W3C home > Mailing lists > Public > public-tracking@w3.org > March 2012

Re: Third parties should not pretend to be first parties

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 29 Feb 2012 17:54:44 -0800
Cc: Tom Lowenthal <tom@mozilla.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-Id: <55C2FED8-E77D-4C18-A220-F8D0606D5328@gbiv.com>
To: Jonathan Mayer <jmayer@stanford.edu>
On Feb 29, 2012, at 5:11 PM, Jonathan Mayer wrote:

> Roy,
> 
> In the text I've seen, when a first party outsources to a third party, it remains a third party.
> 
> That's not a linguistic quibble.  First, outsourcing allows a third party to act like a first party in many ways, but it must respect significant siloing constraints.  Second, as far as user perceptions go, I don't think it's right to think of an outsourcing service as "the same party."  Third, for the sake of analytical clarity, it's best to avoid conflating what we allow outsourcing services to do and what we allow first parties to do.  Maybe those two will be coextensive—but we should be very explicit about it.
> 
> Jonathan

As far as I can tell, most of the text on "third-party" has been overly
simplistic regarding how websites actually work.  When a user accesses
Netflix, is Amazon the first-party?  I would think not.  I wouldn't expect
the user to think so either.  But Netflix is hosted on AWS

 http://techblog.netflix.com/2010/12/5-lessons-weve-learned-using-aws.html

which makes Amazon the operator (most of the time) and the entity
responsible for collecting data and adhering to their contractual
agreement with Netflix regarding its use, siloing, etc.  I see no
reason for Amazon to be considered as a party at all in this
interchange other than via the constraints on acting as a first-party.

....Roy
Received on Thursday, 1 March 2012 01:55:08 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:26 UTC