Privacy/TPWG/Change Proposals on link shorteners and ID providers

From W3C Wiki

This wiki page lists all text proposals for ISSUE-97 (Re-direction, shortened URLs, click analytics -- what kind of tracking is this?) and ISSUE-99 (How does DNT work with identity providers?).

Current proposals

Proposal 5: Silence

(via WileyS on 2014-07-23 call)

The document should not speak to this. WG should not focus time on this edge case.

Proposal 6: redirection or framed content

Consolidated text from Walter, Mike, Nick.

Network interactions and subrequests related to a given user action may not constitute intentional interaction when, for example, the user is unaware or only transiently informed of redirection or framed content.

Old proposals

Proposal 3

By Walter van Holst

Add the following sentence after the first sentence of the first party definition:

Accessing a particular URI does not necessarily imply intent to interact with the URI-provider, especially when that URI-provider provides a transparent conduit or to other parties' content, as would be the case for content delivery networks, link shorteners and similar service providers and third parties. In such cases the URI-provider is, from a user perspective, a non-obvious participant in the network interaction.

Similar proposal from Mike O'Neill:

With respect to a given user action, a first party is a party with which the user intends to interact, via one or more network interactions, as a result of making that action. Merely hovering over, muting, pausing, or closing a given piece of content, or being redirected via a party of which the user is unaware, does not constitute a user's intent to interact with another party.

Merged proposal:

Accessing a particular URI does not necessarily imply intent to interact with the URI-provider, especially when that URI-provider, from a user perspective, only provides a transiently noticeable conduit to other parties' content, as would be the case for content delivery networks, link shorteners and similar service providers and third parties. In such cases the URI-provider is, from a user perspective, a non-obvious participant in the network interaction.

Proposal 4: Example of link-shorteners and source/destination interactions

npdoty: Add the following non-normative example to the end of the definition of a first party to a given user action. (Could be in addition to or instead of any definitional changes.)

When a user selects a link or submits a form to navigate between two pages, she may have first-party interactions with both the source and destination sites, which may be operated by different parties. Redirection (for example, a link shortener, accomplished via an HTTP redirect or a JavaScript location change) might be conducted by service providers to the source or destination site, or as a third party to the user's navigation.

Proposal 1

By Ian Fette

"If a site offers users the choice to log in with an identity provider, via means such as OpenID, OAuth, or other conceptually similar mechanisms, the identity provider is considered a first party for the current transactions and subsequent transactions for which the user remains authenticated to the site via the identity provider."

Proposal 2

By Rob van Eijk

Identity providers must not use user data beyond the purpose of identification and authentication unless this user data is needed for a legitimate business interest like for example fraudulent login attempts across multiple third party sites.