Privacy/TPWG/Proposals on elements for 1and3 party use

From W3C Wiki

This discussion aims to agree on whether, and if so in what form, we should retain the 1 and 3 signals in the current TPE spec. Please refer to ISSUE-241 for more information and related emails.

Elements for 1st and 3rd party in the TPE

Last Public Working Draft

5.2.3 First Party (1)
A tracking status value of 1 means that the origin server claims that the designated resource is designed for use only within a first-party context and conforms to the requirements on a first party. If the designated resource is operated by an outsourced service provider, the service provider claims that it conforms to the requirements on a third party acting as a first party.
For the site-wide tracking status and Tk header field, the tracking status values 1 and 3 indicate how the designated resource is designed to conform, not the nature of the request. Hence, if a user agent is making a request in what appears to be a third-party context and the tracking status value indicates that the designated resource is designed only for first-party conformance, then either the context has been misunderstood (both are actually the same party) or the resource has been referenced incorrectly.
For the request-specific tracking status resource, an indication of first or third party as the status value describes how the resource conformed to that specific request, and thus indicates the applicable set of requirements to which the origin server claims to conform.
5.2.4 Third Party (3)
A tracking status value of 3 means that the origin server claims that the designated resource conforms to the requirements on a third party.

Current Editors' draft

In the current Editors' draft, the above section no longer exists. Compliance with a potential 1st or 3rd party rule set would be implied by additional qualifiers.

5.5.4 Qualifiers Property
An origin server may send a property named qualifiers with a string value containing a sequence of case sensitive characters corresponding to explanations or limitations on the extent of tracking. Multiple qualifiers indicate that multiple explanations or forms of tracking might apply for the designated resource. The meaning of each qualifier is presumed to be defined by one or more of the regimes listed in compliance.
qualifiers = %x22 "qualifiers" %x22
qualifiers-v = %x22 *qualifier %x22
qualifier = id-char

Proposal 2 - descriptively defining 1st and 3rd party

Proposal by David Singer in the Working Group's call on January 29, 2014. Update of proposal from Nick, Rob S., Susan, Chris P.

This text would be added after the definition of the qualifiers field in the tracking status resource section. Comments and improvements most welcome.

While different compliance regimes can define requirements and uses of certain qualifiers, and a particular compliance regime might not require the use of qualifiers for particular activities to be permitted, the following qualifiers have the defined, descriptive meanings.

 "1": the resource is designed for usage as a first party
 "3": the resource is designed for usage as a third party
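How a user agent or auditing tool might read the qualifiers property under this proposal, as an added example that is not part of the wiki page, the proposal, or the TPE drafts. The function names and the sample status representations are constructed. Assumptions: id-char is not defined on this page, so a URI-safe character set is assumed, and comparing origins stands in for "appears to be a third-party context".

```javascript
// ASSUMPTION: id-char is not defined on this page; this character set is assumed.
const ID_CHAR = /^[A-Za-z0-9_\-+=\/]$/;

// Descriptive meanings from Proposal 2. Any other qualifier is left to the
// compliance regime(s) named by the origin server.
const DESCRIPTIVE = {
  "1": "designed for usage as a first party",
  "3": "designed for usage as a third party",
};

// Parse the qualifiers member of a tracking status representation (JSON).
// qualifiers-v = %x22 *qualifier %x22, where each qualifier is one id-char.
function parseQualifiers(statusJson) {
  const status = JSON.parse(statusJson);
  const raw = status.qualifiers;
  if (raw === undefined) return { present: false, qualifiers: [] };
  if (typeof raw !== "string") throw new TypeError("qualifiers must be a string");
  const qualifiers = [];
  for (const ch of raw) {
    // Characters are case sensitive, so "a" and "A" are distinct qualifiers.
    if (!ID_CHAR.test(ch)) {
      throw new SyntaxError("invalid qualifier " + JSON.stringify(ch));
    }
    qualifiers.push({ id: ch, meaning: DESCRIPTIVE[ch] || "defined by compliance regime" });
  }
  return { present: true, qualifiers };
}

// Applies the observation from 5.2.3 to the qualifier form (an assumption of
// this example): a resource designed only for first-party use, fetched in what
// appears to be a third-party context, means the context was misunderstood or
// the resource was referenced incorrectly. Origin inequality is only a
// heuristic, since two origins can belong to the same party.
function firstPartyOnlyInThirdPartyContext(parsed, resourceOrigin, topLevelOrigin) {
  const ids = parsed.qualifiers.map((q) => q.id);
  return ids.includes("1") && !ids.includes("3") && resourceOrigin !== topLevelOrigin;
}

// Constructed sample: a tracking resource that declares qualifier "1" plus a
// regime-specific qualifier "a".
const sample = parseQualifiers('{"tracking":"T","qualifiers":"1a"}');
console.log(sample.qualifiers);
console.log(firstPartyOnlyInThirdPartyContext(
  sample, "https://widgets.example", "https://news.example"));
```

A true result from the second function is a prompt to investigate, not a finding: the page's own text allows that both origins may belong to the same party.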

Proposal 3 - no change

Proposal by Roy Fielding

Leave text "as is" in current editor's draft (above).

Rationale:

The new definition of tracking makes distinctions between first and third party design obsolete.

A resource that is not tracking will respond as "N" in the TSV, which excludes the collection of data about other contexts. This means that the resource is either only used in one context (first-party) and never shares the data outside of that context, or doesn't collect any data about a particular user in other contexts. Either way, it isn't tracking and thus not subject to qualifiers.

A resource that might be tracking (or that later allows use or retention of the data received via that resource in a way that might result in a particular user's activity being observed across multiple distinct contexts) will respond as "T". Why would a resource that is designed only for use in a first-party context ever respond with "T"? The only reason I can think of is that the resource is designed for use on only one site, but shares the received data with other parties in a way that allows the particular user to be tracked. If so, why would the user consider that use of "1" to be better than a "3"?

The distinction between "1" and "3" was added at a time when we were effectively saying that any tracking by a first party was okay provided that the data is not shared with third parties. What we are now saying is that collecting data about a user's activity across multiple distinct contexts is tracking, whether or not the user is intentionally interacting with that party. Hence, knowing the user's intent is no longer relevant to the definition of tracking, which means that the first party distinction is no longer relevant to the user (aside from how it impacts the boundaries of a given context).

TPE does not need definitions of first or third party in order to describe the protocol. The current usage of those terms in TPE is legacy commentary that will be removed once we are clear on direction from the WG. This does not prevent those terms from being used within a given compliance regime, nor from being communicated in the TPE's qualifiers field after they have been appropriately defined by a compliance specification.