- From: Rigo Wenning <rigo@w3.org>
- Date: Wed, 26 Sep 2012 14:31:50 +0200
- To: public-tracking@w3.org
- Cc: Mike O'Neill <michael.oneill@baycloud.com>
Mike,

On Wednesday 26 September 2012 12:34:02 Mike O'Neill wrote:
> I read the same-party member as being a list of 3rd party elements
> on the 1st party page that can be taken as also 1st party, i.e.
> if an ad from webmail.com gets hit when someone visits a
> bigisp.net page they can track because they say they are joint
> 1st party.

That was the initial use case. So yes, that's the current meaning. We can either extend that meaning or create another element if that would be one solution to your use-case, but I have doubts about my own suggestion now.

> If the meaning was expanded so as to apply also to
> sites not referenced by elements on any page, it might work,
> though the list could get very long (one of the Multibrand-Incs I
> know has over 2000 sites). I suppose a new same-party list could
> add to an existing one in the grants db, but how would you match
> them up?

From an implementation point of view, you would give them a unique ID. From a specification point of view, I wouldn't proscribe anything.

> It also bypasses the same-origin security model, which I think is
> a good aspect of the present TPE spec. If that was avoided here
> there would be no point in keeping it.

This is, I think, a decisive argument against my suggestion. But as your use case is valuable, what are the alternatives?

With 2000 sites belonging to the same entity, we are also at the limit of what notice & choice, let alone data self-determination, can do. A user will not understand this. What a user would understand is a message saying: "This site belongs to example Inc. You have already agreed to share data with example Inc in your decision on example.com, proceed?" But that is annoying the user too much. Creative ideas welcome.

We could though have the exception dialog mention the legal entity and shoot a list of domains to the user agent that contains all the sites belonging to that same entity. But that kills the nice simplicity of the protocol and the model.

> I think the use case also applies outside the EU context.

I agree. Shane had taken that up with web-wide exceptions of third parties. Shane's use case is one (third party) in conjunction with many (first parties). Here you want a format to express that those many are really only one. A list helping the browser to understand would help. But this requirement would not oblige the browser to do something with it. It could just use it to determine whether to prompt or not. This could be done in the exception mechanism or in the WKL discovery. If it is just an offer for information for a user agent, it would also not break the same-origin security model. Question is whether the browser folks find that useful and implementable.

Rigo

Received on Wednesday, 26 September 2012 12:32:16 UTC