Re: First-Party sets and the potential application of the JournalList trust.txt specification from Robin Berjon on 2022-01-13 (public-privacycg@w3.org from January 2022)

From: Robin Berjon <robin@berjon.com>
Date: Thu, 13 Jan 2022 17:44:01 -0500
To: "Zucker-Scharff, Aram" <Aram.Zucker-Scharff@washpost.com>
Cc: "public-privacycg@w3.org" <public-privacycg@w3.org>, Scott Yates <scott@journallist.net>
Message-ID: <dbb3cde6-f72c-b459-d03c-5aee06c1bd1b@berjon.com>

Hi all,

On 2022-01-13 12:52, Zucker-Scharff, Aram wrote:
> I’ll be upfront here and note that I don’t think FPS is a specification 
> that is generally desirable to achieve, if doing so is even possible. 
> There is a lot of interesting stuff in there, but I don’t think the idea 
> of an independent entity that oversees this stuff is maintainable nor do 
> I think it is a good use of resources. I think that the likely better 
> way to accomplish FPS’s goals is to force domains to no longer be 
> separated, but instead run off a single TLD, if they want to share data. 
> This sucks for a lot of reasons we all could talk to for days, but I 
> think if the goal is to create a way for sites to share data that users 
> can understand and interact with, no way is clearer to users than 
> looking up at the URL and seeing the domain of the entity they are 
> interacting with. That said, I’m going to note the issues I see here 
> with the assumption that work on FPS will continue to move forward:

Just to clarify my position: I only meant to indicate that I don't think 
that FPS provides the magic GDPR data sharing pixie dust that people 
seem to think it would. I thought that was worth mentioning because it's 
a hope I've heard people express in various places. And even forgetting 
the GDPR (which isn't universal) and just proceeding from first 
principles, it's still a privacy issue and untrustworthy behaviour.

Where FPS more generally is concerned, I have a slightly milder take 
than Aram's. I see some value in the use case of needing shared 
credentials for a separate user-provider content domain, but FPS seems 
overkill for that. The other use cases strike me as things that could be 
supported with better identity management in the browser (built for 
users more than for the benefit of the browser vendor's identity 
ecosystem), no?

-- 
Robin Berjon
VP Data Governance
The New York Times Company

Received on Thursday, 13 January 2022 22:44:15 UTC