Bad (or good) behaviour by first parties

[jwrosewell]

Section 2.13 “How does this specification distinguish between behaviour in first-party and third-party contexts?” does not consider that first parties can be a threat to privacy and security. It assumes only third parties can be bad.

Section 3.4 “3.4. Third-Party Tracking” only considers tracking associated with third parties. It should consider tracking by any party.

First parties have the potential to perform harms just as much as third parties. The document should be expanded to reflect this.

[lknik]

Hello,

Thanks for the feedback.

Section 2.13 “How does this specification distinguish between behaviour in first-party and third-party contexts?” does not consider that first parties can be a threat to privacy and security. It assumes only third parties can be bad.

This question is very specific and tries to understand how features distinguish between behavior in different modes of operation. It does not imply that "first parties" cannot be a threat.

Section 3.4 “3.4. Third-Party Tracking” only considers tracking associated with third parties. It should consider tracking by any party.

First parties have the potential to perform harms just as much as third parties. The document should be expanded to reflect this.

I always thought this is implicitly understood, after all - when a user grants e.g. permission to use a specific feature, the first party is in control of something powerful.

[jdwieland8282]

I tend to agree with @jwrosewell , the way the document is laid out there is an implication that only 3rd party tracking is nefarious. A more balanced document would have a heading "Tracking" with two sub sections, "third party tracking" & "first party tracking". Each section should contain a description of the limits or rules each party operates under.

[lknik]

I tend to agree with @jwrosewell , the way the document is laid out there is an implication that only 3rd party tracking is nefarious. A more balanced document would have a heading "Tracking" with two sub sections, "third party tracking" & "first party tracking". Each section should contain a description of the limits or rules each party operates under.

Balanced? Rather than arguing for a specific point, the document's core is not about tracking, but web features and the risks they can bring. Risks can obviously exist both in first and third party context, though.

The document actually speaks of thinking in first-party terms also:

The behavior of a feature should be considered not just in the context of its being used by a first party origin that a user is visiting but also the implications of its being used by an arbitrary third party that the first party includes

"Not just" implies that both are worth to tackle.

[dbaron]

Specifically regarding tracking, I think there is a substantial difference between first-party and third-party tracking because they differ substantially in:

• how much they differ from user expectations
• how visible they are to the user.

For example, if somebody goes to facebook.com, they probably expect that facebook.com knows something about their visit, what they click on on the page, etc. It's also relatively clear that facebook.com is what they're interacting with.

On the other hand, if they go to read a news article on reuters.com, they are much likely to have these expectations about what facebook does to track what they're doing. A user doing so does not naturally expect facebook to track what they're doing on reuters.com, nor is it clearly visible to the user that facebook is doing so.

[jwrosewell]

If we're designing for a world where someone can visit reuters.com (other publishers are available) and trusts Thomson Reuters then it is up to Thomson Reuters to decide who Thomson Reuters do and do not trust. If Thomas Reuters abuse the trust someone placed in them because a third party committed a bad act there will be sanctions for Thomas Reuters. This is a concept encapsulated in GDPR very effectively.

I don't believe the W3C should be designing standards or assessing proposals which remove these trust choices from people or publishers. Therefore the differentiation between first parties, third parties, and browser vendors implementing W3C standards needs to be considered further.

The document could be expanded to consider the identification and reporting of bad acts to support the sanctions provided for under law no matter the role of the parties.

[lknik]

If we're designing for a world where someone can visit reuters.com (other publishers are available) and trusts Thomson Reuters then it is up to Thomson Reuters to decide who Thomson Reuters do and do not trust. If Thomas Reuters abuse the trust someone placed in them because a third party committed a bad act there will be sanctions for Thomas Reuters. This is a concept encapsulated in GDPR very effectively.

While an interesting concept and discussion, I'm not quite sure such discussion is at the core use goal of the document. As for the regulatory side, this document is not part of compliance with any data protection regime. It can help to make some matters understood, but it should not subscribe to any particular law framework.

I don't believe the W3C should be designing standards or assessing proposals which remove these trust choices from people or publishers. Therefore the differentiation between first parties, third parties, and browser vendors implementing W3C standards needs to be considered further.

