ACTION-302 - Background and Cleanup WRT "Intermediary" from Brendan Riordan-Butterworth on 2012-11-07 (public-tracking@w3.org from November 2012)

From: Brendan Riordan-Butterworth <Brendan@iab.net>
Date: Wed, 7 Nov 2012 15:56:31 +0000
To: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
Message-ID: <49168C3A3F0D9C43B3B0F529D19AA7E893F3CC63@IAB-NYC-EX1.IAB.local>
The following background and analysis of the Compliance and Scope and TPE documents with regards to the use of the term and concept of “Intermediary” results in the following suggestions:

"User agents often include user-installable component parts, commonly known as plug-ins or browser extensions, that are capable of making their own network requests.” In section 4.4 of the existing TPE should be updated to  "User agents often include user-installable component parts, commonly known as plug-ins or browser extensions, that are capable of making their own network requests or modifying existing network request."

The terms “Intermediary” and “Intermediaries” are incorrectly used in all cases in the Compliance and Scope document, and should be replaced.

/brendan.

----------
Background
----------

HTTPbis draft has a working definition of "HTTP Intermediary"

Section 2.3
http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-21#section-2.3

"HTTP enables the use of intermediaries to satisfy requests through a chain of connections.  There are three common forms of HTTP intermediary: proxy, gateway, and tunnel.  In some cases, a single intermediary might act as an origin server, proxy, gateway, or tunnel, switching behavior based on the nature of each request."


This refines the languague used to describe "Network Intermediaries" in RFC 6202

Section 3.2
http://tools.ietf.org/html/rfc6202#section-3.2

"The HTTP protocol allows for intermediaries (proxies, transparent proxies, gateways, etc.) to be involved in the transmission of a response from the server to the client."


These both extend the definition of "Intermediary" from RFC 2616

Section 1.4
http://www.w3.org/Protocols/rfc2616/rfc2616-sec1.html

"There are three common forms of intermediary: proxy, gateway, and tunnel. A proxy is a forwarding agent, receiving requests for a URI in its absolute form, rewriting all or part of the message, and forwarding the reformatted request toward the server identified by the URI. A gateway is a receiving agent, acting as a layer above some other server(s) and, if necessary, translating the requests to the underlying server's protocol. A tunnel acts as a relay point between two connections without changing the messages; tunnels are used when the communication needs to pass through an intermediary (such as a firewall) even when the intermediary cannot understand the contents of the messages."


--------------------
Compliance and Scope
--------------------

The use of "Intermediary" in the non-normative text in the current draft of the "Tracking Compliance and Scope" document is not inline with the definition above - specifically:

Section 3.4.1.1
http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#Non-Normative

"Contractual requirements that enforce data rights and responsibilities for separation are a critical element of establishing an outsourcer acting on another party’s behalf. Contracts may occur directly through parties (for example, a Publisher in an Ad Network) or between intermediaries (for example, an Ad Network acting through an Ad Exchange). In either case, data separation and removal of independent rights are necessary elements that must survive intermediary contractual constructs."

The case of an Ad Network acting as an Ad Exchange is not compatible with the established definition of an Intermediary.

Section 3.5.1.2.1
http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#overview

"In some cases, web requests are redirected through intermediary domains, such as url shorteners or framing pages, before eventually delivering the content that the user was attempting to access. The operators of these intermediary domains are third parties, unless they are a common party to the operator of either the referring page or the eventual landing page."

The case of a redirection by a 3rd party domain (through the HTTP Response 301/302, or through HTML "META:REFRESH", or through JavaScript document.location re-write) is not compatible with the established definition of an Intermediary, and therefore should be replaced with the word "redirecting".


------------
TPE Document
------------

The use of "Intermediary" in the normative text in the current draft of the "Tracking Preference Expression" document is inline with the definition above - specifically:

Section 4.2
http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#dnt-header-field

"An HTTP intermediary must not add, delete, or modify the DNT header field in requests forwarded through that intermediary unless that intermediary has been specifically installed or configured to do so by the user making the requests. For example, an Internet Service Provider must not inject DNT: 1 on behalf of all of their users who have not expressed a preference."


The ISP can act as a tunnel, proxy, or gateway.

Section 4.4
http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#plug-ins

"User agents often include user-installable component parts, commonly known as plug-ins or browser extensions, that are capable of making their own network requests. From the user's perspective, these components are considered part of the user agent and thus ought to respect the user's configuration of a tracking preference. However, plug-ins do not normally have read access to the browser configuration."

The existing definitions clearly indicate that software receiving an HTTP request from a User Agent can act as an "intermediary".  However, it is ambiguous whether this receipt of the HTTP request must occur via the HTTP protocol, or whether this can be simply the passing of the fully formed HTTP request to the software in memory.  The TPE takes the stance that, if the HTTP request is being passed effectively in memory (with plug-ins), the additional software is effectively part of the User Agent.

This means that any browser plug-in that makes an HTTP request bear a DNT state that does not match the preference set in the User Agent settings is behaving incorrectly.  However, the language should be cleaned up to indicate:

"User agents often include user-installable component parts, commonly known as plug-ins or browser extensions, that are capable of making their own network requests or modifying existing network request."
Received on Wednesday, 7 November 2012 15:57:35 UTC