Re: [w3ctag/design-reviews] First-Party Sets (#342)

> Hi! One concern I have is the potential for first party sets to expand the definition of what consists of a “first party” and a “third party” while at the same time web users are becoming ever more aware of their privacy and web browsers are responding by adding privacy features (which in some cases depend on that definition).

@torgo When you say "expand the definition", I think you are referring to the fact that today "first-party" is essentially defined as "same-domain". Unfortunately, domain names are an artifact of the DNS, the primary purpose of which is to map human-readable names to IP addresses. The premise of First-Party Sets (FPS) is that in today's highly composable web, (a) sites are deployed over multiple domain names (sometimes for reasons such as security or localization), and (b) domain names typically serve as brand indicators for the web; therefore, treating "same-domain" as "first-party" is too limiting and antiquated. We are indeed seeking to define a privacy boundary for the web that is more realistic than the domain name; but we want to make sure that we are drawing the boundary correctly, and surfacing the information to users appropriately via UA Policy and UI affordances.

> First of all, who is requiring that? Would it be up to the browser maker to do so? 

Yes, browser makers should require that any first-party sets accepted by the browser have been previously approved per the "UA policy". Ideally, this verification process is conducted by an independent entity. The WebPKI / TLS certificate issuance serves as precedent here.

> In which case, does this mean there would be specific allow-lists of first party sets (the "UA policy")? It's asserted that FPS is better than browsers that ship with "an entity list that defines lists of domains belonging to the same organization" because it allows these organisations to declare their own list of domains. However, isn't a UA policy just another list of allowable domains?

Yes, the UA policy will essentially result in an allowlist of FPS assertions. The reasons I think this is better than the entity lists that some browsers currently ship:

- First-party sets would be asserted by the site developers themselves and should be less prone to mistakes (assuming we put appropriate safeguards in place, such as requiring proof of ownership, relatively short expirations, etc.). As an example, the Disconnect.me entity list has at least a couple of mistakes (com.com is incorrectly [listed](https://github.com/disconnectme/disconnect-tracking-protection/blob/e01b37ac4a9d952d8129deed829f338454acaac6/entities.json#L2848) as a CBS property, and yahoo.co.jp is incorrectly [listed](https://github.com/disconnectme/disconnect-tracking-protection/blob/e01b37ac4a9d952d8129deed829f338454acaac6/entities.json#L11744) as a VerizonMedia property).
- The Disconnect.me list doesn't have a clearly articulated policy and process. Modifying the list appears to be informally managed on GitHub, and it is not clear whether browser vendors ship the list without additional modifications. Having a documented UA policy and process will bring more transparency to users, and predictability to site authors.
- My understanding is that the Disconnect.me entities list currently serves as an "exception list" to the "trackers list", and is not comprehensive.

> Secondly, what counts as an "organization" in this instance? Amazon.co.uk and Amazon.com, for example, are two distinct organisations in two different privacy-regulatory regions. So in that sense treating them both in the same first party may be counter to relevant data protection laws?

Sorry, I'm not sure if there are two questions here. IIUC, the question is primarily about FPS's application to privacy regulations. Note that being part of the same First-Party Set does not preclude organizations from conforming to privacy regulations. FPS only defines "first-party" from the browser's perspective; organizations still have to do their due diligence, decide whether the domains really should be part of the same FPS, and conform to regulations (just as they have to do today on browsers where third-party cookies are available and cross-domain sharing is possible).

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/342#issuecomment-799709089

Received on Monday, 15 March 2021 19:55:56 UTC