Best Practices for Outsourcing (ACTION-47, ISSUE-49)

Here's some non-normative text on best practices for outsourcing.

--------------------------------------------------

I. Technical Precautions

A. Siloing in the Browser

Outsourcing services should use browser access control features so that stored data specific to one first party is never accessed or collected when the user visits another first party.

i. Same-Origin Policy

Browsers silo stored data by origin: cookies by host name (and path), Web Storage and Indexed Database by scheme, host and port.  An outsourcing service can therefore use a different host name for each first party.  Its cookies must be host-only, with no Domain attribute naming the shared parent domain: a cookie scoped to exampleanalytics.com would be sent to every subdomain, and so to every first party's traffic.

Example: Example Analytics provides an outsourced analytics service to Example News and Example Sports, two unrelated websites.  Example Analytics stores its cookies for Example News at examplenews.exampleanalytics.com, and it stores its cookies for Example Sports at examplesports.exampleanalytics.com.

An outsourcing service could also use the first party's own domain, which requires the first party to point a host name under its domain at the service.  Those cookies should likewise be host-only, since a cookie set for the whole registrable domain is also sent to the first party's other hosts.

Example: Example Analytics stores its cookies for Example News at examplenews.com, and it stores its cookies for Example Sports at examplesports.com.

ii. Cookie Path Attribute

The cookie Path attribute limits which requests carry a cookie, so within a single host it can keep one first party's cookies off requests made for another first party.  It is not an access control boundary: the same-origin policy is applied per origin, not per path, so script on one path of a host can read cookies set for another path of the same host (RFC 6265, section 8.6).  Path siloing supplements per-host siloing; it does not replace it.

Example: Example Analytics stores its cookies for Example News with "Path=/examplenews", and it stores its cookies for Example Sports with "Path=/examplesports".
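
The two mechanisms above, as an added worked example in JavaScript (not code from the original post or from any real analytics service): a helper that builds a host-only, path-scoped Set-Cookie header for one first party, and a small matcher implementing RFC 6265 domain and path matching to show which cookies a browser would attach to each first party's requests.  The host names, cookie names and the deliberately mis-scoped parent-domain cookie are constructed for illustration.

```javascript
// Added example, not code from the original post: scoping cookies to one
// first party, plus an RFC 6265 matcher showing which cookies a browser would
// attach to a given request.  Host names, cookie names and values are
// constructed for illustration.

// Build the Set-Cookie header for one first party's cookie.  The cookie is
// host-only (no Domain attribute), so the browser sends it only to this exact
// host, and it is further confined to a per-first-party path.
function siloedSetCookie(firstParty, name, value) {
  if (!/^[a-z0-9-]+$/.test(firstParty)) {
    throw new Error('first party label must be a single DNS label: ' + firstParty);
  }
  const host = firstParty + '.exampleanalytics.com'; // assumed service domain
  return {
    host, // the host that must issue this Set-Cookie
    header: `${name}=${value}; Path=/${firstParty}; Secure; HttpOnly`,
    cookie: { name, value, domain: host, hostOnly: true, path: '/' + firstParty },
  };
}

// RFC 6265 section 5.1.3: a request host domain-matches a cookie domain when
// it is identical to it or ends with "." followed by it.
function domainMatches(requestHost, cookieDomain) {
  return requestHost === cookieDomain || requestHost.endsWith('.' + cookieDomain);
}

// RFC 6265 section 5.1.4 path-match: "/examplenews" matches "/examplenews"
// and "/examplenews/collect" but not "/examplenewsletter".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Names of the cookies in the jar that a browser would attach to a request.
// Host-only cookies need an exact host match; cookies with a Domain attribute
// use domain matching and are therefore received by every subdomain.
function cookiesFor(jar, requestHost, requestPath) {
  return jar
    .filter((c) => (c.hostOnly ? requestHost === c.domain : domainMatches(requestHost, c.domain)))
    .filter((c) => pathMatches(requestPath, c.path))
    .map((c) => c.name);
}

// Constructed cookie jar: two correctly siloed cookies plus one mis-scoped
// cookie whose Domain attribute names the shared parent domain.
function buildJar() {
  const news = siloedSetCookie('examplenews', 'news_session', 'n1');
  const sports = siloedSetCookie('examplesports', 'sports_session', 's1');
  const leaky = { name: 'shared_bad', value: 'x', domain: 'exampleanalytics.com', hostOnly: false, path: '/' };
  return [news.cookie, sports.cookie, leaky];
}

// Which cookies reach each first party's collection endpoint?
function demo() {
  const jar = buildJar();
  return {
    newsRequest: cookiesFor(jar, 'examplenews.exampleanalytics.com', '/examplenews/collect'),
    sportsRequest: cookiesFor(jar, 'examplesports.exampleanalytics.com', '/examplesports/collect'),
  };
}

console.log(demo());
// newsRequest: news_session, shared_bad; sportsRequest: sports_session, shared_bad
```

Run with node.  The mis-scoped shared_bad cookie turns up on both first parties' requests because its Domain attribute names the shared parent domain; the two host-only cookies do not cross over.  The matcher models what the browser sends, not what script can read: a document at /examplenews can load a same-origin frame at /examplesports and read that frame's document.cookie (unless the cookie is HttpOnly), which is why the path alone is not an isolation boundary.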

iii. Storage Key

For key/value storage APIs, such as Web Storage and Indexed Database, an outsourcing service can use a different key or key prefix (or, for Indexed Database, a different database name) for each first party.  Like the cookie path, this separates data only by convention: every script running on the origin can enumerate and read every key, so it should be combined with a separate origin per first party.

Example: Example Analytics stores data for Example News at window.localStorage["examplenews"] and data for Example Sports at window.localStorage["examplesports"].
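
A key-prefix silo for Web Storage, as an added example in JavaScript (not the post's own code): a wrapper that reads, writes, enumerates and clears only one first party's keys.  The in-memory Storage stand-in, the separator and the sample values are constructed so the example runs under Node without a browser; in a page the wrapper takes window.localStorage.

```javascript
// Added example, not code from the original post: a key-prefixed wrapper over
// a Web Storage object so that each first party's data lives in its own
// namespace.  The in-memory Storage stand-in is constructed so the example
// runs outside a browser; in a page, pass window.localStorage instead.

const SEP = ':'; // assumed separator; first-party labels may not contain it

// Minimal stand-in implementing the parts of the Storage interface used here.
function memoryStorage() {
  const map = new Map();
  return {
    get length() { return map.size; },
    key(i) { return i < map.size ? Array.from(map.keys())[i] : null; },
    getItem(k) { return map.has(k) ? map.get(k) : null; },
    setItem(k, v) { map.set(String(k), String(v)); },
    removeItem(k) { map.delete(k); },
  };
}

// A view of `storage` restricted to keys that start with "<firstParty>:".
// The separator stops one label from matching another's keys by prefix
// ("examplenews:" does not match "examplenewsletter:...").
function createSilo(storage, firstParty) {
  if (!/^[a-z0-9.-]+$/.test(firstParty)) {
    throw new Error('first party label must be a host-like identifier: ' + firstParty);
  }
  const prefix = firstParty + SEP;
  return {
    get(key) { return storage.getItem(prefix + key); },
    set(key, value) { storage.setItem(prefix + key, value); },
    remove(key) { storage.removeItem(prefix + key); },
    // Enumerate only this first party's keys, with the prefix stripped.
    keys() {
      const out = [];
      for (let i = 0; i < storage.length; i++) {
        const k = storage.key(i);
        if (k.startsWith(prefix)) out.push(k.slice(prefix.length));
      }
      return out;
    },
    // Delete everything this first party stored, and nothing else.
    clear() { for (const k of this.keys()) this.remove(k); },
  };
}

// Constructed scenario: two first parties sharing one storage object.
function demo() {
  const storage = memoryStorage();
  const news = createSilo(storage, 'examplenews');
  const sports = createSilo(storage, 'examplesports');
  news.set('visitor', 'n-42');
  news.set('last_seen', '2012-03-14');
  sports.set('visitor', 's-7');
  const result = {
    newsKeys: news.keys().sort(),
    sportsKeys: sports.keys().sort(),
    newsVisitor: news.get('visitor'),
    sportsVisitor: sports.get('visitor'),
    // null: the wrapper always applies its own prefix, so it cannot reach another silo
    viaSilo: news.get('examplesports' + SEP + 'visitor'),
    // 's-7': the prefix is a convention, not access control; raw storage sees every key
    viaRawStorage: storage.getItem('examplesports' + SEP + 'visitor'),
  };
  news.clear();
  result.remainingAfterNewsClear = storage.length; // 1: only the sports key survives
  return result;
}

console.log(demo());
```

The viaRawStorage result is the caveat: the wrapper disciplines the service's own code, but any script on the origin can call localStorage directly and read every first party's keys, so the per-origin separation in (i) is still what keeps first parties apart.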

B. Siloing in the Backend

i. Encryption Keys

An outsourcing service should encrypt each first party's data with a different set of keys, so that a compromised key or a misdirected query exposes at most one first party's data, and so that a first party's data can be made unreadable by destroying its keys once it is no longer needed.

ii. Access Controls

An outsourcing service should deploy access controls so that only authorized personnel are able to access siloed data, and only for authorized purposes.

iii. Access Monitoring

An outsourcing service should deploy access monitoring mechanisms to detect improper use of siloed data.

C. Retention in the Backend

An outsourcing service should retain information only as long as needed to provide the contracted functionality to a first party.  If a service creates periodic reports, for example, it should delete the underlying data once a report is generated.  An outsourcing service should be particularly careful with protocol logs (such as web server access logs, which record IP addresses, user agents and request URLs), since they may allow correlating user activity across multiple first parties.

II. Business Precautions

i. Policy

An outsourcing service should establish a clear internal policy that gives guidance on how to collect, retain, and use outsourced data in compliance with this standard.

ii. Training

Personnel who interact with outsourced data should be familiarized with the internal policy on compliance with this standard.

iii. Supervision and Reporting

An outsourcing service should establish a supervision and reporting structure for detecting improper access.

iv. Auditing

External auditors should periodically examine an outsourcing service to assess whether it is in compliance with this standard and has adopted best practices.  Auditor reports should be made available to the public.

Received on Thursday, 15 March 2012 00:09:29 UTC