Re: Parties and First Party vs. Third Party (ISSUE-10) from David Singer on 2012-03-28 (public-tracking@w3.org from March 2012)

From: David Singer <singer@apple.com>
Date: Wed, 28 Mar 2012 14:55:12 -0700
To: Lauren Gelman <gelman@blurryedge.com>
Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-id: <C7E4A249-5416-4BE9-A646-46179FE89B08@apple.com>

On Mar 28, 2012, at 11:35 , Lauren Gelman wrote:

> 
> Is there consensus on (b).  

I thought so.  We discussed in Brussels the scenario: the user has a relationship with site A, and has agreed (for example) to their privacy policy. A has represented that site B is part of the same party, and data has passed from A to B.  B now does something contrary to the policy with the user's data.  The user complains to A (who they have a relationship with).  A *cannot* now respond "that's not me, that's someone else, take it up with them" because they previously claimed to be the same party.

> 
> On Mar 27, 2012, at 4:44 PM, David Singer wrote:
> 
>> After reading this thread, I am still unsure as to what concrete problem is being addressed.
>> 
>> Did we not have requirements before that to be considered a single party, two sites must 
>> a) make that party relationship discoverable
>> and
>> b) have a legal relationship such that data flows between the sites are protected by the same obligations, duties etc. (I don't recall the phrasing).
>> 
>> ?
>> 
>> 
>> It seems that we need to cover the cases:
>> * a 1st party asks for exceptions; I think it beholden on the party to explain how broadly this applies ("this permission is not just for the bogville chronicle, but all organizations in the BogNews group").
>> * a 3rd party wants a web-wide exception; again, the same applies - explain to the user the affected properties;
>> * a site that the UA doesn't immediately detect as the 1st party sends the return header "I am the first party" - the UA can check that they are, or smell a rat.
>> 
>> Under what circumstances do we need something more than (and more subjective than) (a) and (b) above (suitably phrased), to meet these needs?  What does (for example) a 'branding' requirement add?
>> 
>> 
>> 
>> 
>> David Singer
>> Multimedia and Software Standards, Apple Inc.
>> 
>> 
> 
> Lauren Gelman
> BlurryEdge Strategies
> 415-627-8512
> gelman@blurryedge.com
> http://blurryedge.com
> 

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Wednesday, 28 March 2012 21:56:17 UTC