W3C home > Mailing lists > Public > public-tracking-commit@w3.org > August 2012

WWW/2011/tracking-protection/drafts tracking-dnt.html,1.144,1.145

From: Roy Fielding via cvs-syncmail <cvsmail@w3.org>
Date: Wed, 08 Aug 2012 08:02:55 +0000
To: public-tracking-commit@w3.org
Message-Id: <E1Sz1EF-0003To-9E@lionel-hutz.w3.org>
Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory hutz:/tmp/cvs-serv7985

Modified Files:
	tracking-dnt.html 
Log Message:
ISSUE-137: Remove S tracking status value for service provider and replace
it with a requirement to identify the responsible first party.

In practice there may be dozens of service providers on any given request.
If the designated resource is operated by a service provider acting as a
first party, then the responsible first party is identified by the policy link
or the owner of the origin server domain. This satisfies the use case of
distinguishing between a service provider acting for some other site and the
same service provider acting on one of its own sites.


Index: tracking-dnt.html
===================================================================
RCS file: /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-dnt.html,v
retrieving revision 1.144
retrieving revision 1.145
diff -u -d -r1.144 -r1.145
--- tracking-dnt.html	7 Aug 2012 08:45:10 -0000	1.144
+++ tracking-dnt.html	8 Aug 2012 08:02:53 -0000	1.145
@@ -585,7 +585,10 @@
           <tr valign="top"><td align="middle"><dfn>1</dfn></td>
               <td><strong>First party</strong>: The designated resource is
                 designed for use within a first party context and conforms to
-                the requirements on a first party.</td>
+                the requirements on a first party. If the designated resource
+                is operated by an outsourced service provider, the service
+                provider claims that it conforms to the requirements on a
+                third party acting as a first party.</td>
           </tr>
           <tr valign="top"><td align="middle"><dfn>3</dfn></td>
               <td><strong>Third party</strong>: The designated resource is
@@ -606,12 +609,6 @@
                 tracking status value in the representation of a
                 request-specific tracking status resource.</td>
           </tr>
-          <tr valign="top"><td align="middle"><dfn>S</dfn></td>
-              <td><strong>Service provider</strong>: The designated resource
-                is operated by a service provider acting on behalf of the
-                first party and conforms to the requirements for both a first
-                party and a service provider acting as a first party.</td>
-          </tr>
           <tr valign="top"><td align="middle"><dfn>C</dfn></td>
               <td><strong>Consent</strong>: The designated resource believes
                 it has received prior consent for tracking this user, user
@@ -645,7 +642,7 @@
           status value describes how the resource conformed to that specific
           request, and thus indicates both the nature of the request (as
           viewed by the origin server) and the applicable set of requirements
-          to which the server claims to conform for that request.
+          to which the origin server claims to conform for that request.
         </p>
         <p>
           The tracking status value is case sensitive, as defined formally
@@ -656,19 +653,18 @@
               / "3"   ; "3" — third-party
               / %x43  ; "C" - consent
               / %x4E  ; "N" - none
-              / %x53  ; "S" - service provider
               / %x55  ; "U" - updated
               / %x58  ; "X" - dynamic
         </pre>
 
         <p class="issue"><a href="http://www.w3.org/2011/tracking-protection/track/issues/137">ISSUE-137</a>: Does hybrid tracking status need to distinguish between first party (1) and outsourcing service provider acting as a first party (s)<br />
-          <b>[OPEN]</b> There is significant disagreement over whether a
-          service provider acting on behalf of a first party needs to
-          indicate such in the tracking status. It is particularly nonsensical
-          given that there may be dozens of service providers acting on any
-          request and the service provider definition is already limited to
-          cases where any data collected is siloed and under control of
-          the first party.
+          <b>[PENDING REVIEW]</b> No, in practice there may be dozens of
+          service providers on any given request.  If the designated resource
+          is operated by a service provider acting as a first party, then the
+          responsible first party is identified by the policy link or the
+          owner of the origin server domain. This satisfies the use case of
+          distinguishing between a service provider acting for some other site
+          and the same service provider acting on one of its own sites.
         </p>
       </section>
 
