- From: Jonathan Mayer <jmayer@stanford.edu>
- Date: Wed, 29 Feb 2012 17:11:34 -0800
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: Tom Lowenthal <tom@mozilla.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Roy, In the text I've seen, when a first party outsources to a third party, it remains a third party. That's not a linguistic quibble. First, outsourcing allows a third party to act like a first party in many ways, but it must respect significant siloing constraints. Second, as far as user perceptions go, I don't think it's right to think of an outsourcing service as "the same party." Third, for the sake of analytical clarity, it's best to avoid conflating what we allow outsourcing services to do and what we allow first parties to do. Maybe those two will be coextensive—but we should be very explicit about it. Jonathan On Feb 29, 2012, at 4:58 PM, Roy T. Fielding wrote: > On Feb 29, 2012, at 4:10 PM, Tom Lowenthal wrote: > >> The aim is to prohibit anyone who isn't a first party from using the >> first-party options in the URI/Tk header, which even outsourced service >> providers shouldn't do. Perhaps we should add more detail to the >> outsourcing exception to deal with this case? > > I've never understood why outsourced services should be considered > a different party if they adhere to the "acting as a first-party" > constraints. They are, by contract and by practice and by view > of the user, the same party -- the only reason they differ at all > is because of the ownership/control definition in first-party. > If we just add outsourcing (or data processor) to the first-party > definition, we are done. > > ....Roy >
Received on Thursday, 1 March 2012 01:12:03 UTC