Privacy/TPWG/Change Proposals on link shorteners and ID providers
Proposal 5: Silence
(via WileyS on 2014-07-23 call)
The document should not speak to this. WG should not focus time on this edge case.
Proposal 6: redirection or framed content
Consolidated text from Walter, Mike, Nick.
- Network interactions and subrequests related to a given user action may not constitute intentional interaction when, for example, the user is unaware or only transiently informed of redirection or framed content.
By Walter van Holst
Add the following sentence after the first sentence of the first party definition:
Accessing a particular URI does not necessarily imply intent to interact with the URI-provider, especially when that URI-provider provides a transparent conduit to other parties' content, as would be the case for content delivery networks, link shorteners and similar service providers and third parties. In such cases the URI-provider is, from a user perspective, a non-obvious participant in the network interaction.
With respect to a given user action, a first party is a party with which the user intends to interact, via one or more network interactions, as a result of making that action. Merely hovering over, muting, pausing, or closing a given piece of content, or being redirected via a party of which the user is unaware, does not constitute a user's intent to interact with another party.
Accessing a particular URI does not necessarily imply intent to interact with the URI-provider, especially when that URI-provider, from a user perspective, only provides a transiently noticeable conduit to other parties' content, as would be the case for content delivery networks, link shorteners and similar service providers and third parties. In such cases the URI-provider is, from a user perspective, a non-obvious participant in the network interaction.
npdoty: Add the following non-normative example to the end of the definition of a first party to a given user action. (Could be in addition to or instead of any definitional changes.)
By Ian Fette
"If a site offers users the choice to log in with an identity provider, via means such as OpenID, OAuth, or other conceptually similar mechanisms, the identity provider is considered a first party for the current transactions and subsequent transactions for which the user remains authenticated to the site via the identity provider."
By Rob van Eijk
Identity providers must not use user data beyond the purpose of identification and authentication unless this user data is needed for a legitimate business interest like, for example, fraudulent login attempts across multiple third-party sites.