First Party Sets

From Bitnami MediaWiki
Revision as of 18:57, 24 June 2021 by Jkoran (talk | contribs) (→‎Regulator Perspectives)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Overview

Google's First Party Sets proposal enables different sites (or origins) controlled by the same organization to declare themselves to people as being allowed to share personal data.[1]

Google's proposal allows two exceptions to their general rule to block cross-origin data transfers, when the receiving origin is:

  1. Registered under the same top-level domain (e.g., news.yahoo.com and sports.yahoo.com) as owns the sending origin.
  2. Owned by the same organization (e.g., google.com and youbtube.com) as owns the sending origin.

Google defines "control" solely as 51% ownership of each domain by the same parent organization.

Impact

By relying on organizational ownership as the sole mechanism of trust, this advantages vertically-integrated organizations over those that rely on supply-chain partners. (See below W3C's critique due to this impact.) This runs counter to the general goal on the web of supporting decentralization.

Moreover, in contrast, privacy regulations support other mechanisms to support appropriate control and safeguard of people's personal data, such as by contract (including Standard Contractual Clauses). Instead of incentivizing centralized ownership of domains, privacy regulations focus on reducing the privacy risks to people via relying on pseudonymous identifiers, rather than people's identity, whenever possible.[2]

Status

First-Party Sets began Origin Trial in M89.[3][4]

Regulator Perspectives

The UK CMA noted (5.32-33, 6.62) that should Google impair publishers' ability to work with supply chain vendors of their choice through interference with interoperable data, then Google's own extensive data collection would give Google a "significant data advantage over others." The CMA noted that without addressing this data advantage, then "Privacy Sandbox Proposals (notably "First Party Sets" would "distort competition in digital advertising markets."[5]

The UK ICO and CMA published (82) a joint statement that also criticizes self-serving definitions of privacy that hinge on corporate ownership:

It is important to note, therefore, that neither competition nor data protection regulation allows for a 'rule of thumb' approach, where intra-group transfers of personal data are permitted while extra-group transfers are not. Under both data protection law and competition law, a careful case-by-case assessment is needed, regardless of the size of a company, the business model adopted, or the nature of any processing activity.”[6]

Perspectives of Trade Body and Advocacy Groups

In April 2021, The W3C Technical Architecture Group (TAG) criticized First Party Sets as "harmful to the web."[7] The TAG recognized that Google's proposal benefit "only powerful, large entities"[8] rather than actually improve “transparency, choice and control over how their data is used.”[9]

Mozilla has also criticized Google's distinction that corporate ownership ought to be an acceptable "privacy" boundary.[10]

Open Questions

  • How much awareness among the general public is required for different domains to be allowed to share personal data?
  • Must users be made aware of the ownership linkages prior to any personal data sharing?
  • How much control should people have to keep their identity distinct from the various sites within such a "first party set"?
  • How should cross-publisher data sharing permissions be granted, administered and audited?
  • Which risks to people will these changes reduce or eliminate?

References