Setup a session to debate definitions of parties across W3C considering their relationship with one another, trust, choice, scale and varying conditions

[jwrosewell]

The current definitions of first party and third parties and people’s trust relationship to them are too simplistic. In reality people’s trust choices change based on circumstances and conditions. Competition between difference parties is also a consideration.

This tussle is at the heart of many issues many people have raised in relation to proposals, and debates held within this group. The W3C needs a clear policy in relation to these issues.

This session would invite policy experts to provide their input on these issues to better inform the conversation. Outputs beyond the minutes might include a recommendation concerning how to define and apply clear definitions.

This is a mirror of the issue raised under First Party Sets, a pull request to amend the security and privacy questionnaire, and issues (bias, behaviour, and supply chains) related to the security and privacy questionnaire which have been closed without discussion.

[kdeqc]

I would like to see a session like this as well. I agree that first-party vs third-party is too simplistic, although I understand it's currently the easiest thing to focus on from a technical feasibility point-of-view. I think sticking with first vs third would be doing a disservice to users, though, and a mistake for how the web should evolve.

One of the privacy arguments about first vs third is that users only understand that they're interacting with the first-party domain, which I don't fully agree with. Even if that was completely true, though, I would argue that the reason users don't understand is because we don't provide them with easy tools to understand the relationships. I think what we should be building are those informational tools, which is one of the reasons I like the first-party sets proposal.

I would like to see a system where the relationships between domains could be defined by the publisher of the website - and I wouldn't limit that to the publisher just being able to associate other domains they might own. I'd like something where a publisher could say here are other domains that:

• are owned by my company
• are partner domains that I work with to form a consortium/network
• are domains I link to for content
• are domains I link to for social content
• are vendor domains I use to provide X service, where I have full control
• are vendor domains I use, but where I don't have full control

Depending on the relationship, different levels of privacy could then be required. I think this could be used to give users more information, but also a way for publishers to convey how much they trust they would place with partners and vendors.

I think all of this is important not just in terms of data privacy, but because the web was originally developed with a sort of "buyer beware" level of accuracy and trust, where the onus is on users to determine what to believe in. Developing a system where publishers could convey how much trust they have could be a useful signal in how to start addressing those types of problems as well.

[joshuakoran]

I also think this would be useful discussion.

I do not feel the current terms in this thread adequately express what we are after -- namely, improving visibility and choice to people about their privacy -- which (as many privacy regulations emphasize) encompasses distinguishing whether directly-identifiable identity is associated with the digital ID (or not) as well as the right to be forgotten.

I agree with Kris and others that most people are likely not as interested in corporate ownership, but instead ensuring they have an audit trail to detect, deter and hold bad actors accountable for any harm they cause.

Keeping the end user in mind, I hope we ensure that we make the open web simple for people to navigate, rather than having to complete multi-level forms, read scores of legalese or answer a multitude of questions to gain access to each web property.

[jwrosewell]

Thank you for comments of support - I've added this to the proposed sessions for TPAC.

I'd like to leave this issue open to assemble comments before the session and invite interested people to come forward to explain some of the challenges in the current definitions.

[piwanczak]

Personally, I too would be interested in such a discussion.

[hober]

I've written up my thoughts on this question in preparation for this session.

[jwrosewell]

Thank you @hober for considering this issue and writing up thoughts in this post and to the PING group.

https://lists.w3.org/Archives/Public/public-privacy/2020OctDec/0005.html

[joshuakoran]

Thank you @hober for writing up the definitions so clearly.

“The terms "first party", "second party", and "third party" arose centuries ago in contract law, and are used in modern privacy laws & regulations like Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).”

• I know you asked this be taken with a grain of salt, but I did want to clarify that GDPR does not use the terms “second party” or “first party,” but instead focuses more accurately on “data controller” [the entity controlling data collection and processing].

“Privacy boundaries are typically defined in terms of sites, which is unfortunate, because the concept of site depends on the Public Suffix List, and the Public Suffix List is known to have a number of problems. But we’re probably stuck with this—for legacy reasons, “

• Thank you for calling out that historical browser defitions of "sites" does not map to modern privacy regulations regarding data collection and processing, which understand that many organizations and sites must rely on a supply-chain of partners, which help fund and support their operations. I would hope that the W3C members review the recent UK Competition and Markets Authority and US Congressional reports on how competition requires interoperability provided by these supply chains. Focusing on defining origins (domain variants) does not seem aligned to regulators desire to restore competition to digital markets.

Thus while we can agree first/third parties are no longer very helpful distinctoins for the conversation, we need to ensure we are addressing END USER privacy concerns which have far more to do with whether a data controller is harming them rather than whether the bad actor is a website OR is a vendor to the digital marketplace that helps publishers operate their business.