1 of 9

First-Party Sets Policy Proposal

W3C Privacy Community Group

August 12, 2021

Hello everyone. Thank you for attending today’s ad-hoc discussion on our proposal for First-Party Sets policy. My name is Kaustubha Govind, I am a Software Engineering Manager on the Chrome Privacy Sandbox team. Joining me in presenting this proposal is Jeff Lazarus, a Policy Advisor on our Trust & Safety team.

I will start by sharing some context for the First-Party Sets Proposal. This should take about 10-15mins, after which I will pause for questions. Then, Jeff will follow by sharing our proposal for the policy that decides where a given First-Party Sets declaration would be treated as valid or invalid. We will then spend the rest of the time in this meeting on questions and feedback. Our hope is to achieve a standard policy that is accepted across all browsers in the spirit of interoperability, and consistent with the privacy principles that we all aspire to for the web.

2 of 9

Anti-tracking policies for the web

DNT specification (W3C)

“A party is a natural person, a legal entity, or a set of legal entities that share common owner(s), common controller(s), and a group identity that is easily discoverable by a user.”

Chrome Privacy Model

The central privacy threat is joining these per-site identities across distinct first parties. Browsers impose limits (on cookies, fingerprinting, and other state) with the goal of preventing the joinability of these per-1p identities.

Mozilla Anti-Tracking Policy

"A first party is a resource or a set of resources on the web operated by the same organization, which is both easily discoverable by the user and with which the user intends to interact."

WebKit Tracking Prevention Policy

"A first party is a website that a user is intentionally and knowingly visiting, as displayed by the URL field of the browser, and the set of resources on the web operated by the same organization."

Edge Tracking Protection Preview

"Not all organizations do business on the internet using just one domain name. In order to help keep sites working smoothly, we group domains owned and operated by the same organization together."

3 of 9

How browsers currently define “third-party”

4 of 9

Why “site” or “registrable domain” isn’t sufficient

Website functionality is often deployed across multiple domains, including:

Single sign-on

bbc.com and bbc.co.uk; sony.com and playstation.com

Embedded content such as documents, and videos

sharepoint.com and live.com

Improved security via isolation/separation of content

Untrusted uploaded content on googleusercontent.com
gov.uk subdomains treated as separate sites due to addition of gov.uk to the Public Suffix List

Analytics/measurement of user journeys to improve quality of services

⇨ User journeys/workflows exist across domains that users perceive as the same website or “first-party”

Sign-in across owned & operated properties

bbc.com and bbc.co.uk
sony.com and playstation.com

Support for embedded content from across owned & operated properties (e.g. videos/documents/resources restricted to the user signed in on the top-level site). One example is Microsoft Sharepoint, which embeds access-controlled documents and spreadsheets hosted on excelapps.office.live.com.
Separation of user-uploaded content from other site content for security reasons, while allowing the sandboxed domain access to authentication (and other) cookies. For example, Google sequesters such content on googleusercontent.com, GitHub on githubusercontent.com, CodePen on cdpn.io. Hosting untrusted, compromised content on the same domain where a user is authenticated may result in attackers’ potentially capturing authentication cookies, or login credentials (in case of password managers that scope credentials to domains); and cause harm to users.

Alternative solution: Sandboxed domains can also consider using partitioned cookies.
Shared services, such as consent management across domains with a common eTLD suffix; such as gov.uk. Repeatedly asking for cookie consent on individual gov.uk sites may be confusing to users, erode trust in the website’s functioning, and cause fatigue; because users think of all subdomains as being part of one gov.uk website.

Analytics/measurement of user journeys across O&O properties to improve quality of services.

5 of 9

Why First-Party Sets?

Draw a “box” or “boundary” around the collection of domains declared in a first-party set; and restrict information flow across that boundary to prevent cross-website tracking.

Blue and Green sites are in the same First-Party Set

Blue site is third-party to Purple site

6 of 9

How could browsers use First-Party Sets?

SameParty cookies
Partitioned/double-keyed third-party cookies
Bounce/Redirect Tracking Interventions
WebID Directed Identifiers are keyed by First-Party Set
Privacy Budget applied across an entire First-Party Set
Others?

7 of 9

Why are we talking about a policy?

Compliance with privacy model for the web
Consistency across browsers
Prevent abuse

8 of 9

FPS Policy Proposal

We propose a three-pronged policy:

Domains must have a common owner, and common controller
Domains must share a common group identity that is easily discoverable by users
Domains must share a common privacy policy that is surfaced to the user via UI treatment (e.g. on the website footer).

9 of 9

Why we need a policy enforcement component for FPS

An independent enforcement entity (aka verification entity) would serve multiple functions:

Maintains publicly-viewable declaration system for First Party Sets
Verifies that the requester of the set formation has control over the domains
Performs random "spot checks" for conformance based on publicly available information
Performs technical check to ensure Privacy Policy is the same across all sites in the same set
Performs technical check to ensure all First Party Sets are mutually exclusive
Conducts manual reviews/investigations of First Party Sets that have been flagged by civil society/research community