Re: Service Provider Status (ISSUE-137)

On Aug 29, 2012, at 12:53 PM, Jonathan Mayer wrote:

> Here are some concrete use cases with service provider ambiguity.

What is the privacy concern?

> 1) HTTP traffic goes to a website that looks like a third party, but is actually a service provider.
> Example: News.com embeds content from Analytics.com.
> Solution: A simple Service Provider flag (e.g. "Tk: S").

What does that solve?

> 2) HTTP traffic goes to a website that looks like a first party, but is actually a service provider.
> Example: Blog.com is hosted by BlogPlatform.com.
> Solution: A simple Service Provider flag (e.g. "Tk: S") plus some sort of party identification (e.g. a "Tk-Party: blogplatform.com" response header or a "party" field in the status resource).

Now you are claiming the site operator is the party, as opposed to
the site that the user wanted to access.  Your definitions of party
and first-party are not consistent with user expectations.

> 3) HTTP traffic goes to a website that is a service provider, but it's unclear which party it's working for.
> Example: Analytics.com appears buried in a set of advertising iframes on News.com.
> Solution: A Service Provider can signal the party it's working for (e.g. a "Tk-Service: news.com" response header or a "service-provider-party" field in the status resource).

Already solved in the TPE by requiring the policy link be provided
by service providers when the domain is not owned by the first party.

> 4) A website uses a service provider on the backend.
> Example: Shopping.com copies its user account data into a cloud-based CRM service.
> Solution: A list of service providers in a party's tracking status resource.

Again, that clearly demonstrates that your definition of first party
is simply wrong --- you are using it to discover information about
corporate structure and contractual agreements regarding website
operations even though everyone involved in that process is
operating within the user's expectations of providing the service
the user asked for and limiting data control to the owner of that
service.  The obligation should be on the first party to retain
control over the data collected.

....Roy

Received on Thursday, 30 August 2012 19:24:17 UTC