
Re: [ISSUE-60] Will a recipient know if it itself is a 1st or 3rd party?

From: Tom Lowenthal <tom@mozilla.com>
Date: Thu, 27 Oct 2011 15:22:49 -0700
Message-ID: <4EA9D9B9.1020304@mozilla.com>
To: public-tracking@w3.org

I find David's position quite persuasive: most sites most of the time
know which party they are. There are times when it's less obvious
whether a site is a first or third party, and I think that we may be
able to leave it up to those sites to work it out.

In light of this, I thoroughly agree with Matthias: unless you know
you're a first party, you must act as if you're a third party. It's your
obligation to use a reliable heuristic and err on the side of respecting
user privacy.

On 10/18/2011 05:05 PM, David Singer wrote:
> For the most part, I think that a first or third party (a) is easy to
> define and (b) easy to identify.
> For a user, the first party is the site they chose to visit, and that
> they see they are visiting (the address in the address bar); 3rd parties
> are all other sites.
> As said below, many services know that they are only ever 3rd parties.
> For other services, it's usually the case (and they can easily make it
> so if not) that when they are used as 3rd parties, the URL identifies
> that fact (not many users choose to load
> http://www.example.com/tracer/1x1.gif, or other pieces of content
> designed only to be embedded).  And indeed, the browser could identify,
> if we really need it.
> The problematic cases I can see are (a) a site that is designed to be
> used both stand-alone and as a frame in another site or (b) frames that
> are designed to be included either in layup from the same site
> (whereupon they are first-party) or in a mash-up made on another site
> (whereupon they are 3rd).
> On Oct 16, 2011, at 4:55 , Jennifer Karan wrote:
>> Actually, I think that depending on the type of company, it might be
>> easy to determine if you are a third party.  For example, DoubleVerify
>> (a verification company), would never be a 1st party.  We are a
>> technology company.  Users do not come to us.  For content companies,
>> like Yahoo, this would not work, but ad servers, analytics, rich media,
>> data collectors, ad exchanges, etc., I think would always and would only
>> be a third party.  If we can agree to this, then, maybe like first
>> parties, we can have a conversation similar to the 1st party definitions
>> which says "when you know that you are the 3rd party...".
>> Jennifer
> David Singer
> Multimedia and Software Standards, Apple Inc.

On 10/15/2011 06:56 AM, Matthias Schunter wrote:
> Hi Kevin,
> thanks a lot for your valuable input.
> I believe that from a privacy point of view, we must require:
>   "1st party exemptions apply only if a site can reliably
>     determine that it is acting as a 1st party."
> With this said, I agree that we need to define "the" single way of
> 'reliably determining' whether a site is acting as 1st or 3rd party.
> As a consequence, I see two questions:
>  1. What are 'proven ways' / 'best practices' that work to determine
>     whether you are 1st or 3rd party (you gave input here and
>       I'll wiki-fy it)
>  2. NEW: Are hints from the browser helpful and do they make
>     determining 1st vs 3rd much simpler (in this case,
>     we may add such hints to the DNT header)
> Regards,
> matthias
> On 10/14/2011 11:31 PM, Kevin Smith wrote:
>> With this in mind, I think the best approach is that we simply don't
>> define how to determine whether a request is 1st or 3rd party.  We
>> just define the difference between the two and how a 1st or 3rd
>> party must behave when it receives a DNT request header.  Then we
>> leave it to the service to use the approach or combination of
>> approaches that makes the most sense for them.

Received on Thursday, 27 October 2011 22:24:00 UTC
