RE: Service Provider Status (ISSUE-137)

I don’t feel the list should be part of the DNT spec as the spec covers sending a signal from a UA to a website about a user’s tracking preference. It shouldn’t be used to force privacy rules that are out of scope from what we are trying to accomplish.

In addition, I don’t see the need to force companies to create a machine-readable version of this list. It would be better to hammer these issues out in a working group focused on offline data usage.

JC

From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Wednesday, August 29, 2012 11:15 AM
To: JC Cannon
Cc: W3C DNT Working Group Mailing List
Subject: Re: Service Provider Status (ISSUE-137)

It seems we're very close - we agree there should be a list of backend service providers.  What I'd also ask is 1) the list is mandatory (for a complying website), and 2) the list exists in a machine-readable format.

Jonathan

On Wednesday, August 29, 2012 at 10:41 AM, JC Cannon wrote:

I don’t doubt the benefits to users, I just don’t think DNT is the right mechanism to provide users with a list of third parties a company works with who are not part of the online transaction. It would be better to put that in the privacy statement or terms-of-use where it will always be available to users when they need to see it.

JC

From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Wednesday, August 29, 2012 10:27 AM
To: JC Cannon
Cc: W3C DNT Working Group Mailing List
Subject: Re: Service Provider Status (ISSUE-137)

I don't follow why you think information about a backend service provider would be unusable.  The benefits to users, user agents, researchers, and policymakers remain.

If we give backend service providers a free pass on signaling, I fear we establish a perverse incentive to diminish transparency even further.

Jonathan

On Wednesday, August 29, 2012 at 10:01 AM, JC Cannon wrote:

I don’t have a problem with the first three items.

Item 4) appears to be out of scope for our work since the service provider is not involved in the session. I feel sending a list to the UA is to inform the UA of the status of a third-party site. Since the UA can’t see the site why send unusable information?

JC

From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Wednesday, August 29, 2012 9:53 AM
To: JC Cannon
Cc: W3C DNT Working Group Mailing List
Subject: Re: Service Provider Status (ISSUE-137)

Here are some concrete use cases with service provider ambiguity.

1) HTTP traffic goes to a website that looks like a third party, but is actually a service provider.

Example: News.com embeds content from Analytics.com.

Solution: A simple Service Provider flag (e.g. "Tk: S").

2) HTTP traffic goes to a website that looks like a first party, but is actually a service provider.

Example: Blog.com is hosted by BlogPlatform.com.

Solution: A simple Service Provider flag (e.g. "Tk: S") plus some sort of party identification (e.g. a "Tk-Party: blogplatform.com" response header or a "party" field in the status resource).

3) HTTP traffic goes to a website that is a service provider, but it's unclear which party it's working for.

Example: Analytics.com appears buried in a set of advertising iframes on News.com.

Solution: A Service Provider can signal the party it's working for (e.g. a "Tk-Service: news.com" response header or a "service-provider-party" field in the status resource).

4) A website uses a service provider on the backend.

Example: Shopping.com<http://Shopping.com> copies its user account data into a cloud-based CRM service.

Solution: A list of service providers in a party's tracking status resource.
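An added example, not part of this thread or of any W3C draft: a small Python classifier that applies the four signals proposed above (the "Tk: S" flag, "Tk-Party", "Tk-Service", and a service-provider list in the tracking status resource) to one response. The header names, the "S" value and the "service-providers" field name are assumptions taken from the proposal, and the sample inputs are constructed.

```python
import json
from typing import Optional

# Header names, the "S" flag and the status-resource field names are the
# proposals from the message above, not the final TPE vocabulary (assumption);
# "service-providers" is my name for the item 4 list, also an assumption.
SERVICE_PROVIDER_FLAG = "S"

def _tk_value(raw: str) -> str:
    # Keep only the status token: drop any ";status-id" suffix and whitespace.
    return raw.split(";", 1)[0].strip().upper()

def classify(headers: dict, status_resource: Optional[str] = None) -> dict:
    """Decide whether a responding host declares itself a service provider, which
    party operates it, whom it works for, and which backend providers the party
    lists, from the response headers plus the (JSON) tracking status resource."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    tsr = json.loads(status_resource) if status_resource else {}
    is_sp = _tk_value(h.get("tk", "")) == SERVICE_PROVIDER_FLAG
    acting_for = h.get("tk-service") or tsr.get("service-provider-party")
    return {
        "service_provider": is_sp,
        # Who actually operates the host (case 2, and the CNAME case).
        "party": h.get("tk-party") or tsr.get("party"),
        # Whom the provider acts for (case 3). None means nothing was declared
        # and the UA has to infer it from the embedding page, which is only
        # safe in the simple case 1.
        "acting_for": acting_for if is_sp else None,
        # Providers that never appear on the wire (case 4).
        "backend_providers": list(tsr.get("service-providers", [])),
    }

# Constructed samples for the four use cases in the message; the CRM host is a
# placeholder, since the message does not name one.
USE_CASES = {
    "analytics_on_news": ({"Tk": "S"}, None),
    "blog_on_platform": ({"Tk": "S", "Tk-Party": "blogplatform.com"}, None),
    "analytics_in_iframes": ({"Tk": "S", "Tk-Service": "news.com"}, None),
    "shopping_backend_crm": ({}, json.dumps(
        {"service-providers": ["crm-provider.example"]})),
}

def run_use_cases() -> dict:
    return {name: classify(headers, tsr) for name, (headers, tsr) in USE_CASES.items()}

if __name__ == "__main__":
    for name, result in run_use_cases().items():
        print(name, result)
```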

On Wednesday, August 29, 2012 at 9:38 AM, JC Cannon wrote:

Could you describe a scenario where the service provider is not on HTTP? How would it send a response in the first place? Are you talking about offline scenarios?

Thanks,

JC

From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Wednesday, August 29, 2012 9:36 AM
To: W3C DNT Working Group Mailing List
Subject: Re: Service Provider Status (ISSUE-137)

A related design decision: What about service providers that aren't visible via HTTP?  I don't think we have consensus on this yet.

On Wednesday, August 29, 2012 at 9:17 AM, Jonathan Mayer wrote:

Some possible status ambiguities for service providers.  All are solvable with trivial engineering.

-If a service provider is using its own domain:

         -Is the entity a first party, third party, or service provider?

         -Which party is it providing outsourcing services to?  (Might be multiple parties in different roles.)

-If a service provider is using a different party's domain (e.g. a CNAMEd analytics service):

         -Who is the service provider?

Received on Wednesday, 29 August 2012 18:28:50 UTC