Dan: what is the status of this work?

Peter: tied to first party sets

Dan: there was significant pushback from other parties, was discussed in the PrivacyCG. I think the tie in is it's using the same conceptual framework

Rossen: it builds on it. Are we assuming that first party sets are a thing?

Dan: our review of first party sets is closed - and we identified issues which were not resolved to my knowledge ... Mozilla thinks its harmful.

Rossen: the first party sets itself is problematic. It says we don't trust who is first and third party, we will tell you who is first party, we are going to group domains to say they are first party, trust us. Based on this proposal is extending it and we'll also tell you what third party cookies are on top of this first party sets. In the security and privacy, they are going to good detail to what the different proposals are.

Dan: I want to push back and say before you start building stuff on top of first party sets then asking the TAG to review it, get yoru story straight with first party sets and get consensus and multiple implementations behind first party sets. this is not a thing where some browsers can support it and some can't and that's okay, this is much more fundamental to how the web operates. If you don't have inteorperability it's not going to function and there's something to the notion it might be a harmful feature.

Rossen: No official MS position, I have my personal opinion that doesn't stand for MS.

Dan: where is this being worked on? In a private repo.

Dan: proposed comment ` Hi folks - this is an interesting proposal. We are just picking it up at our virtual f2f this week and discussing. I note that it builds on First Party Sets, which we previously reviewed and found issues with, which were not resolved. Furthermore there seems to be lack of multi-implementer support for First Party Sets based on e.g. the Mozilla feedback. Therefore it feels to me like it's premature to build things on top of First Party Sets?

`

[relationship to 1st party set is an issue]

[discussion on how this depends on privacy budget and how privacy budget is not a well defined concept at this point]

Tess: large ecommerce sites often have 100s of domains that they own.. Amazon.co.uk, amazon.mx, etc... All of their national TLDs are the same set. That might be reasonable but once you get into high numbers like that then the potential for abuse skyrockets. Ad-tech companies might abuse this.

Dan: what's the mitigation being discussed in the Privacy CG for this?

Tess: the mitigation linked to here is that the privacy budget would apply across all sites across the first party set. Another mitigation would be to limit the size to 10 or 20 domains. Once you get into high numbers then the harm of using it as a tracking vector overrides the benefit.

Rossen: where is the ... expanding and registering domains that are part of the set? Who registers the sets?

Tess: every party in the set needs to declare.

Rossen: legit subsidiary issues. Also enterprises with different companies. Does current 1st party set thinking consider these the same? Or is there a grey line? All of your TLDs around the world.

Tess: don't know if you draw that distinction

Hadley: this is companies saying "we understand the same origin policy but we're annoyed by it so we want to scrap it in certain circumstances".

Tess: there are multiple reasons why you might want to have these sets - different properties (all the same legal entity, vs looser...)

Tess: what's tricky here is that 1st party sets is agnostic. Doesn't say what they use it for. Same party cookies are the first example of an application of 1st party sets. Rossen identified at least 2 cases that are interesting. I think there are more. There could be a way to share a set of domains that share certain aspects - e.g. ethical principles...

Hadley: it reminds me of a proposal from the IAB (the advertising one)- they wanted to let brands designate places that could sell their stuff legitimately. They could use that to cut down on counterfeiting.

Rossen: what is the governance model for this? Do we have a def of that?

Tess: not sure if there is any kind of governance.

Ken: they are sending an intent to experiment.

Dan: you would end up with defacto browser allow lists of which 1st party sets are ok

Tess: and then you have the compatiility problem.. different browsers have different lists, it's a race to the bottom

Hadley: rife for conflicts of interest. Crosses out of user agents...

Rossen: the whole domain registry well-established governance model shifts completely.

Dan: this is a destabilizer.

Dan: doesn't this fundamentally harm web architecture?

Rossen: should we reopen first party sets? and continue the conversation there. It's no longer "too early".

Hadley: same people? no

Rossen: some similar folks, and much livilier discussion

Hadley: 342 has discussion around governance but doesn't really conclude

Dan: left a comment redirecting back to the first party sets issue.

Hadley: will leave a comment on that issue.

Rossen: discussion was moved into first party sets right?

Marked this as blocked on dependency (waiting on #342 First-Party Sets).

Dan: noted we feel it's blocked behind FPS. Feel like we need another session with Kaustubha where we talk about this, FPS and CHIPS. Next week?

Dan: stil blocked on first party sets...

Amy: last update is that this is blocked on FPS

Dan: still blocked on FPS discussion

Dan: still blocked on FPS.