Re: Draft Language on Interaction with Third-Party Content

From: David Singer <singer@apple.com>
Date: Thu, 27 Oct 2011 16:54:03 -0700
Message-id: <2DDE04A7-5CCC-4F79-86A5-C72CBCFEB578@apple.com>
To: "public-tracking@w3.org Group WG" <public-tracking@w3.org>

The more I think about how to distinguish 3rd and 1st parties, the more of a nightmare it is.

I think that the natural definition of the 1st party is "the site that the user intended to visit or thinks they are visiting".

If I publish something as a syndicatable piece of content, i.e. viewable stand-alone, and embeddable in a frame, and make it accessible from my site and others, I don't think there is anything in the headers that helps me know which way the user is using it.  That is, the server typically cannot know whether it's the site the user visited (and hence 1st party) or is embedded in some other site (and hence 3rd, until the user interacts if we accept Jonathan's proposal).

Worse, 'the site the user thinks they are visiting' and 'the site in the address bar' might not always be the same; it's not uncommon to provide links that are apparently to other sites ("click here to read the original story on PQS News") when the link is actually to a page on the original, or another, site that merely *embeds* the story from PQS News.  The user *thinks* they are at PQS News, but actually the top-level context is somewhere else.

Some people have argued that all visible content is naturally 1st party (really); but this is hopeless.  How do I (as a browser) tell the difference between 1x1.gif, a social media 'like' (potentially tracking) button, a frame, etc.?  At what point does content become 1st party because of its size?  It doesn't, as far as I can tell.

Maybe we could get the browser to identify in the HTTP header "you are the 1st party", "you are the 3rd party", but then there is a temptation to lie to even the 1st party that they are third; and this enables sites to refuse to serve except when identified as the 1st party ("you can't deep link me").

I think that the route that Jonathan is going around interaction may be more fruitful than trying to tease the parties apart.  Maybe DNT says "nobody tracks me except those who I interact with"?

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Thursday, 27 October 2011 23:54:33 UTC