W3C home > Mailing lists > Public > public-tracking-commit@w3.org > January 2013

CVS WWW/2011/tracking-protection/drafts

From: CVS User rfieldin <cvsmail@w3.org>
Date: Mon, 21 Jan 2013 23:38:17 +0000
Message-Id: <E1TxQwT-0004Hv-HT@gil.w3.org>
To: public-tracking-commit@w3.org
Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory gil:/tmp/cvs-serv16215

Modified Files:
	tracking-dnt.html 
Log Message:
ACTION-328: Add first-party member to tracking status representation
to identify the responsible data controller(s) for cases where the
origin server domain is not owned by the first party or there exist
multiple first parties. This obsoletes use of the policy link for
the former purpose.


--- /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-dnt.html	2013/01/21 14:02:15	1.176
+++ /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-dnt.html	2013/01/21 23:38:17	1.177
@@ -638,8 +638,9 @@
           <b>[PENDING REVIEW]</b> No, in practice there may be dozens of
           service providers on any given request.  If the designated resource
           is operated by a service provider acting as a first party, then the
-          responsible first party is identified by the policy link or the
-          owner of the origin server domain. This satisfies the use case of
+          responsible first party is identified by the
+          <code><a>first-party</a></code> member or the owner of the origin
+          server domain. This satisfies the use case of
           distinguishing between a service provider acting for some other site
           and the same service provider acting on one of its own sites.
         </p>
@@ -843,7 +844,7 @@
           <p>
            (relative to the URI of that origin server) for obtaining
            information about the potential tracking behavior of resources
-           provided by that origin server.  A tracking status resource MAY be
+           provided by that origin server.  A tracking status resource can be
            used for verification of DNT support, as described in
            <a href="#using-tracking-status" class="sectionRef"></a>.
           </p>
@@ -855,7 +856,7 @@
             leads to such a representation.
             A user agent MAY consider failure to provide access to such a
             representation equivalent to the origin server not implementing
-            this protocol.  The representation MAY be cached, as described
+            this protocol.  The representation can be cached, as described
             in <a href="#status-caching" class="sectionRef"></a>.
           </p>
         </section>
@@ -898,10 +899,10 @@
         <section id='status-representation'>
           <h3>Representation</h3>
           <p>
-            The representation of a tracking status resource SHALL be provided
-            in the "application/json" format [[!RFC4627]] and MUST conform to
-            the ABNF for <a>status-object</a> (except that the members within
-            each member-list MAY be provided in any order).
+            An origin server MUST provide a representation of each tracking
+            status resource in the JSON format [[!RFC4627]] that conforms to
+            the ABNF for <code><a>status-object</a></code> (except that the
+            members within each member-list MAY be provided in any order).
           </p>
           <p>
             The following example tracking status representation
@@ -911,6 +912,7 @@
 <pre class="example">
 {
   "tracking": "1",
+  "first-party": ["https://www.example.com/privacy"],
   "same-party": [
     "example.com",
     "example_vids.net",
@@ -928,13 +930,14 @@
 </pre>
           <p>
             A tracking status representation consists of a single
-            <a>status-object</a> containing members that describe the
-            tracking status applicable to the designated resource.
+            <code><a>status-object</a></code> containing members that describe
+            the tracking status applicable to the designated resource.
           </p>
           <pre class="abnf">
 <dfn>status-object</dfn> = begin-object member-list end-object
 
