Re: [w3ctag/design-reviews] First-Party Sets (#342)

Hi! One concern I have is the potential for first party sets to expand the definition of what consists of a “first party” and a “third party” while at the same time web users are becoming ever more aware of their privacy and web browsers are responding by adding privacy features (which in some cases depend on that definition).

In the PrivacyCG call last week (https://github.com/privacycg/meetings/blob/main/2021/telcons/03-11-minutes.md), Kaustubha stated that one mitigation against misuse of FPS would be to “require all the domains in the set are owned by the same organization.” I'd like to drill down on that. First of all, who is requiring that? Would it be up to the browser maker to do so? In which case, does this mean there would be specific allow-lists of first party sets (the “UA policy”)? It's asserted that FPS is better than browsers that ship with “an entity list that defines lists of domains belonging to the same organization” because it allows these organisations to declare their own list of domains. However, isn't a UA policy just another list of allowable domains? Secondly, what counts as an "organization" in this instance? Amazon.co.uk and Amazon.com, for example, are two distinct organisations in two different privacy-regulatory regions. So in that sense, treating them both as the same first party may be counter to relevant data protection laws?

-- 
https://github.com/w3ctag/design-reviews/issues/342#issuecomment-799574446

Received on Monday, 15 March 2021 16:50:23 UTC