
Re: Third parties should not pretend to be first parties

From: David Singer <singer@apple.com>
Date: Wed, 29 Feb 2012 17:34:03 -0800
Message-id: <A534139B-3E7D-4CA5-ACAB-7716AD76CA2E@apple.com>
To: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>

On Feb 29, 2012, at 17:11 , Jonathan Mayer wrote:

> Roy,
> 
> In the text I've seen, when a first party outsources to a third party, it remains a third party.
> 
> That's not a linguistic quibble.  First, outsourcing allows a third party to act like a first party in many ways, but it must respect significant siloing constraints.  Second, as far as user perceptions go, I don't think it's right to think of an outsourcing service as "the same party."  Third, for the sake of analytical clarity, it's best to avoid conflating what we allow outsourcing services to do and what we allow first parties to do.  Maybe those two will be coextensive—but we should be very explicit about it.
> 
> Jonathan

I agree; I think there are differences between a site that is 'part of' a 1st party and a site that is 'acting for' the 1st party.  In the first case, data-flow can be two-way; in the second, it is one-way; and the silo constraints on the 3rd-party 'acting for' the first need stating, as does the ownership of responsibility for the data.

> 
> On Feb 29, 2012, at 4:58 PM, Roy T. Fielding wrote:
> 
>> On Feb 29, 2012, at 4:10 PM, Tom Lowenthal wrote:
>> 
>>> The aim is to prohibit anyone who isn't a first party from using the
>>> first-party options in the URI/Tk header, which even outsourced service
>>> providers shouldn't do. Perhaps we should add more detail to the
>>> outsourcing exception to deal with this case?
>> 
>> I've never understood why outsourced services should be considered
>> a different party if they adhere to the "acting as a first-party"
>> constraints.  They are, by contract and by practice and by view
>> of the user, the same party -- the only reason they differ at all
>> is because of the ownership/control definition in first-party.
>> If we just add outsourcing (or data processor) to the first-party
>> definition, we are done.
>> 
>> ....Roy
>> 
> 
> 

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Thursday, 1 March 2012 01:34:44 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:26 UTC