some input on action-227, the 'service provider flag', for discussion

There is a difference between an out-sourcing relationship for some purpose -- another site providing a service -- and the relationship with, for example, a hosting provider.  The out-sourced relationship appears as a different host and transaction, whereas the organization providing, for example, web hosting, is 'invisible'. This is true even though in many cases the host names will suggest that actual first party (e.g. is actually a site operated by a company other than, and is actually hosted by a company other than

For the case of an out-sourced relationship, it seems that there is a major difference for all concerned (the first party, the out-sourced, and the user) between the out-sourced site saying "I AM the first party" and "I am operating on behalf of the first party".   However, the current formulation of the well-known-resource does not state this; it states "I am designed and intended and presumed to be used in a first-party context".

An interesting example is a hypothetical re-direction service that is acting as a service provider for both the upstream and downstream, when a link is clicked.  To the upstream it siloes a report on how many out-bound clicks happened;  to the downstream it reports on how many in-bound visits happened.  In this case, the re-director typically won't have a like host-name to both, and its service-provider relationship would need to be stated for it to be able to claim that it's operating in a first-party context, as the usual state for re-directors is that they are third.

Another interesting case involves embedded widgets;  if the widget is embedded as part of a service-provider relationship, then the tracking all goes back to the one first party.  If not, up until the user interacts with the widget, it's in a third party context, and if the user interacts, he establishes a new first context with the widget provider. Knowing that the widget is acting as a service provider allows him to know his tracking will be centralized in the current first party, and clicking on it does not draw another party into tracking him (or her).

The flag itself in the well-known-resource, or an explicit provision in the first-party's well-kown resource identifying its service providers, would not seem to be burdensome.  It may be possible for service providers to indicate for whom they are providing service (which may be multiple parties, in fact) in a given context, but that may involve a 'dynamic response'.

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Friday, 10 August 2012 21:43:43 UTC