Re: Service Provider Status (ISSUE-137) from Jonathan Mayer on 2012-08-29 (public-tracking@w3.org from August 2012)

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Wed, 29 Aug 2012 09:53:27 -0700
To: JC Cannon <jccannon@microsoft.com>
Cc: W3C DNT Working Group Mailing List <public-tracking@w3.org>
Message-ID: <EF8BE28A6CDC4947A19DE472D81B9C2D@gmail.com>

Here are some concrete use cases with service provider ambiguity.

1) HTTP traffic goes to a website that looks like a third party, but is actually a service provider.
Example: News.com (http://News.com) embeds content from Analytics.com (http://Analytics.com).
Solution: A simple Service Provider flag (e.g. "Tk: S").

2) HTTP traffic goes to a website that looks like a first party, but is actually a service provider.
Example: Blog.com (http://Blog.com) is hosted by BlogPlatform.com (http://BlogPlatform.com).
Solution: A simple Service Provider flag (e.g. "Tk: S") plus some sort of party identification (e.g. a "Tk-Party: blogplatform.com" response header or a "party" field in the status resource).

3) HTTP traffic goes to a website that is a service provider, but it's unclear which party it's working for.
Example: Analytics.com (http://Analytics.com) appears buried in a set of advertising iframes on News.com (http://News.com).
Solution: A Service Provider can signal the party it's working for (e.g. a "Tk-Service: news.com (http://news.com)" response header or a "service-provider-party" field in the status resource).

4) A website uses a service provider on the backend.
Example: Shopping.com (http://Shopping.com) copies its user account data into a cloud-based CRM service.
Solution: A list of service providers in a party's tracking status resource.

On Wednesday, August 29, 2012 at 9:38 AM, JC Cannon wrote:

> Could you describe a scenario where the service provider is not on HTTP? How would it send a response I the first place? Are you talking about offline scenarios?
>  
> Thanks,
> JC
>  
> From: Jonathan Mayer [mailto:jmayer@stanford.edu] 
> Sent: Wednesday, August 29, 2012 9:36 AM
> To: W3C DNT Working Group Mailing List
> Subject: Re: Service Provider Status (ISSUE-137) 
>  
> A related design decision: What about service providers that aren't at visible via HTTP?  I don't think we have consensus on this yet.
> 
>  
> 
> On Wednesday, August 29, 2012 at 9:17 AM, Jonathan Mayer wrote:
> 
> > Some possible status ambiguities for service providers.  All are solvable with trivial engineering. 
> > 
> >  
> > 
> > -If a service provider is using its own domain:
> > 
> >          -Is the entity a first party, third party, or service provider?
> > 
> >          -Which party is it providing outsourcing services to?  (Might be multiple parties in different roles.)
> > 
> > -If a service provider is using a different party's domain (e.g. a CNAMEd analytics service):
> > 
> >          -Who is the service provider?
> > 
> >  
> > 
> > 
> > 
> 
>  
> 
> 
> 
>

Received on Wednesday, 29 August 2012 16:53:55 UTC