
Re: [ISSUE-60] Will a recipient know if it itself is a 1st or 3rd party?

From: Kevin Trilli <ktrilli@truste.com>
Date: Sun, 16 Oct 2011 22:08:33 -0700
To: Bjoern Hoehrmann <derhoermi@gmx.net>, Kevin Smith <kevsmith@adobe.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <189BD417-992E-4DB2-94C8-789EEFD3F3C0@truste.com>

> I agree that formulating some algorithm that would deterministically answer who in some particular situation is first party and who is not, that suits everybody in all circumstances is probably impossible, but I also do not see why that would be a requirement or why that could not be met by changing the status quo. If browser can know who is 1st and who is 3rd party, they can put that information into their requests, for instance. If the group wishes to discriminate between 1st and 3rd party requests, I would not regard such a requirement as out of scope either.


One approach could be that a given 1st party, who is ultimately responsible for all tracking that occurs on its website and who understands the context of any alleged first party behavior on the site, could create a machine-readable file, as part of their privacy policy, of all 1st party domains under their affiliation. The site can also include any 3rd party domains acting on their behalf (service provider, data processor) that might exist either in their own domain or in the 1st party's domain. This external file can be certified and/or monitored to confirm integrity if desired.

At run-time, this file can serve as a filter to identify any third parties present on the site such that appropriate DNT interactions can occur.  Any domain not listed as a first party is considered a third party and processed as such (including exemptions).

This to some degree occurs in privacy policies today, where policies that cover multiple domains are identified as such, so this seems like some simple housekeeping to add to the process of policy creation, which I would assume already happens somewhere already in the first party's company.  But, there are some maintenance issues associated with such an approach as sites can be dynamic.

A number of uncertain operational issues probably exist, that I am far from an expert on.  But this approach would at least provide a foundation for providing the mechanism for 1st party registration to provide a basis for determining third party status.






On Oct 15, 2011, at 9:32 PM, Kevin Smith wrote:

>> If it is relatively easy to establish that you are the first party, you can assume that when you do not positively establish that, then you are the third party; that would make both determinations equally "easy" even if the determinations might not be equally as accurate.
> 
> I worded this poorly.  I was not suggesting that it was actually easier to determine 1st party than 3rd, but rather that 'technical' rules could more easily be defined that would show that it was a 1st party.  However, as I have stated in other parts of the thread now, I think the service will usually know what party it is, even when it cannot be 'proven' by looking at the request.  However, I think it's reasonable that if a service is ever unsure of its party, it should assume that it's a 3rd.
> 
>> If browser can know who is 1st and who is 3rd party, they can put that information into their requests, for instance. If the group wishes to discriminate between 1st and 3rd party requests, I would not regard such a requirement as out of scope either.
> 
> The browser would not know what party it is, but they would know whether the request domain matched the site's domain, which may be helpful in determining party.  I would be interested in hearing from the browser guys whether they think this type of information would be appropriate to be passed to an embedded request, especially in cases like iframes where info about the surrounding environment is intentionally limited.  I personally think that since this does not really solve the problem anyway, it might complicate things more than it helps.
> 
> 
> -----Original Message-----
> From: Bjoern Hoehrmann [mailto:derhoermi@gmx.net] 
> Sent: Saturday, October 15, 2011 7:18 PM
> To: Kevin Smith
> Cc: public-tracking@w3.org
> Subject: Re: [ISSUE-60] Will a recipient know if it itself is a 1st or 3rd party?
> 
> * Kevin Smith wrote:
>> In Boston, we talked about how in some cases such as iFrames, a site or 
>> service may not know whether it was 1st or 3rd party.  As I thought 
>> more about this, I think the problem might actually be much more 
>> widespread than iframes.  I do not think there is any generic way to 
>> determine if even a normal request is a 3rd or 1st party request, 
>> because the server does not know what domain or site the user is actually on.
> 
> You can't tell from an arbitrary HTTP request where the top-level window in a user's browser is from in all cases, that is correct. Reasons include that the HTTP request might not be coming from a user agent that has a concept of a top-level window. With the "differently-branded" concept, I myself as a citizen would not be able to tell 1st and 3rd party apart either. Is flickr a 1st party when I read my Yahoo! mails? Is some foo.example.com host 1st party from www.example.com even if the former is mapped to some "obviously" 3rd party host?
> 
>> In other words, it's much easier to say "this is a 1st party" than "this 
>> is not a 1st party", although even that may be inaccurate sometimes.
> 
> If it is relatively easy to establish that you are the first party, you can assume that when you do not positively establish that, then you are the third party; that would make both determinations equally "easy" even if the determinations might not be equally as accurate.
> 
>> Consequently, I do not think it's technically feasible to come up with a 
>> method or combination of methods that would always accurately determine 
>> party.  And if it were possible, it is probably outside the scope of 
>> this document.
> 
> I agree that formulating some algorithm that would deterministically answer who in some particular situation is first party and who is not, that suits everybody in all circumstances is probably impossible, but I also do not see why that would be a requirement or why that could not be met by changing the status quo. If browser can know who is 1st and who is 3rd party, they can put that information into their requests, for instance. If the group wishes to discriminate between 1st and 3rd party requests, I would not regard such a requirement as out of scope either.
> --
> Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
> Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
> 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
> 
Received on Monday, 17 October 2011 05:09:08 UTC
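
The run-time filter proposed in the message above, sketched as an added example that is not part of the original thread: a declaration file lists first-party and service-provider domains, and any host not covered by it is treated as a third party. The JSON layout, field names and domains are assumptions made for illustration; the thread defines no format.

```python
import json

# Constructed sample declaration. The JSON layout and field names are
# hypothetical; the thread does not define a file format.
SAMPLE_DECLARATION = """
{
  "first_party": ["example.com", "example-shop.test"],
  "service_providers": ["metrics.example.com", "cdn.vendor.test"]
}
"""


def normalize(host):
    """Lowercase a host name and drop surrounding space and a trailing dot."""
    return host.strip().lower().rstrip(".")


def covers(listed, host):
    """True if host is the listed domain or a subdomain of it.

    Matching on a label boundary keeps "notexample.com" from being
    treated as part of "example.com".
    """
    return host == listed or host.endswith("." + listed)


def load_declaration(text):
    """Parse the declaration into role -> list of normalized domains."""
    data = json.loads(text)
    return {
        "first_party": [normalize(d) for d in data.get("first_party", [])],
        "service_provider": [normalize(d) for d in data.get("service_providers", [])],
    }


def classify(host, declaration):
    """Return the role of host; anything not listed is a third party."""
    host = normalize(host)
    role, best = "third_party", -1
    for candidate, domains in declaration.items():
        for listed in domains:
            # The most specific listed domain wins, so a service provider
            # hosted under the first party's own domain keeps its role.
            if listed and covers(listed, host) and len(listed) > best:
                role, best = candidate, len(listed)
    return role


DECLARATION = load_declaration(SAMPLE_DECLARATION)
```

Defaulting unlisted hosts to third party matches the fallback suggested earlier in the thread for a service that is unsure of its party.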
