Privacy/TPWG/Change Proposals on link shorteners and ID providers
This wiki page lists all text proposals for ISSUE-97 (Re-direction, shortened URLs, click analytics -- what kind of tracking is this?) and ISSUE-99 (How does DNT work with identity providers?).
Current proposals
Proposal 5: Silence
(via WileyS on 2014-07-23 call)
The document should not speak to this. WG should not focus time on this edge case.
Proposal 6: redirection or framed content
Consolidated text from Walter, Mike, Nick.
- Network interactions and subrequests related to a given user action may not constitute intentional interaction when, for example, the user is unaware or only transiently informed of redirection or framed content.
Old proposals
Proposal 3
By Walter van Holst
Add the following sentence after the first sentence of the first party definition:
Accessing a particular URI does not necessarily imply intent to interact with the URI-provider, especially when that URI-provider provides a transparent conduit to other parties' content, as would be the case for content delivery networks, link shorteners and similar service providers and third parties. In such cases the URI-provider is, from a user perspective, a non-obvious participant in the network interaction.
Similar proposal from Mike O'Neill:
With respect to a given user action, a first party is a party with which the user intends to interact, via one or more network interactions, as a result of making that action. Merely hovering over, muting, pausing, or closing a given piece of content, or being redirected via a party of which the user is unaware, does not constitute a user's intent to interact with another party.
Merged proposal:
Accessing a particular URI does not necessarily imply intent to interact with the URI-provider, especially when that URI-provider, from a user perspective, only provides a transiently noticeable conduit to other parties' content, as would be the case for content delivery networks, link shorteners and similar service providers and third parties. In such cases the URI-provider is, from a user perspective, a non-obvious participant in the network interaction.
Proposal 4: Example of link-shorteners and source/destination interactions
npdoty: Add the following non-normative example to the end of the definition of a first party to a given user action. (Could be in addition to or instead of any definitional changes.)
- When a user selects a link or submits a form to navigate between two pages, she may have first-party interactions with both the source and destination sites, which may be operated by different parties. Redirection (for example, a link shortener, accomplished via an HTTP redirect or a JavaScript location change) might be conducted by service providers to the source or destination site, or as a third party to the user's navigation.
Proposal 1
By Ian Fette
"If a site offers users the choice to log in with an identity provider, via means such as OpenID, OAuth, or other conceptually similar mechanisms, the identity provider is considered a first party for the current transactions and subsequent transactions for which the user remains authenticated to the site via the identity provider."
Proposal 2
By Rob van Eijk
Identity providers must not use user data beyond the purpose of identification and authentication unless this user data is needed for a legitimate business interest like, for example, fraudulent login attempts across multiple third-party sites.