W3C home > Mailing lists > Public > public-tracking@w3.org > September 2012

Re: ISSUE-137 Service provider flag

From: Roy T. Fielding <fielding@gbiv.com>
Date: Mon, 10 Sep 2012 15:22:24 -0700
Cc: "public-tracking@w3.org" <public-tracking@w3.org>
Message-Id: <A5E7C848-7B41-4D1A-8729-32ABB907A53F@gbiv.com>
To: Matthias Schunter <mts-std@schunter.org>
On Sep 10, 2012, at 12:51 PM, Matthias Schunter wrote:

> during our call on Wednesday (with Tom and David Singer), I finally
> understood why Tom needs a service provider flag.
> 
> The use case he has in mind is that he would like to identify the
> boundaries of a "same-party".

The boundaries of a "same-party" would only apply to the first party,
so I am assuming he means the boundaries of the first party (including
any service providers that silo to that first party).

> The reason is that if you interact with a site then a user agent would
> like to be able to inform the end user that this site is part of a
> {finite list} of sites that jointly constitute a single party in the DNT
> sense.

Sure, that's what same-party provides if the first party wishes.

> We did not understand how this would be done based on the current site
> responses. One concern we had was that service providers acting under
> their own URL (statistics.com) may say that they are intended for 1st
> party use while also declaring that they are "same-party" with multiple
> parties that are not "same-party" with each other. As a consequence, one
> can either no longer determine the boundaries of a party or else would
> be able to pinpoint the service providers.

No, "same-party" has no meaning for anyone other than the first party
site.  Why would the UA trust a list generated by some other site?

A service provider that is using its own domain MUST provide a link
in the policy member that points to the first party.  This allows the
UA to verify (when going to the first-party WKL) that the service
provider is indeed considered by the first party to be same-party.

> Quick questions:
> - Do you understand this usecase?

Yes.

> - Do you agree with our observation about the current server responses?

No.

> - How would you implement this important use case?

It isn't an important use case; it isn't listed in the ones discussed
by or required by the WG.  Regulators can simply ask the first party.
Humans can simply read the tracking policy, assuming that listing
vendors is a requirement for that policy.

The problem with automating it is that not all first party sites are
willing to divulge the list of same-party domains, either because
it is hard to manage them or because the first party has too much pride.

If same-party were required on first-party sites that use service
providers, then it is easy for a UA to automate. I have no problem
with that, but it is not my call: the WG would have to require it.
IIRC, Google objected to such a requirement in DC, but maybe it wasn't
described sufficiently.  It would help if Tom simply wrote the
use case down and posted to the list.

BTW, while that is an interesting use case, an "S" response value
would do nothing to support it.  

....Roy
Received on Monday, 10 September 2012 22:22:47 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:33 UTC