W3C home > Mailing lists > Public > public-tracking@w3.org > March 2012

Re: Third parties should not pretend to be first parties

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Wed, 29 Feb 2012 18:00:12 -0800
Cc: Tom Lowenthal <tom@mozilla.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-Id: <F0DA92A9-9E36-4DE8-8EB0-8E6B5EB6E0BD@stanford.edu>
To: "Roy T. Fielding" <fielding@gbiv.com>
The provisions on outsourcing are not "overly simplistic" in the slightest.  The group worked through them at Santa Clara, on the list, and on multiple calls.  We've talking through myriad hypotheticals, including service providers like a cloud computing platform.

Unless you have a new use case, I think this is all long since closed.


On Feb 29, 2012, at 5:54 PM, Roy T. Fielding wrote:

> On Feb 29, 2012, at 5:11 PM, Jonathan Mayer wrote:
>> Roy,
>> In the text I've seen, when a first party outsources to a third party, it remains a third party.
>> That's not a linguistic quibble.  First, outsourcing allows a third party to act like a first party in many ways, but it must respect significant siloing constraints.  Second, as far as user perceptions go, I don't think it's right to think of an outsourcing service as "the same party."  Third, for the sake of analytical clarity, it's best to avoid conflating what we allow outsourcing services to do and what we allow first parties to do.  Maybe those two will be coextensive—but we should be very explicit about it.
>> Jonathan
> As far as I can tell, most of the text on "third-party" has been overly
> simplistic regarding how websites actually work.  When a user accesses
> Netflix, is Amazon the first-party?  I would think not.  I wouldn't expect
> the user to think so either.  But Netflix is hosted on AWS
> http://techblog.netflix.com/2010/12/5-lessons-weve-learned-using-aws.html
> which makes Amazon the operator (most of the time) and the entity
> responsible for collecting data and adhering to their contractual
> agreement with Netflix regarding its use, siloing, etc.  I see no
> reason for Amazon to be considered as a party at all in this
> interchange other than via the constraints on acting as a first-party.
> ....Roy
Received on Thursday, 1 March 2012 02:00:53 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:46 UTC