@@ -909,8 +905,8 @@
             An OPTIONAL member named <code><a>same-party</a></code> MAY be
             provided with an array value containing a list of domain names
             that the origin server claims are the same party, to the extent
-            they are referenced on this site, since all data collected via
-            those references share the same data controller.
+            they are referenced by the designated resource, since all data
+            collected via those references share the same data controller.
           </p>
           <pre class="abnf">
 <dfn>same-party</dfn>    = %x22 "same-party" %x22
@@ -919,8 +915,9 @@
           <p>
             An OPTIONAL member named <code><a>partners</a></code> MAY be
             provided with an array value containing a list of domain names
-            for third-party services that might be invoked while using this
-            site but do not share the same data controller as this site.
+            for third-party services that might be invoked while using the
+            designated resource but do not share the same data controller as
+            the designated resource.
           </p>
           <pre class="abnf">
 <dfn>partners</dfn>      = %x22 "partners" %x22
@@ -929,11 +926,12 @@
           <p>
             An OPTIONAL member named <code><a>audit</a></code> MAY be
             provided with an array value containing a list of URI references
-            to external audits of the site's tracking policy and tracking
-            behavior in compliance with this protocol.  Preferably, the audit
-            references are to resources that describe the auditor and the
-            results of that audit; however, if such a resource is not
-            available, a reference to the auditor is sufficient.
+            to external audits of the designated resource's tracking policy
+            and tracking behavior in compliance with this protocol.
+            Preferably, the audit references are to resources that describe
+            the auditor and the results of that audit; however, if such a
+            resource is not available, a reference to the auditor is
+            sufficient.
           </p>
           <pre class="abnf">
 <dfn>audit</dfn>         = %x22 "audit" %x22
@@ -943,7 +941,8 @@
             An OPTIONAL member named <code><a>policy</a></code> MAY be
             provided with a string value containing a URI-reference to a
             human-readable document that describes the tracking policy for
-            this site.  The content of such a policy document is beyond the
+            the designated resource.
+            The content of such a policy document is beyond the
             scope of this protocol and only supplemental to what is described
             by this machine-readable tracking status representation.
           </p>
@@ -952,16 +951,28 @@
 <dfn>policy-v</dfn>      = string       ; URI-reference
           </pre>
           <p>
+            If the tracking status value is <code>1</code> and the designated
+            resource is being operated by an outsourced service provider on
+            behalf of a first party, the origin server MUST identify the
+            responsible first party via the domain of the policy URI, if
+            present, or by the domain owner of the origin server.
+            If no policy URI is provided and the origin server domain is
+            owned by the service provider, then the service provider is the
+            first party.
+          </p>
+          <p>
             An OPTIONAL member named <code><a>control</a></code> MAY be
             provided with a string value containing a URI-reference to a
             resource for giving the user control over personal data collected
-            by this site; it SHOULD be provided if the tracking status value
-            indicates prior consent (<code><a>C</a></code>).
+            by the designated resource (and possibly other resources);
+            a <code><a>control</a></code> member SHOULD be provided if the
+            tracking status value indicates prior consent
+            (<code><a>C</a></code>).
             Such a control resource might include the ability to review
             past data collected, delete some or all of the data, provide
             additional data (if desired), or <q>opt-in</q>, <q>opt-out</q>,
             or otherwise modify an out-of-band consent status regarding
-            data collection by this site. The design of such a resource,
+            data collection. The design of such a resource,
             the extent to which it can provide access to that data, and
             how one might implement an out-of-band consent mechanism is
             beyond the scope of this protocol.
Received on Wednesday, 8 August 2012 08:02:57 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 8 August 2012 08:02:57 GMT