracking@w3.org]
Sent: Tue, 05 Mar 2013 17:57:02 -0500
Subject: Re: DNT: Agenda for Call March 6
Thanks, Justin.  When we discussed this in the group, as I recall Aleecia invited anyone who was interested in working on improving my text proposal to do so.  Rigo was the only person who volunteered, and we worked to address his concerns.  I think most of us have a roughly similar idea about what we mean in the multiple first parties scenario — particularly, my proposal was not intended to suggest that branding or the presence of a privacy policy alone creates a first party, or, to Lauren's point, a situation in which a single entity operates a website and simply puts the logos of a few others on it, making each of them a first party.  If my proposal reads in a way that is inconsistent with that, we should fix it.

If anyone wants to help work on this text, please reach out off-list and we'll work together to get it right.

Rob Sherman
Facebook | Manager, Privacy and Public Policy
1155 F Street, NW Suite 475 | Washington, DC 20004
office 202.370.5147 | mobile 202.257.3901

From: Justin Brookman <justin@cdt.org<mailto:justin@cdt.org>>
Date: Tuesday, March 5, 2013 4:33 PM
To: "public-tracking@w3.org<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Re: DNT: Agenda for Call March 6
Resent-From: <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Resent-Date: Tuesday, March 5, 2013 4:34 PM

I previously objected to this exception as too expansive and vague; here is what I wrote on this in September:

http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0259.html


I do not believe the November text sufficiently addresses my concerns.  "Branding" and/or "the presence of privacy policies" should not be sufficient to turn an otherwise third party into a first.  I have previously argued for one first party per interaction.  I could live with language that allows for multiple first parties in unique scenarios, but this remains an exception that could swallow the rule.

Justin Brookman

Director, Consumer Privacy

Center for Democracy & Technology

tel 202.407.8812

justin@cdt.org<mailto:justin@cdt.org>http://www.cdt.org


@JustinBrookman

@CenDemTech
On 3/5/2013 4:13 PM, Rob Sherman wrote:
Hi Rob,

Sorry for the confusion on ACTION-273 / ISSUE-181.  The text that we'll be discussing was circulated in November of last year (http://lists.w3.org/Archives/Public/public-tracking/2012Nov/0075.html), and I'm not proposing to change the text from what was previously circulated.  We had a discussion about this on our weekly call.  I think we worked through questions that were raised but didn't actually close the issue, and the issue didn't get brought back to the agenda in subsequent calls.  So the purpose of the agenda item tomorrow is to give us an opportunity to resolve this.

Peter also asked me to look into how, if at all, the approach we're taking here would be informed by the Gramm-Leach-Bliley Act in the United States.  We can talk about that as well but it does not change the text that people weighed in on in November.

I hope this clarifies the agenda item.

Rob

Rob Sherman
Facebook | Manager, Privacy and Public Policy
1155 F Street, NW Suite 475 | Washington, DC 20004
office 202.370.5147 | mobile 202.257.3901

From: Rob van Eijk <rob@blaeu.com<mailto:rob@blaeu.com>>
Date: Tuesday, March 5, 2013 2:26 PM
To: Peter Swire <peter@peterswire.net<mailto:peter@peterswire.net>>, "public-tracking@w3.org<mailto:public-tracking@w3.org> WG" <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Re: DNT: Agenda for Call March 6
Resent-From: <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Resent-Date: Tuesday, March 5, 2013 2:27 PM

Peter,

I have 3 procedural questions:

Action 273 is pending review, however the revised text has not been circulated to the list. I think it is fair to leave at least 1 week between text circulation on the mailing list and discussing it in the plenairy weekly calls to allow for discussion on the list and to allow for the need to discuss text internally before taking an official position in a discussion. Is it possible to accomodate this?

Likewise is action 368 with status open, and no text circulated. Ergo, no time/chance to prepare the discussion in time.

Lastly, with regards to apparently scheduled discussions (eg . related append issues to action 368). I may have overlooked a URL, but if there are items planned ahead, it would be good to know. Please send a URL,

Regards,
Rob

Peter Swire <peter@peterswire.net<mailto:peter@peterswire.net>> wrote:
Wednesday call March 6, 2013

---------------------------
Administrative

Chair:  Peter Swire
---------------------------

1.  Confirmation of scribe – glad to accept volunteer in advance

2.  Offline-caller-identification:
If you intend to join the phone call, you must either associate your phone number with your IRC username once you've joined the call (command: "Zakim, [ID] is [name]" e.g., "Zakim, ??P19 is schunter" in my case), or let Nick know your phone number ahead of  time. If you are not comfortable with the Zakim IRC syntax for associating your phone number, please email your name and phone number to npdoty@w3.org<mailto:npdoty@w3.org>. We want to reduce (in fact, eliminate) the time spent on the call identifying phone numbers. Note that if your number is not identified and you do not respond to off-the-phone reminders via IRC, you will be dropped from the call.


3. Update on next face-to-face.

---------------------------
TPE: Matthias Schunter
---------------------------


4.   TPE matters (15 minutes)

---------------------------

Discuss Assigned Compliance Actions

---------------------------

5.  Action 273 (Rob Sherman).  Rob has updated text for multiple first parties.  Discussion will include reference to “joint marketing” under Gramm-Leach-Bliley Act.


6. Action 368 (Chris Pedigo), update “service provider” or “data processor” definition.  (Discussion of related “append” issue is scheduled to occur in two weeks).


7. Action 371 (Dan Auerbach).  Dan has circulated proposed text and non-normative language.

8.  Issue 10, definition of “first party.”  Text from the editors, with focus on clarity of writing rather than major discussion on scope.


9. If time, review of other outstanding assigned actions.

---------------------------

10.  Announce next meeting & adjourn


================ Infrastructure =================

Zakim teleconference bridge:
VoIP:    sip:zakim@voip.w3.org<file:///\\sip\zakim@voip.w3.org>
Phone +1.617.761.6200 passcode TRACK (87225)
IRC Chat: irc.w3.org<http://irc.w3.org/>, port 6665, #dnt

*****

*****



Professor Peter P. Swire
C. William O'Neill Professor of Law
    Ohio State University
240.994.4142
www.peterswire.net<http://www.peterswire.net>




Professor Peter P. Swire
C. William O'Neill Professor of Law
    Ohio State University
240.994.4142
www.peterswire.net<http://www.peterswire.net>

Received on Wednesday, 6 March 2013 16:49:54 UTC