
Re: Best Practices for Outsourcing (ACTION-47, ISSUE-49)

From: Vinay Goel <vigoel@adobe.com>
Date: Fri, 16 Mar 2012 06:14:33 -0700
To: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-ID: <CB88B4C0.476F%vigoel@adobe.com>
Hi Jonathan,

This is a normative statement (and not a non-normative statement as you've
labeled it) and is inappropriate for inclusion in the spec.  It belongs
within a Best Practices document separate from the Compliance/Preferences
Specs that is best published by someone other than the WG.


Vinay Goel | Privacy Product Manager | Adobe Systems | Office: 917.934.0867

On 3/14/12 8:08 PM, "Jonathan Mayer" <jmayer@stanford.edu> wrote:

>Here's some non-normative text on best practices for outsourcing.
>I. Technical Precautions
>A. Siloing in the Browser
>Outsourcing services should use browser access control features so that
>stored data specific to one first party is never accessed or collected
>when the user visits another first party.
>i. Same-Origin Policy
>The same-origin policy silos stored data by domain name.  An outsourcing
>service can use a different domain name for each first party.
>Example: Example Analytics provides an outsourced analytics service to
>Example News and Example Sports, two unrelated websites.  Example
>Analytics stores its cookies for Example News at
>examplenews.exampleanalytics.com, and it stores its cookies for Example
>Sports at examplesports.exampleanalytics.com.
>An outsourcing service could also use the first party's domain.
>Example: Example Analytics stores its cookies for Example News at
>examplenews.com, and it stores its cookies for Example Sports at
>ii. Cookie Path Attribute
>The HTTP cookie path can be used to silo data to a first party.
>Example: Example Analytics stores its cookies for Example News with
>"Path=/examplenews", and it stores its cookies for Example Sports with
>iii. Storage Key
>For key/value storage APIs, such as Web Storage and Indexed Database, an
>outsourcing service can use a different key or key prefix for each first
>Example: Example Analytics stores data for Example News at
>window.localStorage["examplenews"] and data for Example Sports at
>B. Siloing in the Backend
>i. Encryption Keys
>An outsourcing service should encrypt each first party's data with a
>different set of keys.
>ii. Access Controls
>An outsourcing service should deploy access controls so that only
>authorized personnel are able to access siloed data, and only for
>authorized purposes.
>iii. Access Monitoring
>An outsourcing service should deploy access monitoring mechanisms to
>detect improper use of siloed data.
>C. Retention in the Backend
>An outsourcing service should retain information only so long as
>necessary to provide necessary functionality to a first party.  If a
>service creates periodic reports, for example, it should delete the data
>used for a report once it is generated.  An outsourcing service should be
>particularly sensitive to retaining protocol logs, since they may allow
>correlating user activity across multiple first parties.
>II. Business Precautions
>i. Policy
>An outsourcing service should establish a clear internal policy that
>gives guidance on how to collect, retain, and use outsourced data in
>compliance with this standard.
>ii. Training
>Personnel that interact with outsourced data should be familiarized with
>internal policy on compliance with this standard.
>iii. Supervision and Reporting
>An outsourcing service should establish a supervision and reporting
>structure for detecting improper access.
>iv. Auditing
>External auditors should periodically examine an outsourcing service to
>assess whether it is in compliance with this standard and has adopted
>best practices.  Auditor reports should be made available to the public.

Confidentiality Notice: The contents of this e-mail (including any attachments) may be confidential to the intended recipient, and may contain information that is privileged and/or exempt from disclosure under applicable law. If you are not the intended recipient, please immediately notify the sender and destroy the original e-mail and any attachments (and any copies that may have been made) from your system or otherwise. Any unauthorized use, copying, disclosure or distribution of this information is strictly prohibited.
Received on Friday, 16 March 2012 13:15:26 UTC
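Added example (written for this archive page, not code from either message above): the three browser-side siloing techniques in the quoted text, one origin per first party, a cookie Path per first party and a per-first-party storage key prefix, as they would be implemented in the outsourcing service's JavaScript, together with the checks a reviewer of such a deployment would want. Example Analytics, examplenews.com and examplesports.com are the hypothetical names from the quoted message; the function names, the in-memory storage shim and the sample values are assumptions of this example.

```javascript
// Browser-side siloing of an outsourced analytics service's data per first
// party. Added example; the helper names and sample data are assumptions.

// Derive a single DNS label from the first party's host ("examplenews.com"
// -> "examplenews"). The label is validated because it ends up inside a host
// name and a cookie Path; it must never be built from unchecked input.
function siloLabel(firstPartyHost) {
  const label = String(firstPartyHost).toLowerCase().split('.')[0];
  if (!/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(label)) {
    throw new Error('first party host is not a valid DNS label: ' + firstPartyHost);
  }
  return label;
}

// i. Same-origin policy: one host per first party. This is the only one of
// the three separations the browser actually enforces: cookies, Web Storage
// and IndexedDB under examplenews.exampleanalytics.com are not reachable from
// a script running under examplesports.exampleanalytics.com.
function siloHost(firstPartyHost, serviceDomain) {
  return siloLabel(firstPartyHost) + '.' + serviceDomain;
}

// ii. Cookie Path attribute. The Domain attribute is deliberately omitted: a
// host-only cookie is sent back only to the silo host, whereas
// Domain=exampleanalytics.com would send it to every silo and undo the
// separation. SameSite=None; Secure is what a cookie set in a third-party
// context needs today.
function siloedCookieHeader(firstPartyHost, name, value) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error('invalid cookie name: ' + name);
  }
  const label = siloLabel(firstPartyHost);
  return name + '=' + encodeURIComponent(value) +
    '; Path=/' + label + '; Secure; HttpOnly; SameSite=None';
}

// Check a Set-Cookie header against the silo rules for one first party.
// Returns the list of findings; an empty list means the cookie stays inside
// its silo. Note that Path is not a security boundary (the same-origin policy
// ignores it), so the Path check is about keeping data tidy, and the Domain
// check is the one that matters.
function auditSetCookie(header, serviceDomain, firstPartyHost) {
  const label = siloLabel(firstPartyHost);
  const attrs = {};
  for (const part of header.split(';').slice(1)) {
    const p = part.trim();
    const eq = p.indexOf('=');
    const key = (eq === -1 ? p : p.slice(0, eq)).toLowerCase();
    attrs[key] = eq === -1 ? '' : p.slice(eq + 1);
  }
  const findings = [];
  if ('domain' in attrs) {
    const d = attrs.domain.replace(/^\./, '').toLowerCase();
    if (d === serviceDomain.toLowerCase()) {
      findings.push('Domain=' + attrs.domain + ' sends the cookie to every silo under ' + serviceDomain);
    }
  }
  if (attrs.path !== '/' + label) {
    findings.push('Path should be /' + label + ', got ' + (attrs.path || '(none)'));
  }
  return findings;
}

// Minimal stand-in for window.localStorage so the example runs outside a
// browser (constructed for this example).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return i < this.map.size ? [...this.map.keys()][i] : null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
}

// iii. Storage key prefix for Web Storage. A prefix is a naming convention,
// not an access control: every script on the origin can read every key, so
// this separates data only in combination with per-first-party origins.
class SiloedStorage {
  constructor(firstPartyHost, backing) {
    this.prefix = siloLabel(firstPartyHost) + ':';
    this.backing = backing;
  }
  setItem(k, v) { this.backing.setItem(this.prefix + k, v); }
  getItem(k) { return this.backing.getItem(this.prefix + k); }
}

// Two first parties sharing one backing store: each silo sees only its own
// value through the wrapper, but a raw read of the backing store shows why
// the prefix alone is not a boundary.
function demo() {
  const backing = new MemoryStorage();
  const news = new SiloedStorage('examplenews.com', backing);
  const sports = new SiloedStorage('examplesports.com', backing);
  news.setItem('visitor', 'v-001');
  sports.setItem('visitor', 'v-002');
  return {
    newsSees: news.getItem('visitor'),
    sportsSees: sports.getItem('visitor'),
    rawReadAcrossSilo: backing.getItem('examplenews:visitor'),
  };
}
```

Of the three mechanisms, only the per-first-party host is enforced by the browser; the cookie Path and the storage key prefix are bookkeeping that a script on the same origin can bypass, so they are worth combining with separate hosts rather than relying on alone. The most common way a deployment like this leaks across silos is a Domain attribute set to the shared service domain, which auditSetCookie flags.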

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:46 UTC