May 26, 2022
First, let me just mention that if you're not sure what a domain is, I have a post that defines domains which might help. Domains are important with online data privacy because they give an indicator of the parties involved with a web page. We don't tend to use the term 'domain', though, but rather talk about 'first-party' vs 'third-party'. Just to level set, when the term first-party is used, what it means is that the domain you're talking about is the domain that you see in the location bar of your browser. Third-parties, on the other hand, mean the domains involved do not match the domain in the location bar.
The image above shows www.Disney.com in the location bar, so anything that's served in the page from Disney.com would be considered a first-party resource. Anything coming from any other domains would be considered third-parties. From a privacy perspective, the assumption is that a user going to www.Disney.com understands that they're interacting with Disney - but isn't necessarily aware of any other third-parties on the page. That's undoubtedly true, since not many people are going to be watching the network requests in their browser's developer tools when the page loads up to see the other domains (although they might be using a privacy tool like Ghostery [1] and therefore have some idea). The fact is that the majority of sites (like 94%) include third-parties on their web pages - and when they do include third-parties, they're not just including a few. The majority of sites are including 50 to 100 different third-party domains on their sites. (These numbers are coming from the HTTP Archive's State of the Web report for 2021, btw.)
These numbers can be alarming, and since it's possible for these third-parties to be collecting data about users visiting the page, there are obvious privacy concerns here. Before we all put our tin-foil hats on, though, it is important to remember that not all third-parties are malignant entities that are trying to track users for nefarious purposes. The page in question might just be sharing content from another site - or offering users tools to easily share the content in their own social media accounts. It could be for analytics tools to make the site better, or personalization tools to tailor the experience to the user. It could also be that the organization that owns the website owns other domains too - and this is what I really wanted to talk about here.
Going back to that Disney example, I would argue that most adults are aware that Disney is a very large company that owns multiple businesses. For example, if you ask people who owns Disney+, it's a pretty good bet they'll say Disney. That probably holds true for less obvious examples like Pixar, Marvel, or ABC. If you went up to most kids and said "Sesame Street is brought to you by...", a good portion could probably say "PBS and viewers like you" or maybe even "the Children's Television Workshop". Granted, you're just as likely to be told "the letter e and the number 6". The point is we do start learning about brands earlier than we might think.
Why does this matter? Because I think in some cases, people would recognize that when they're visiting the domains disney.com, disneyplus.com or shopdisney.com, they're all owned by Disney and would expect that Disney as an organization could see their activity on all three sites. I'd say the same is true for sesamestreet.org, pbskids.org, and pbs.org (for most adults, at least). It matters because when we talk about data privacy online, the privacy boundary used is between different domains because that's what's easy for user-agents (i.e., browsers) to differentiate.
What that means is that when a browser makes a privacy tool that asks a user for permission for a third-party to do something, that permission prompt will pop up every time - even when it's shopdisney.com providing the functionality for a user to buy something on disney.com. I think that's annoying and bad for privacy in the long run. The reason is it reminds me of the cookie consent notices, which I think are pretty ineffective and annoying. I sincerely doubt many people are reading those consent notices to make informed decisions about what cookies should be set for a particular web site. Instead I think people just either deny all or allow all when they just want to get the notice out of their way. Instead of improving privacy, I think it just became an annoyance that people mostly try to ignore.
Having said all of this, I don't think the answer is to do nothing either. I just think we need more sophisticated tools that allow users to control how they want to define privacy boundaries. Something that likely defaults to being between every domain, but lets users say, "I know disney.com and disneyplus.com are the same organization, so go ahead and treat them the same (and stop warning/prompting me about them)". Google has a proposal in their Privacy Sandbox called First-Party Sets that is trying to address this issue. What it does is allow organizations to declare which domains they own, and then those domains can be treated as a first-party to one another. Overall, I think it's a good first step, but there are outstanding questions that need to be addressed with it. For instance, who makes sure these domain lists are accurate? How many domains should be allowed on a list? I also would prefer it if users could set their own preferences to either always ignore first-party sets, or to say "I'm OK with disney.com and disneyplus.com being first-parties to one another, but I want pixar.com treated as a third-party domain". I'd also like the organization that publishes a website to have that same level of control too.
When I voice this in privacy discussions at the W3C, the argument against it is that browsers have built configuration tools for users to customize things before, and few users actually use them. To provide the functionality takes work, and if no one is going to use it, it's wasted effort. It's a valid point, but at the end of the day, I still think privacy is personal and to satisfy users, you need to let them customize privacy tools to meet their expectations. That's just my 0.02, but it'll be interesting to see how this develops.
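The boundary model discussed above (per-domain by default, an organization-declared set, and a user override on top) can be sketched in a few lines. This is an added example, not code from the post, from any browser, or from the Privacy Sandbox proposal; the set contents, the preference object, the request URLs and all function names are assumptions made up for illustration.

```javascript
// Added illustration; not browser or Privacy Sandbox code.
// Assumption: a "site" is the last two labels of the host name. Browsers use
// the Public Suffix List instead, so this shortcut is wrong for e.g. co.uk.
function site(urlOrHost) {
  const host = urlOrHost.includes("://") ? new URL(urlOrHost).hostname : urlOrHost;
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Hypothetical organization-declared set, constructed from the post's examples.
const declaredSets = [["disney.com", "disneyplus.com", "shopdisney.com", "pixar.com"]];

// Hypothetical user preferences: the two controls the post asks for.
const userPrefs = { ignoreAllSets: false, excluded: new Set(["pixar.com"]) };

function classify(pageUrl, resourceUrl, sets = declaredSets, prefs = userPrefs) {
  const top = site(pageUrl);
  const res = site(resourceUrl);
  if (top === res) return "first-party"; // default boundary: same domain
  if (prefs.ignoreAllSets) return "third-party"; // user opted out of all sets
  if (prefs.excluded.has(top) || prefs.excluded.has(res)) return "third-party";
  const sameSet = sets.some((s) => s.includes(top) && s.includes(res));
  return sameSet ? "first-party (declared set)" : "third-party";
}

// Group the sites behind a page load by how the boundary treats them.
function partiesOnPage(pageUrl, requestUrls, sets = declaredSets, prefs = userPrefs) {
  const groups = {};
  for (const url of requestUrls) {
    const label = classify(pageUrl, url, sets, prefs);
    if (!groups[label]) groups[label] = new Set();
    groups[label].add(site(url));
  }
  const out = {};
  for (const label of Object.keys(groups)) out[label] = [...groups[label]].sort();
  return out;
}

// Constructed sample requests for a visit to www.disney.com.
const sampleRequests = [
  "https://static.disney.com/app.js",
  "https://cdn.shopdisney.com/cart.js",
  "https://www.pixar.com/embed/trailer",
  "https://metrics.example.net/pixel.gif",
];
console.log(partiesOnPage("https://www.disney.com/", sampleRequests));
```

With the sample preferences, shopdisney.com is folded into the first-party boundary while pixar.com stays third-party even though the organization listed it, which is the per-user control the post argues for.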
Thanks for reading!
[1] Just for full disclosure, I was one of the first people who worked at Ghostery back when it was called Better Advertising. That was moons ago, so it doesn't really have much bearing, other than I still appreciate the tool.