- From: Tom Lowenthal <tom@mozilla.com>
- Date: Thu, 27 Oct 2011 15:22:49 -0700
- To: public-tracking@w3.org
- Message-ID: <4EA9D9B9.1020304@mozilla.com>
I find David's position quite persuasive: most sites most of the time know which party they are. There are times when it's less obvious whether a site is a first or third party, and I think that we may be able to leave it up to those sites to work it out.

In light of this, I thoroughly agree with Matthias: unless you know you're a first party, you must act as if you're a third party. It's your obligation to use a reliable heuristic and err on the side of respecting user privacy.

On 10/18/2011 05:05 PM, David Singer wrote:
> For the most part, I think that a first or third party (a) is easy to define and (b) easy to identify.
>
> For a user, the first party is the site they chose to visit, and that they see they are visiting (the address in the address bar); 3rd parties are all other sites.
>
> As said below, many services know that they are only ever 3rd parties.
>
> For other services, it's usually the case (and they can easily make it so if not) that when they are used as 3rd parties, the URL identifies that fact (not many users choose to load http://www.example.com/tracer/1x1.gif, or other pieces of content designed only to be embedded). And indeed, the browser could identify, if we really need it.
>
> The problematic cases I can see are (a) a site that is designed to be used both stand-alone and as a frame in another site or (b) frames that are designed to be included either in layup from the same site (whereupon they are first-party) or in a mash-up made on another site (whereupon they are 3rd).
>
> On Oct 16, 2011, at 4:55 , Jennifer Karan wrote:
>
>> Actually, I think that depending on the type of company, it might be easy to determine if you are a third party. For example, DoubleVerify (a verification company), would never be a 1st party. We are a technology company. Users do not come to us. For content companies, like Yahoo, this would not work, but ad servers, analytics, rich media, data collectors, ad exchanges, etc., I think would always and would only be a third party. If we can agree to this, then, maybe like first parties, we can have a conversation similar to the 1st party definitions which says "when you know that you are the 3rd party...".
>>
>> Jennifer
>
> David Singer
> Multimedia and Software Standards, Apple Inc.
>
>

On 10/15/2011 06:56 AM, Matthias Schunter wrote:
> Hi Kevin,
>
>
> thanks a lot for your valuable input.
>
> I believe that from a privacy point of view, we must require:
> "1st party exemptions apply only if a site can reliably
> determine that it is acting as a 1st party."
>
> With this said, I agree that we need to define "the" single way of
> 'reliably determining' whether a site is acting as 1st or 3rd party.
>
> As a consequence, I see two questions:
> 1. What are 'proven ways' / 'best practices' that work to determine
>    whether you are 1st or 3rd party (you gave input here and
>    I'll wiki-fy it)
> 2. NEW: Are hints from the browser helpful and do they make
>    determining 1st vs 3rd much simpler (in this case,
>    we may add such hints to the DNT header)
>
>
> Regards,
> matthias
>
> On 10/14/2011 11:31 PM, Kevin Smith wrote:
>> With this in mind, I think the best approach is that we simply don’t
>> define how to determine whether a request is 1st or 3rd party. We
>> just define the difference between the two and how a 1st or 3rd
>> party must behave when it receives a DNT request header. Then we
>> leave it to the service to use the approach or combination of
>> approaches that makes the most sense for them.

Received on Thursday, 27 October 2011 22:24:00 UTC