Re: First-Party sets and the potential application of the JournalList trust.txt specification

> On 14 Jan, 2022, at 11:28, Nick Doty <ndoty@cdt.org> wrote:
> 
> For example, let's say that dobbsford.example and dobbstoyota.example are two car dealership sites, and users of both are aware of the common brand identity of the two sites. The Bob Dobbs who tells them "Bob Dobbs won't make you pay a lot for a Ford!" and the Bob Dobbs who tells them "Bob Dobbs won't make you pay a lot for a Toyota!" are the same recognizable advertising personality.
> 
> The two sites have the same design elements, shared copy, and privacy policy text. The two identical privacy policies state that the site will not allow your email address to be used for spam email if you provide it.
> 
> What was the user benefit here? As the user, did I want both dealerships to know what cars I was looking at on the other site without logging in?
> 

I think that the advantage of using a well-known-resource here is that at least the user, privacy researchers, and so on, can see and know that two sites are actually operated by the same entity, that they share data (and hence formal things like a common data controller). Equating sites in one-to-one correspondence with responsibility is pretty fraught – the complexity of the PSL shows how hard it is to disambiguate “they appear to share a part of the hostname but that’s a public suffix so that can’t be taken to imply sharedness”, but we have no such structures to identify the opposite, as far as I know – sites that appear distinct but actually are not. Movie companies often spin up dedicated sites for a new movie, but people are expected to ‘know’ that BoringMovie2022.com is actually a site owned and operated by BoringFilmCompany.com.

Whether the actual sharing/commonality there is to the users’ advantage is another question, of course.


David Singer
Multimedia and Software Standards, Apple

singer@apple.com

Received on Friday, 14 January 2022 19:43:07 UTC