This document does not "remove trust choices from people or publishers". It's a questionnnaire intended for feature developers. That said, no doubt that first parties can be involved in abusive behavior, of course.

The document could be expanded to consider the identification and reporting of bad acts to support the sanctions provided for under law no matter the role of the parties.

That's an important comment so thank you. Testing implementations and actual use is a role for research (which is keenly advised and welcomed). This is also clear from the many references the questionnaire uses. For sure an important point, but this is not the key goal of the questionnaire - auditing the abuse of features should be important though, and I believe if such potential risk of abuses are found they can be documented already in the questionnaire and in the respective privacy considerations of each spec.

[jwrosewell]

Legal Framework

Whilst the W3C lacks a policy in relation to matters of regulation each participant and document contributors form their own view. In my case, as a European, I’m skewed towards the GDPR. Speaking with a lot of other participants from other geographies I understand that GDPR is held in high regard and is used as a foundation for other legal frameworks. I therefore used the GPDR illustratively in the example. It would be helpful if the W3C adopted an official baseline policy on all matters including privacy.

Trust Choices

In the case of a change to a de facto standard which I believe has been implemented by Apple, Mozilla and, shortly Google around third-party cookies, trust choices have been removed from people and publishers. This is not in debated.

Document such as this provide legitimacy for such changes to de facto standards. Where proposals are presented to TAG for review this document along with Ethical Web Principles are most often cited.

In practice these matters are related and do result in a removal of trust choices for some stakeholders.

Transparency

Within the IAB Tech Lab Project Rearc there is a dedicated work stream focused on Accountability. IAB Europe have Transparency and Control Framework (TCF). The Partnership for Responsible Addressable Media (PRAM) principle 1 states “[provide] consumers with meaningful transparency and controls, giving the marketplace the tools to understand consumer preferences and the ability to abide by those preferences.”

The W3C could follow these organisations models and embrace the need for transparency and accountability as part of the work.

To conclude this specific issue the document should be modified in the following way.

1. Reference the need for a W3C policy on all matters including privacy.
2. In the absence of such a policy list its assumption referencing reasonable legal frameworks such as GDPR. Alternatively pause the use of the document until a W3C wide policy on all matters is available.
3. Redefine parties to reflect the policy or legal framework chosen.
4. Also consider matters of antitrust raised in this related issue.

[lknik]

Hello,

Thanks for your input, which is highly appreciated. Please see my remarks below.

1. Reference the need for a W3C policy on all matters including privacy.

I'm not sure if this is the role of this document, which is meant for feature developers.

2. In the absence of such a policy list its assumption referencing reasonable legal frameworks such as GDPR. Alternatively pause the use of the document until a W3C wide policy on all matters is available.

This questionnaire is not a legal document, and as such does not need a legal justification nor grounds. I do not feel the need to "pause the use of the document", which was basically used for many years now and is an integral part of the W3C spec review process. I feel it would be unhelpful and stall the privacy review aspect of new web features.

3. Redefine parties to reflect the policy or legal framework chosen.

This is not a legal document and it does not require any legal backing.

[hober]

@jwrosewell wrote:

Alternatively[,] pause the use of [this] document until a W3C wide policy on all matters is available.

We're not going to stop important technical work to wait on a theoretical policy change that may or may not happen.

3. Redefine parties to reflect the policy or legal framework chosen.

When and if the W3C's policies change, all W3C documents should of course be updated where appropriate to reflect the new policy. We don't need open issues to track this until such policy changes actually happen, though.

---

Regarding the distinction between first and third party tracking captured in this document (and many others), I think @dbaron already addressed the user-centered reason for this distinction:

I think there is a substantial difference between first-party and third-party tracking because they differ substantially in:

• how much they differ from user expectations
• how visible they are to the user.

For example, if somebody goes to facebook.com, they probably expect that facebook.com knows something about their visit, what they click on on the page, etc. It's also relatively clear that facebook.com is what they're interacting with.

On the other hand, if they go to read a news article on reuters.com, they are much likely to have these expectations about what facebook does to track what they're doing. A user doing so does not naturally expect facebook to track what they're doing on reuters.com, nor is it clearly visible to the user that facebook is doing so.