Desirable elements of "UA Policy" #20

Closed
krgovind opened this issue Aug 25, 2020 · 5 comments

@krgovind
Collaborator

UA Policy is a key aspect of First-Party Sets that should define what constitutes an acceptable set.

One key principle that has been proposed in the privacy models of various browsers is the notion of being owned and operated by the same organization.

What are other key elements that are desirable to capture in the UA Policy?

What properties of user understanding (as enshrined in the page URL) can the policy cover?

@dmarti

dmarti commented Sep 1, 2020

One way to cover legit cases of "same organization, different domains" would be to borrow a design idea from IAB TCF and include a URL for a common privacy policy that applies to all domains in the set. (The TCF vendor list includes a policyUrl member for every defined vendor.)

That way, for example, yimg.com and yahoo.com would already be able to be part of the same set, because they are administered by the same owner under the same policy. Other organizations that wanted the benefit of first party status would need to make a publicly checkable commitment.

@krgovind krgovind added agenda+ and removed agenda+ labels Sep 9, 2020
@krgovind
Collaborator Author

As raised on a CG call: the DNT specification may also serve as good precedent here: https://www.w3.org/TR/tracking-compliance/#party

@pbannist

While it's useful that other work has been done on defining "party" more clearly, I don't think the definition in the tracking compliance document is very helpful. When we move into the very fuzzy world of corporate ownership, I believe that the words in that definition are insufficient.

A simple example is the status of companies in China. A huge number of companies in China are fully or partly owned by the government. By the definition in the DNT specification, that could easily make all of those companies the same party as each other, when I imagine that isn't what most people would view as a desirable outcome.

I'm sure there are many, many other issues that can be identified here, not least the issue of even knowing what companies own which other companies - that fact alone is often not public.

@jwrosewell

ICANN are responsible for the subjects of this proposal. Have ICANN been involved in the debate and their opinion sought on solutions? Anything that does not involve ICANN seems like a "hack".

dmarti added a commit to dmarti/first-party-sets that referenced this issue Aug 23, 2021
 * Remove reference to Do Not Track

 * Add a source and definition of "controller"

 * Remove language on ownership, replace with more consistent mentions of "controller"

 * Mention that common branding should apply to users of assistive technologies

Ownership verification is complex, does not add enforceable protections for users beyond the common controller requirement, and is likely to create costs and risks for some sites that would make it hard to use this feature.

Refs: WICG#14 WICG#18 WICG#20 WICG#49 WICG#55
@johannhof
Member

I think this issue has been superseded by various other policy discussions, so I'll close it.
