Enforcement of organizational structure within FPS #18

Closed
pbannist opened this issue Aug 24, 2020 · 1 comment

@pbannist

Breaking out to a separate issue the chain being discussed here: privacycg/proposals#17 (comment). This is with respect to @krgovind's comment that "Geico and Dairy Queen would actually not be a valid set given our current thinking around the FPS policy. Berkshire Hathaway is a holding company, with Geico and DQ being subsidiaries."

Berkshire Hathaway happens to be a relatively transparent, public company based in the US that publishes much of its subsidiary information. How will browsers arbitrate what corporate/organizational structures are allowable vs. not? I used Factset, a company that monitors corporate structures, to look into the corporate structure of a number of large multi-national firms.

Alphabet, the parent holding company of Google, has five core subsidiaries. One of those, Google LLC, is the primary subsidiary, and it has many subsidiaries of its own. For example, YouTube is a separate subsidiary of Google LLC, as are Google Germany, Google Spain, Nest Labs, and on and on - Google LLC has hundreds of subsidiaries. Per the comment on the other thread, does this mean that First Party Sets would not apply to youtube.com / google.de / google.es / nest.com (and many other examples)?

Another example is Disney (The Walt Disney Co), which has totally separate subsidiaries for ABC, Pixar, Lucasfilm, Disney Animation, ESPN, Fox Sports, and many, many others. Again, since these are separate subsidiaries, does this mean that their domains cannot be covered by First Party Sets?

Most of the other large firms I looked at have similar corporate structures, containing dozens of separate subsidiaries. Based on this, and the comment that subsidiaries of a larger company would not make a valid set, it would seem that the current thinking around FPS composition isn't adequate.

Also, by making "same organization" a requirement of First Party Sets, it would seem that the browsers are volunteering to become experts in corporate and organizational ownership laws and practices, globally, and enforcing these standards across millions (hundreds of millions?) of organizational entities of many, many different kinds. And what data source will be used? What about private companies for which this information isn't available? And the veracity of data from sources like FactSet, Dun and Bradstreet, and others, is generally quite good, but there is no independent verification of their approaches.

I don't believe that browsers can enforce organizational ownership as a component of FPS and believe that this component of the proposal should be removed.

dmarti added a commit to dmarti/first-party-sets that referenced this issue Aug 23, 2021
 * Remove reference to Do Not Track

 * Add a source and definition of "controller"

 * Remove language on ownership, replace with more consistent mentions of "controller"

 * Mention that common branding should apply to users of assistive technologies

Ownership verification is complex, does not add enforceable protections for users beyond the common controller requirement, and is likely to create costs and risks for some sites that would make it hard to use this feature.

Refs: WICG#14 WICG#18 WICG#20 WICG#49 WICG#55
@johannhof
Member

This issue is outdated relative to the current FPS proposal and while common ownership still plays some role in the current proposal I think the context changed enough to render this issue largely non-actionable. I'll close this for now, feel free to re-open if you think that this is still relevant.
