W3C home > Mailing lists > Public > public-tracking@w3.org > April 2012

Re: first party resource

From: Nicholas Doty <npdoty@w3.org>
Date: Tue, 10 Apr 2012 23:58:00 -0400
Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-Id: <D4656575-B908-473B-AFC2-45BB421E4155@w3.org>
To: Roy T. Fielding <fielding@gbiv.com>
On Apr 10, 2012, at 5:00 PM, Roy T. Fielding wrote:

> I am unsatisfied by all of the first-party definitions because I don't consider
> them to be implementable (e.g., neither "can infer with high probability that the
> user knowingly and intentionally" nor "the party that owns the Web site or has
> control over the Web site" can be determined programmatically).

Is there some reason that this specification can only be implemented if a user agent can determine programmatically the breadth of a first-party?

Your 5-step list also seems to include non-programmatically-determinable definitions ("share sufficient context ... such that the user has a reasonable expectation that data ... might be shared or combined"). Is your concern just that based on whatever definition of first-party we decide on, parties should assert their claims about their own breadth in the machine-readable tracking status resource? (That sounds like a laudable aim to me, and much what we had in mind for the dnt-sites list proposal from Brussels.)

> I suggest that we simply state:
> 
>  1) A first-party resource is a resource that has been designed for direct
>     interaction with a user.

Is this more programmatically determinable or more reasonable than the "meaningful interaction" test in the Compliance Editor's Draft? (The "Discoverability" alternative also refers to widgets "with which a consumer interacts".) If a Facebook Like button embedded on a newspaper website has been designed for direct interaction with a user but hasn't yet been clicked, should it get first-party privileges to track the request that loaded it?

>  2) When a user interacts with a given first-party resource, all subrequests
>     made to that first-party's domain or to any of the domains listed in the
>     same-party array within the first-party's tracking status resource are
>     also considered first-party resources; all other subrequests are considered
>     third-party resources.
> 
>  3) The same-party array MUST be limited to domains that are owned or controlled
>     by the same legal entity that owns or controls the first-party as well as
>     domains that qualify as third parties acting on behalf of this first party.
> 
>  4) The same-party array SHOULD be limited to domains that share sufficient
>     context with the first-party, such that the user has a reasonable expectation
>     that data provided to any of these domains might be shared or combined with
>     data provided to the other same-party domains.

These sound to me like nice summaries of the affiliates and user expectations definitions, respectively. (With the notable difference that outsourcing parties seem to be defined as the same party in your text.) Are you proposing that first parties have a hard requirement to meet the affiliates rule and a soft suggestion to meet the user expectations rule?

>  5) Data provided to first-party resources is subject to first-party compliance
>     requirements; data provided to third-party resources is subject to third-party
>     compliance requirements.
> 
> ....Roy
Received on Wednesday, 11 April 2012 03:58:08 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:27 UTC