action-268, use of first and third party terms in the TPE from David Singer on 2012-11-14 (public-tracking@w3.org from November 2012)

From: David Singer <singer@apple.com>
Date: Tue, 13 Nov 2012 17:24:49 -0800
To: "public-tracking@w3.org WG" <public-tracking@w3.org>
Message-id: <8245AAE6-52BC-40DE-A430-8E21DEF31127@apple.com>
I was tasked with reviewing the occurrences of "first party" and "third party" in the TPE and making sure that when they are used, they are consistent with the compliance document, and achievable when building the API or using it.  I believe so; where machine-defined terms are needed, the TPE uses 'origin' nd 'top-level origin', 'document origin', and so on.  


I think this can close with no edits.


For the curious here are most of the sentences that use the terms first or third party:

* * * * * * 


Intro:
From the user's perspective, they are simply visiting and interacting with a single brand — the first-party Web property — and all of the technical details and protocol mechanisms that are used to compose a page representing that brand are hidden behind the scenes.

Data collection can occur both at the first-party site and via third-party providers through the insertion of tracking elements on each page.

A companion document, [TRACKING-COMPLIANCE], more precisely defines the terminology of tracking preferences, the scope of its applicability, and the requirements on compliant first-party and third-party participants when an indication of tracking preference is received.

Terminology:

The term user-granted exception is used when the user has permitted tracking by a given third party.

A companion document, [TRACKING-COMPLIANCE], defines many of the terms used here, notably 'party', 'first party', and 'third party'.

Expressing a preference:

When a user has enabled a tracking preference, that preference needs to be expressed to all mechanisms that might perform or initiate tracking by third parties, including sites that the user agent communicates with via HTTP, scripts that can extend behavior on pages, and plug-ins or extensions that might be installed and activated for various media types.

Likewise, servers might make use of other preference information outside the scope of this protocol, such as site-specific user preferences or third-party registration services, to inform or adjust their behavior when no explicit preference is expressed via this protocol.


Tracking status values:

1	First party: The designated resource is designed for use within a first-party context and conforms to the requirements on a first party. If the designated resource is operated by an outsourced service provider, the service provider claims that it conforms to the requirements on a third party acting as a first party.

3	Third party: The designated resource is designed for use within a third-party context and conforms to the requirements on a third party.

X	Dynamic: The designated resource is designed for use in both first and third-party contexts and dynamically adjusts tracking status accordingly. If X is present in the site-wide tracking status, more information must be provided via the Tkresponse header field when accessing a designated resource. If X is present in the Tk header field, more information will be provided in a request-specific tracking status resource referred to by the status-id. An origin server must notsend X as the tracking status value in the representation of a request-specific tracking status resource.

Hence, if a user agent is making a request in what appears to be a third-party context and the tracking status value indicates that the designated resource is designed only for first-party conformance, then either the context has been misunderstood (both are actually the same party) or the resource has been referenced incorrectly. For the request-specific tracking status resource, an indication of first or third party as the status value describes how the resource conformed to that specific request, and thus indicates both the nature of the request (as viewed by the origin server) and the applicable set of requirements to which the origin server claims to conform.

If the tracking status value is 1 and the designated resource is being operated by an outsourced service provider on behalf of a first party, the origin server mustidentify the responsible first party via the domain of the policy URI, if present, or by the domain owner of the origin server. If no policy URI is provided and the origin server domain is owned by the service provider, then the service provider is the first party.

(some examples)

Note that the tracking status resource space applies equally to both first-party and third-party services.

Well-known Resource:

An optional member named third-party may be provided with an array value containing a list of domain names for third-party services that might be invoked while using the designated resource but do not share the same data controller as the designated resource.

A key advantage of providing the tracking status at a resource separate from the site's normal services is that the status can be accessed and reviewed prior to making use of those services and prior to making requests on third-party resources referenced by those services.

Exceptions:

	• The solution should not require cross-domain communication between a first-party publisher and its third parties.

When asking for a site-specific exception, the top-level origin making the request may be making some implicit or explicit claims as to the actions and behavior of its third parties; for this reason, it might want to establish exceptions for only those for which it is sure that those claims are true. (Consider a site that has some trusted advertisers and analytics providers, and some mashed-up content from less-trusted sites). For this reason, there is support both for explicitly named sites, as well as support for granting an exception to all third-parties on a given site (site-wide exception, using the conceptual wild-card "*").

NOTE
Note that these strict, machine-discoverable, concepts may not match the definitions of first and third party; in particular, sites themselves need to determine (and signal) when they get 'promoted' to first party by virtue of user interaction; the UA will not change the DNT header it sends them.

Exception Transfer:
(many mentions of third party here, as it's all about third-party transfer)

The first party will not necessarily know in advance whether a known third party will use some other third parties.

The sub-services to the named third party do not acquire an independent right to process the data for independent secondary uses unless they, themselves, receive a DNT:0 header from the user agent (as a result of their own request or the request of a first-party).


David Singer
Multimedia and Software Standards, Apple Inc.
Received on Wednesday, 14 November 2012 01:25:17 UTC