RE: [ISSUE-60] Will a recipient know if it itself is a 1st or 3rd party?

From: Kevin Smith <kevsmith@adobe.com>
Date: Sat, 15 Oct 2011 21:04:06 -0700
To: Matthias Schunter <mts@zurich.ibm.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <6E120BECD1FFF142BC26B61F4D994CF30635AEBB8E@nambx07.corp.adobe.com>

Matthias said:
> With this said, I agree that we need to define "the" single way of 'reliably determining' whether a site is acting as 1st or 3rd party.

I do not believe there is any single way or even collection of methods to accurately determine party.  I believe it is a logical question, not a technical question.  The service knows whether it's a 1st or a 3rd party based on which of their services is being accessed or their sub-domain strategy or possibly even the SLA of the client using the service.  Much (if not most) of the time, the party will not be provable using a generic methodology.

-----Original Message-----
From: public-tracking-request@w3.org [mailto:public-tracking-request@w3.org] On Behalf Of Matthias Schunter
Sent: Saturday, October 15, 2011 7:56 AM
To: public-tracking@w3.org
Subject: Re: [ISSUE-60] Will a recipient know if it itself is a 1st or 3rd party?

Hi Kevin,


thanks a lot for your valuable input.

I believe that from a privacy point of view, we must require:
  "1st party exemptions apply only if a site can reliably
    determine that it is acting as a 1st party."

With this said, I agree that we need to define "the" single way of 'reliably determining' whether a site is acting as 1st or 3rd party.

As a consequence, I see two questions:
 1. What are 'proven ways' / 'best practices' that work to determine
    whether you are 1st or 3rd party (you gave input here and
      I'll wiki-fy it)
 2. NEW: Are hints from the browser helpful and do they make
    determining 1st vs 3rd much simpler (in this case,
    we may add such hints to the DNT header)


Regards,
matthias

On 10/14/2011 11:31 PM, Kevin Smith wrote:
> With this in mind, I think the best approach is that we simply don't 
> define how to determine whether a request is 1st or 3rd party.  We
> just define the difference between the two and how a 1st or 3rd
> party must behave when it receives a DNT request header.  Then we
> leave it to the service to use the approach or combination of 
> approaches that makes the most sense for them.

--
Dr. Matthias Schunter, MBA
IBM Zurich Research Laboratory,  Ph. +41 (44) 724-8329
Homepage: www.schunter.org, Email: schunter(at)acm.org
PGP Fingerprint    989AA3ED 21A19EF2 B0058374 BE0EE10D
Received on Sunday, 16 October 2011 04:04:47 UTC
