Re: Multiple First Parties

From: Rigo Wenning <rigo@w3.org>
Date: Sun, 23 Sep 2012 22:09 +0200
To: public-tracking@w3.org
Cc: Rob Sherman <robsherman@fb.com>, Chris Pedigo <CPedigo@online-publishers.org>, Justin Brookman <justin@cdt.org>
Message-ID: <3541031.ai1VkB8yrK@hegel.sophia.w3.org>

Rob,

On Friday 21 September 2012 07:01:52 Rob Sherman wrote:
> Thanks very much for all of this feedback.  As I understand it,
> the group generally agrees that the party responsible for a
> website that a user visits is a first party on that
> website.  Text in the existing draft acknowledges that, in some
> circumstances, there may be more than one party responsible.

If we have multiple parties responsible, we have the everybody and 
nobody problem. This is very nicely exemplified by the yahoo/att 
example. Does Yahoo take responsibility for the ATT part and vice 
versa? How can the user determine where the data goes? I think there 
are serious holes in that bucket where data sprays out.

I think we should analyze where the first HTTP request goes. And 
this site can then take responsibility and declare "same-party" 
relations if they have a co-branding. But there must be one initial 
entity responsible. Responsible means also to which extent data is 
shared.

Having very few requirements for first parties means low protection 
despite the fact that information goes to multiple parties with the 
ability to share that data between them. This is going away from the 
siloing concept we have elsewhere. Taking into account our initial 
threat-model I don't see how your definition wouldn't mean the end 
of the "third-party" concept and continued information sharing 
between all those first parties. And the gain would be what? DNT for 
the sake of using more bandwidth with headers?

If multiple first parties are on the site, do they share information 
with each other? And how would you distinguish ATT content on a 
Yahoo site from Google ads on my homepage? In both scenarios, the 
other party is clearly identified. And as Google allows me to say 
"powered by Google ads" it is co-branding and people could 
reasonably expect to communicate with me and Google. I simply don't 
see how you could maintain a third party concept with your 
definition. 

Obviously, this reveals that I'm rather in favor of the second 
option (registrant of domain, currently in the spec) as this can be 
determined with rather high precision and everybody more or less 
knows where they stand. My experience with laws tells me that the 
gain in clarity outweighs the gain in expanding first party rights. 
Because the uncertainty has two sides: One may perhaps trespass and 
declare oneself one of multiple first parties. But the lack of 
clarity means that somebody else may have a well justified differing 
opinion and thus a liability risk lurks. 

Rigo
Received on Sunday, 23 September 2012 20:09:28 UTC
