Re: [w3ctag/design-reviews] First-Party Sets (#342)

We discussed this again in our meeting last week. Having read the updated UA Policy document, we think this is an improvement. We have a couple more questions now though:

* Can you tell us more about the use cases for a single party with multiple domains placing those domains into different sets?
* We agree it's useful to mandate a particular UI surface to make sure web users are aware of all parties in common in a set as this gives sites less opportunity to potentially mislead people. What are your expectations around normative language regarding the UI? What are your thoughts about how it would be possible to mandate and test for this in the specification?
* We are concerned about the international applicability and future-proof-ness of language like "parent company" with respect to the owner/controller of sites/domains. Have you thought about how this would work in the face of different corporate structures?
  * Further, entities [frequently](https://www.icij.org/investigations/pandora-papers/) use structures like parent companies to obscure their true ownership; this can get very complex very fast and data is not always available to easily verify the connection. How does this impact the job of the independent enforcement entity? "Random spot checks" by the enforcement entity may not be sufficient when there is the potential for huge amounts of data leakage which it would not be possible to claw back if it was shared erroneously (data leaks by other means happen all the time, but it doesn't mean we want to add tools that let the UA facilitate them). Given the low barrier to registering a domain, one company could potentially register many dozens/hundreds of domains in order to participate ('illegally' as it were) in different sets with other organisations, and have a chance to fly under the radar of the enforcement entity for some time, possibly indefinitely.
  * Related is the worry about web users actually recognising the names of the controlling entities, or with sibling entities, when in practice they are only used to interacting with one or two particular subsidiary brands. It may be that presenting this information to a person visiting the site is functionally meaningless - they aren't really giving informed consent to data being shared within the set.

There is some language about pop-ups as a potential solution, which we think would be an unfortunate direction to go in.

In general, we remain concerned about the dependencies on things that don't fit as part of a web standard.


-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/342#issuecomment-947017381

Received on Tuesday, 19 October 2021 18:56:51 UTC