Re: Third parties should not pretend to be first parties

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Wed, 29 Feb 2012 17:11:34 -0800
Cc: Tom Lowenthal <tom@mozilla.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-Id: <0EB5C7B0-6CB5-490D-997E-B7587D1C4DE3@stanford.edu>
To: "Roy T. Fielding" <fielding@gbiv.com>

In the text I've seen, when a first party outsources to a third party, it remains a third party.

That's not a linguistic quibble.  First, outsourcing allows a third party to act like a first party in many ways, but it must respect significant siloing constraints.  Second, as far as user perceptions go, I don't think it's right to think of an outsourcing service as "the same party."  Third, for the sake of analytical clarity, it's best to avoid conflating what we allow outsourcing services to do and what we allow first parties to do.  Maybe those two will be coextensive—but we should be very explicit about it.


On Feb 29, 2012, at 4:58 PM, Roy T. Fielding wrote:

> On Feb 29, 2012, at 4:10 PM, Tom Lowenthal wrote:
>> The aim is to prohibit anyone who isn't a first party from using the
>> first-party options in the URI/Tk header, which even outsourced service
>> providers shouldn't do. Perhaps we should add more detail to the
>> outsourcing exception to deal with this case?
>
> I've never understood why outsourced services should be considered
> a different party if they adhere to the "acting as a first-party"
> constraints.  They are, by contract and by practice and by view
> of the user, the same party -- the only reason they differ at all
> is because of the ownership/control definition in first-party.
> If we just add outsourcing (or data processor) to the first-party
> definition, we are done.
> ....Roy

Received on Thursday, 1 March 2012 01:12:03 UTC