RE: Third parties should not pretend to be first parties from Kevin Smith on 2012-03-01 (public-tracking@w3.org from March 2012)

From: Kevin Smith <kevsmith@adobe.com>
Date: Thu, 1 Mar 2012 10:38:16 -0800
To: David Singer <singer@apple.com>
CC: Shane Wiley <wileys@yahoo-inc.com>, "Roy T. Fielding" <fielding@gbiv.com>, Jonathan Mayer <jmayer@stanford.edu>, Tom Lowenthal <tom@mozilla.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <6E120BECD1FFF142BC26B61F4D994CF3064CC1F881@nambx07.corp.adobe.com>

Aside from UA automation, I see no difference in your example.  If website 'a' employs analytics company 'b' to collect site usage statistics entirely for 'a's use, and 'b' is only employed exactly how, when, and where 'a' chooses to use them, and all functionality of the data collected is used for 'a' in creating, maintaining, and improving its site - to a visiting user, this is the same as if 'a' had written their own analytics and hosted their own databases.

In fact, many analytics and other service providers have both hosted and on-premise solutions.  The primary difference is just which server the tool lives on.  So again, to me, these seem like identical scenarios.

-kevin

-----Original Message-----
From: David Singer [mailto:singer@apple.com] 
Sent: Thursday, March 01, 2012 11:31 AM
To: Kevin Smith
Cc: Shane Wiley; Roy T. Fielding; Jonathan Mayer; Tom Lowenthal; public-tracking@w3.org
Subject: Re: Third parties should not pretend to be first parties

On Mar 1, 2012, at 10:23 , Kevin Smith wrote:

> David, 
> 
> How are they different?  They seem very similar to me.
> 
> 
>> It does seem that 'outsourcing some services' (e.g. analytics) and 'outsourcing the hosting' (service provider) are rather different, though they have some similarities.
>> 
> 

If I visit a site that's hosted by another party, the user thinks they are visiting 'a' when the actual server is owned by 'b'.  As long as we're careful with the definitions, we should be able to maintain 'a' as the 'first party', in this case.

When using an outsource service (e.g. analytics) there really are two (or more) distinct organizations involved in the actual network transactions, visibly (e.g. by different IP address), whereas when everything is hosted, there may well be only one.  So in the first case there is some 'clue' to the UA, whereas in the second there may be very little (beyond recognizing an IP address as being that of a hosting service, for example).

Again, with careful definition, these might not matter.

Finally, they may be different enough in people's minds to make it worth spelling them out in the document as two examples, even if the rules are written to be uniform across them.  We don't want lots of questions asking "where do hosting services fall into this?".

All possibly minor, I agree.

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Thursday, 1 March 2012 18:38:49 UTC