Full Title or Meme
Nearly all sites track users at some level. There is generally some level at which users object which is dependent on the site's behavior.
- This wiki page deals exclusively with the User Experience (UX) of a web browser chosen by the user to navigate the web.
- Some comments and terminology my need to be framed in terms of the behavior of the web site in that User Experience in order to understand the entirety of the problem.
- REST, or representative State
Just to be sure we are all talking about the same thing for at least the durations of this wiki page. The designation for first party (1P) is very web centric, but seems common, so let's stick with it.
- First Party (1P) - the web site the user navigated to.
- Second Party (2P) - actions by a native app on the user's device.
- Third Party (3P) - some other web site brought onto the UX by the 1P.
Web sites have not been able to distinguish between ad tracking and authentication tracking. The following images shows the impact of the Apple (webkit) Tracking Prevention Policy
This does not effect sites that use redirection to allow OpenID Connect for first party web site authentication. But when related sites attempt to use cross site authentication they will be blocked.
First try to understand what the user knows, what the browser knows and what the site knows as a result of cookies or of back-end account store.
- Nothing about the site but its name and perhaps a recommendation by the link that send the user there.
- User forms an opinion about whether the site is interesting. - Site puts a cookie on the user's computer to remember if the user comes back and what the user saw last time.
- If the user never goes back the cookie times out and is deleted. Timing here is interesting - lets say it is 30 days. For some reason the exact time the user was there seems to be called PII?
- User goes back while cooke still valid. The site know that the user is interested and may be willing to continue to offer paywall content for (say) 3 times in 30 days. Then they dmand money. ( The user is "KNOWN".)
- For one reason or another the user decides to create an account an sign into the web site. Now thinks get interesting. If Notification is triggered the user needs to supply a call-back method. ("The user is "SIGNEDIN".)
- After some time the use is signed out for inactivity. (The user is "ACCOUNT" at site the user name and password may be retained by the browser.)
- The user goes to the web site again and the site can perform several actions. A request to sign into the site can be intercepted by the browser and auto signing. ("The user is "SIGNEDIN".)
- The user is asked for demographics besides the call-back. The is now a PII CONTROLLER and assumes lots of responsibility. (The user state in the web site changes to "PII PRINCIPAL", browser doesn't understand.)
- The user asked to have the account closed. - unknown impact.
Need to understand when OIDC cares about being 1p versus 3p and what causes that and how the browser is to know difference between tracking for authN and just ads.