- From: Jonathan Mayer <jmayer@stanford.edu>
- Date: Wed, 29 Aug 2012 22:54:44 -0700
- To: Alan Chapell <achapell@chapellassociates.com>
- Cc: JC Cannon <jccannon@microsoft.com>, W3C DNT Working Group Mailing List <public-tracking@w3.org>
- Message-ID: <647B1AE2183A4E4E9F5CF8F5AE3D3DC7@gmail.com>
I'm focusing on service providers since that's the topic of ISSUE-137 and a not-entirely-uncommon use case. There are, to be sure, very similar - and similarly under-addressed - issues surrounding backend third parties.

Jonathan

On Wednesday, August 29, 2012 at 12:14 PM, Alan Chapell wrote:

> Thanks Jonathan. Just so I'm clear, are you suggesting that there should be a backend list of Service Providers, a list of Third Parties – or both? (Seems like you and JC are using slightly different terms and I'm not sure if that's intentional…) Thanks.
>
> Cheers,
>
> Alan Chapell
> Chapell & Associates
> 917 318 8440
>
> From: Jonathan Mayer <jmayer@stanford.edu (mailto:jmayer@stanford.edu)>
> Date: Wednesday, August 29, 2012 2:15 PM
> To: JC Cannon <jccannon@microsoft.com (mailto:jccannon@microsoft.com)>
> Cc: W3C DNT Working Group Mailing List <public-tracking@w3.org (mailto:public-tracking@w3.org)>
> Subject: Re: Service Provider Status (ISSUE-137)
> Resent-From: <public-tracking@w3.org (mailto:public-tracking@w3.org)>
> Resent-Date: Wed, 29 Aug 2012 18:15:32 +0000
>
> It seems we're very close - we agree there should be a list of backend service providers. What I'd also ask is 1) the list is mandatory (for a complying website), and 2) the list exists in a machine-readable format.
>
> Jonathan
>
> On Wednesday, August 29, 2012 at 10:41 AM, JC Cannon wrote:
>
> > I don’t doubt the benefits to users, I just don’t think DNT is the right mechanism to provide users with a list of third parties a company works with who are not part of the online transaction. It would be better to put that in the privacy statement or terms-of-use where it will always be available to users when they need to see it.
> >
> > JC
> >
> > From: Jonathan Mayer [mailto:jmayer@stanford.edu]
> > Sent: Wednesday, August 29, 2012 10:27 AM
> > To: JC Cannon
> > Cc: W3C DNT Working Group Mailing List
> > Subject: Re: Service Provider Status (ISSUE-137)
> >
> > I don't follow why you think information about a backend service provider would be unusable. The benefits to users, user agents, researchers, and policymakers remain.
> >
> > If we give backend service providers a free pass on signaling, I fear we establish a perverse incentive to diminish transparency even further.
> >
> > Jonathan
> >
> > On Wednesday, August 29, 2012 at 10:01 AM, JC Cannon wrote:
> >
> > > I don’t have a problem with the first three items.
> > >
> > > Item 4) appears to be out of scope for our work since the service provider is not involved in the session. I feel sending a list to the UA is to inform the UA of the status of a third-party site. Since the UA can’t see the site why send unusable information?
> > >
> > > JC
> > >
> > > From: Jonathan Mayer [mailto:jmayer@stanford.edu]
> > > Sent: Wednesday, August 29, 2012 9:53 AM
> > > To: JC Cannon
> > > Cc: W3C DNT Working Group Mailing List
> > > Subject: Re: Service Provider Status (ISSUE-137)
> > >
> > > Here are some concrete use cases with service provider ambiguity.
> > >
> > > 1) HTTP traffic goes to a website that looks like a third party, but is actually a service provider.
> > >
> > > Example: News.com (http://News.com) embeds content from Analytics.com (http://Analytics.com).
> > >
> > > Solution: A simple Service Provider flag (e.g. "Tk: S").
> > >
> > > 2) HTTP traffic goes to a website that looks like a first party, but is actually a service provider.
> > >
> > > Example: Blog.com (http://Blog.com) is hosted by BlogPlatform.com (http://BlogPlatform.com).
> > >
> > > Solution: A simple Service Provider flag (e.g. "Tk: S") plus some sort of party identification (e.g. a "Tk-Party: blogplatform.com (http://blogplatform.com)" response header or a "party" field in the status resource).
> > >
> > > 3) HTTP traffic goes to a website that is a service provider, but it's unclear which party it's working for.
> > >
> > > Example: Analytics.com (http://Analytics.com) appears buried in a set of advertising iframes on News.com (http://News.com).
> > >
> > > Solution: A Service Provider can signal the party it's working for (e.g. a "Tk-Service: news.com (http://news.com)" response header or a "service-provider-party" field in the status resource).
> > >
> > > 4) A website uses a service provider on the backend.
> > >
> > > Example: Shopping.com (http://Shopping.com) copies its user account data into a cloud-based CRM service.
> > >
> > > Solution: A list of service providers in a party's tracking status resource.
> > >
> > > On Wednesday, August 29, 2012 at 9:38 AM, JC Cannon wrote:
> > >
> > > > Could you describe a scenario where the service provider is not on HTTP? How would it send a response in the first place? Are you talking about offline scenarios?
> > > >
> > > > Thanks,
> > > >
> > > > JC
> > > >
> > > > From: Jonathan Mayer [mailto:jmayer@stanford.edu]
> > > > Sent: Wednesday, August 29, 2012 9:36 AM
> > > > To: W3C DNT Working Group Mailing List
> > > > Subject: Re: Service Provider Status (ISSUE-137)
> > > >
> > > > A related design decision: What about service providers that aren't visible via HTTP? I don't think we have consensus on this yet.
> > > >
> > > > On Wednesday, August 29, 2012 at 9:17 AM, Jonathan Mayer wrote:
> > > >
> > > > > Some possible status ambiguities for service providers. All are solvable with trivial engineering.
> > > > >
> > > > > -If a service provider is using its own domain:
> > > > >
> > > > >   -Is the entity a first party, third party, or service provider?
> > > > >
> > > > >   -Which party is it providing outsourcing services to? (Might be multiple parties in different roles.)
> > > > >
> > > > > -If a service provider is using a different party's domain (e.g. a CNAMEd analytics service):
> > > > >
> > > > >   -Who is the service provider?
Received on Thursday, 30 August 2012 05:55:13 UTC
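
The four use cases in the quoted thread can be read as a resolution procedure a user agent or auditor would run per response. The sketch below is an added example, not code from the thread or from any DNT specification: the "Tk: S", "Tk-Party" and "Tk-Service" headers and the "party" and "service-provider-party" fields are the thread's "e.g." proposals, while the "service-providers" field name, the `nested` flag and the same-site test are assumptions made here.

```javascript
// Added example. Signal names are the thread's proposals, not a published spec.
// Assumptions: "service-providers" field name, the `nested` flag, naive sameSite().

// Naive same-site test; real code would consult the Public Suffix List.
function sameSite(host, site) {
  host = host.toLowerCase(); site = site.toLowerCase();
  return host === site || host.endsWith("." + site);
}

// obs: { requestHost, topLevelHost, nested, headers, status }
function resolveStatus(obs) {
  const headers = {};
  for (const [k, v] of Object.entries(obs.headers || {})) {
    headers[k.toLowerCase()] = String(v).trim();
  }
  const status = obs.status || {};
  const looksFirstParty = sameSite(obs.requestHost, obs.topLevelHost);
  const isProvider = (headers["tk"] || "").toUpperCase() === "S";
  const out = {
    role: isProvider ? "service-provider" : looksFirstParty ? "first-party" : "third-party",
    provider: null,
    servedParty: null,
    backendProviders: status["service-providers"] || [], // use case 4
    gaps: [],
  };
  if (!isProvider) return out;

  // Use case 2 (and the CNAME case): a provider on the served party's domain
  // is only identifiable if it names itself.
  out.provider = headers["tk-party"] || status["party"]
    || (looksFirstParty ? null : obs.requestHost);
  if (!out.provider) out.gaps.push("provider identity not signaled");

  // Use cases 1 and 3: a directly embedded provider is taken to serve the
  // top-level site; one nested in other parties' frames must say whom it serves.
  out.servedParty = headers["tk-service"] || status["service-provider-party"]
    || (looksFirstParty || !obs.nested ? obs.topLevelHost : null);
  if (!out.servedParty) out.gaps.push("served party not signaled");
  return out;
}

// Constructed observation: a CNAMEd analytics host that sends only the flag.
const sample = resolveStatus({
  requestHost: "metrics.news.com", topLevelHost: "news.com", headers: { Tk: "S" },
});
console.log(sample.role, sample.gaps);
```

A non-empty `gaps` array marks exactly the ambiguities the thread enumerates: the flag alone is enough for a directly embedded provider on its own domain, and not enough for a CNAMEd or nested one.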