-<dfn>member-list</dfn>   = tracking         ns tracking-v [tracking-q]
+<dfn>member-list</dfn>   = tracking             ns tracking-v [tracking-q]
+                [ vs first-party ns first-party-v ]
                 [ vs same-party  ns same-party-v  ]
                 [ vs third-party ns third-party-v ]
                 [ vs audit       ns audit-v       ]
@@ -943,7 +946,7 @@
                 *( vs extension )
           </pre>
           <p>
-            A <a>status-object</a> MUST have a member named
+            A <code><a>status-object</a></code> MUST have a member named
             <code><a>tracking</a></code> that contains a single character
             tracking status value
             (<a href="#tracking-status-value" class="sectionRef"></a>), 
@@ -962,11 +965,48 @@
 {"tracking": "N"}
 </pre>
           <p>
+            An origin server MAY send a member named
+            <code><a>first-party</a></code> that has an array value containing
+            a list of URI references that indirectly identify the first party
+            (or set of parties) that claims to be the responsible data
+            controller for personal data collected via the designated resource.
+            An origin server that does not send <code><a>first-party</a></code>
+            is implying that its domain owner is the sole first party and that
+            information about its policies ought to be found on this site's
+            root page, or by way of a clearly indicated link from that page
+            (i.e., no first-party member is equivalent to:
+            <code>"first-party":["/"]</code>).
+          <p>
+          </p>
+            If the designated resource has joint data controllers (i.e.,
+            multiple parties have independent control over the collected data
+            and claim first party status), as might occur on a co-branded
+            site, the origin server MUST send a
+            <code><a>first-party</a></code> member that contains references
+            specific to each of those first parties.
+            Likewise, if the designated resource has a sole first party and
+            the origin server's domain is not owned by that first party, the
+            origin server MUST send a <code><a>first-party</a></code> member
+            that contains a reference specific to that first party.
+          <p>
+          </p>
+            Each URI reference provided in <code><a>first-party</a></code>
+            MUST refer to a resource that, if a retrieval action is performed
+            on that URI, would provide the user with information regarding
+            (at a minimum) the identity of the corresponding first party and
+            its data collection practices.
+          </p>
+          <pre class="abnf">
+<dfn>first-party</dfn>    = %x22 "first-party" %x22
+<dfn>first-party-v</dfn>  = array-of-strings
+          </pre>
+          <p>
             An OPTIONAL member named <code><a>same-party</a></code> MAY be
             provided with an array value containing a list of domain names
             that the origin server claims are the same party, to the extent
             they are referenced by the designated resource, since all data
-            collected via those references share the same data controller.
+            collected via those references share the same data controller as
+            the designated resource.
           </p>
           <pre class="abnf">
 <dfn>same-party</dfn>    = %x22 "same-party" %x22
@@ -1005,22 +1045,15 @@
             The content of such a policy document is beyond the
             scope of this protocol and only supplemental to what is described
             in the machine-readable tracking status representation.
+            If no <code><a>policy</a></code> member is provided, this
+            information might be obtained via the links provided in
+            <code><a>first-party</a></code>.
           </p>
           <pre class="abnf">
 <dfn>policy</dfn>        = %x22 "policy" %x22
 <dfn>policy-v</dfn>      = string       ; URI-reference
           </pre>
           <p>
-            If the tracking status value is <code>1</code> and the designated
-            resource is being operated by an outsourced service provider on
-            behalf of a first party, the origin server MUST identify the
-            responsible first party via the domain of the policy URI, if
-            present, or by the domain owner of the origin server.
-            If no policy URI is provided and the origin server domain is
-            owned by the service provider, then the service provider is the
-            first party.
-          </p>
-          <p>
             An OPTIONAL member named <code><a>control</a></code> MAY be
             provided with a string value containing a URI-reference to a
             resource for giving the user control over personal data collected
@@ -1028,6 +1061,11 @@
             a <code><a>control</a></code> member SHOULD be provided if the
             tracking status value indicates prior consent
             (<code><a>C</a></code>).
+            If no <code><a>control</a></code> member is provided, this
+            information might be obtained via the links provided in
+            <code><a>first-party</a></code>.
+          </p>
+          <p>
             Such a control resource might include the ability to review
             past data collected, delete some or all of the data, provide
             additional data (if desired), or <q>opt-in</q>, <q>opt-out</q>,
@@ -1043,9 +1081,9 @@
           </pre>
           <p>
             Additional <code><a>extension</a></code> members MAY be provided
-            in the <a>status-object</a> to support future enhancements to
-            this protocol.  A user agent SHOULD ignore extension members
-            that it does not recognize.
+            in the <code><a>status-object</a></code> to support future
+            enhancements to this protocol. A user agent SHOULD ignore
+            extension members that it does not recognize.
           </p>
           <pre class="abnf">
 <dfn>extension</dfn>     = object
@@ -1221,16 +1259,16 @@
             A user agent MAY check the tracking status for a designated
             resource by first making a retrieval request for the site-wide
             tracking status representation, as described above, and then
-            parsing the representation as JSON to extract the Javascript
-            <a>status-object</a>.
+            parsing the representation as JSON to extract the
+            <code><a>status-object</a></code>.
             If retrieval is unsuccessful or parsing results in a syntax error,
             the user agent SHOULD consider the site to be non-conformant with
             this protocol.
           </p>
           <p>
-            The <a>status-object</a> is supposed to have a member named
-            <code><a>tracking</a></code> containing the tracking status value.
-            The meaning of each tracking status value is defined in
+            The <code><a>status-object</a></code> is supposed to have a member
+            named <code><a>tracking</a></code> containing the tracking status
+            value. The meaning of each tracking status value is defined in
             <a href="#tracking-status-value" class="sectionRef"></a>.
           </p>
           <p>
Received on Monday, 21 January 2013 23:38:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 21 January 2013 23:38:18 GMT