Sanbox As we (Mozilla) mentioned in the Privacy CG meeting on 2020-08-27, in our view it's not the role of the W3C to "require sites to unify on a single parent domain"; whether that makes sense for any particular organization is not a technical decision but a business decision.
#201
Closed
Creatorm399 opened this issue
Jan 10, 2024
· 0 comments
As we (Mozilla) mentioned in the Privacy CG meeting on 2020-08-27, in our view it's not the role of the W3C to "require sites to unify on a single parent domain"; whether that makes sense for any particular organization is not a technical decision but a business decision.
With that said, Internet users have been trained for the past 25+ years to use a registrable domain (i.e., eTLD+1) or a narrower selector (e.g., origin) as the basis for making decisions about who the first party is. We think that broadening the definition of first party now will violate the principle of least user astonishment, with potentially serious implications for user privacy and security.
Although it's true that large consumer-oriented corporations sometimes have multiple brands (and it makes sense for each of those brands to be hosted on its own domain), the point at issue is what is clear to the consumers of those brands.
A few examples:
- a subscriber to Architectural Digest might not expect that a casual reading of an article at GQ or Wired might result in sharing data across those sites (all owned by Condé Nast)
- a person who views a YouTube video might not expect that activity to be linked to their Gmail identity or their Google Searches (all owned by Google)
- a person who posts to IMDb might not expect those posts to be linked to their purchases at Whole Foods or Zappos (all owned by Amazon)
As discussed on the call, there are many wrinkles here, including:
- joint ownership (e.g., what if the corporation controlling a domain is 50/50 owned by two different organizations? what about minority owners in a joint venture? etc.)
- changes of ownership (e.g., large consumer-oriented corporations often divest themselves of brands and it's unrealistic to expect people to track such ownership changes; also what happens to data that was shared under the previous ownership?)
- trademarks and established brands in particular countries (e.g., Mr. Clean products are called Flash in the UK and Ireland because another company called Mr. Clean exists there)
These and other issues could be sources of significant confusion to users and even to the organizations involved. Our view is that it's best not to open this large can of worms.
Originally posted by @stpeter in #19 (comment)