- From: Rigo Wenning <rigo@w3.org>
- Date: Sun, 23 Sep 2012 22:09 +0200
- To: public-tracking@w3.org
- Cc: Rob Sherman <robsherman@fb.com>, Chris Pedigo <CPedigo@online-publishers.org>, Justin Brookman <justin@cdt.org>

Rob,

On Friday 21 September 2012 07:01:52 Rob Sherman wrote:
> Thanks very much for all of this feedback. As I understand it,
> the group generally agrees that the party responsible for a
> website that a user visits is a first party on that
> website. Text in the existing draft acknowledges that, in some
> circumstances, there may be more than one party responsible.

If we have multiple parties responsible, we have the everybody and nobody problem. This is very nicely exemplified by the Yahoo/ATT example. Does Yahoo take responsibility for the ATT part and vice versa? How can the user determine where the data goes? I think there are serious holes in that bucket where data sprays out.

I think we should analyze where the first HTTP request goes. And this site can then take responsibility and declare "same-party" relations if they have a co-branding. But there must be one initial entity responsible. Responsible means also to which extent data is shared. Having very few requirements for first parties means low protection despite the fact that information goes to multiple parties with the ability to share that data between them. This is going away from the siloing concept we have elsewhere.

Taking into account our initial threat-model I don't see how your definition wouldn't mean the end of the "third-party" concept and continued information sharing between all those first parties. And the gain would be what? DNT for the sake of using more bandwidth with headers?

If multiple first parties are on the site, do they share information with each other? And how would you distinguish ATT content on a Yahoo site from Google ads on my homepage? In both scenarios, the other party is clearly identified. And as Google allows me to say "powered by Google ads" it is co-branding and people could reasonably expect to communicate with me and Google. I simply don't see how you could maintain a third party concept with your definition.

Obviously, this reveals that I'm rather in favor of the second option (registrant of domain, currently in the spec) as this can be determined with rather high precision and everybody more or less knows where they stand. My experience with laws tells me that the gain in clarity outweighs the gain in expanding first party rights. Because the uncertainty has two sides: One may perhaps trespass and declare oneself one of multiple first parties. But the lack of clarity means that somebody else may have a well justified differing opinion and thus a liability risk lurks.

Rigo

Received on Sunday, 23 September 2012 20:09:28 UTC