- From: Roy Fielding via cvs-syncmail <cvsmail@w3.org>
- Date: Wed, 08 Aug 2012 08:02:55 +0000
- To: public-tracking-commit@w3.org
Update of /w3ccvs/WWW/2011/tracking-protection/drafts In directory hutz:/tmp/cvs-serv7985 Modified Files: tracking-dnt.html Log Message: ISSUE-137: Remove S tracking status value for service provider and replace it with a requirement to identify the responsible first party. In practice there may be dozens of service providers on any given request. If the designated resource is operated by a service provider acting as a first party, then the responsible first party is identified by the policy link or the owner of the origin server domain. This satisfies the use case of distinguishing between a service provider acting for some other site and the same service provider acting on one of its own sites. Index: tracking-dnt.html =================================================================== RCS file: /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-dnt.html,v retrieving revision 1.144 retrieving revision 1.145 diff -u -d -r1.144 -r1.145 --- tracking-dnt.html 7 Aug 2012 08:45:10 -0000 1.144 +++ tracking-dnt.html 8 Aug 2012 08:02:53 -0000 1.145 @@ -585,7 +585,10 @@ <tr valign="top"><td align="middle"><dfn>1</dfn></td> <td><strong>First party</strong>: The designated resource is designed for use within a first party context and conforms to - the requirements on a first party.</td> + the requirements on a first party. If the designated resource + is operated by an outsourced service provider, the service + provider claims that it conforms to the requirements on a + third party acting as a first party.</td> </tr> <tr valign="top"><td align="middle"><dfn>3</dfn></td> <td><strong>Third party</strong>: The designated resource is @@ -606,12 +609,6 @@ tracking status value in the representation of a request-specific tracking status resource.</td> </tr> - <tr valign="top"><td align="middle"><dfn>S</dfn></td> - <td><strong>Service provider</strong>: The designated resource - is operated by a service provider acting on behalf of the - first party and conforms to the requirements for both a first - party and a service provider acting as a first party.</td> - </tr> <tr valign="top"><td align="middle"><dfn>C</dfn></td> <td><strong>Consent</strong>: The designated resource believes it has received prior consent for tracking this user, user @@ -645,7 +642,7 @@ status value describes how the resource conformed to that specific request, and thus indicates both the nature of the request (as viewed by the origin server) and the applicable set of requirements - to which the server claims to conform for that request. + to which the origin server claims to conform for that request. </p> <p> The tracking status value is case sensitive, as defined formally @@ -656,19 +653,18 @@ / "3" ; "3" — third-party / %x43 ; "C" - consent / %x4E ; "N" - none - / %x53 ; "S" - service provider / %x55 ; "U" - updated / %x58 ; "X" - dynamic </pre> <p class="issue"><a href="http://www.w3.org/2011/tracking-protection/track/issues/137">ISSUE-137</a>: Does hybrid tracking status need to distinguish between first party (1) and outsourcing service provider acting as a first party (s)<br /> - <b>[OPEN]</b> There is significant disagreement over whether a - service provider acting on behalf of a first party needs to - indicate such in the tracking status. It is particularly nonsensical - given that there may be dozens of service providers acting on any - request and the service provider definition is already limited to - cases where any data collected is siloed and under control of - the first party. + <b>[PENDING REVIEW]</b> No, in practice there may be dozens of + service providers on any given request. If the designated resource + is operated by a service provider acting as a first party, then the + responsible first party is identified by the policy link or the + owner of the origin server domain. This satisfies the use case of + distinguishing between a service provider acting for some other site + and the same service provider acting on one of its own sites. </p> </section> @@ -909,8 +905,8 @@ An OPTIONAL member named <code><a>same-party</a></code> MAY be provided with an array value containing a list of domain names that the origin server claims are the same party, to the extent - they are referenced on this site, since all data collected via - those references share the same data controller. + they are referenced by the designated resource, since all data + collected via those references share the same data controller. </p> <pre class="abnf"> <dfn>same-party</dfn> = %x22 "same-party" %x22 @@ -919,8 +915,9 @@ <p> An OPTIONAL member named <code><a>partners</a></code> MAY be provided with an array value containing a list of domain names - for third-party services that might be invoked while using this - site but do not share the same data controller as this site. + for third-party services that might be invoked while using the + designated resource but do not share the same data controller as + the designated resource. </p> <pre class="abnf"> <dfn>partners</dfn> = %x22 "partners" %x22 @@ -929,11 +926,12 @@ <p> An OPTIONAL member named <code><a>audit</a></code> MAY be provided with an array value containing a list of URI references - to external audits of the site's tracking policy and tracking - behavior in compliance with this protocol. Preferably, the audit - references are to resources that describe the auditor and the - results of that audit; however, if such a resource is not - available, a reference to the auditor is sufficient. + to external audits of the designated resource's tracking policy + and tracking behavior in compliance with this protocol. + Preferably, the audit references are to resources that describe + the auditor and the results of that audit; however, if such a + resource is not available, a reference to the auditor is + sufficient. </p> <pre class="abnf"> <dfn>audit</dfn> = %x22 "audit" %x22 @@ -943,7 +941,8 @@ An OPTIONAL member named <code><a>policy</a></code> MAY be provided with a string value containing a URI-reference to a human-readable document that describes the tracking policy for - this site. The content of such a policy document is beyond the + the designated resource. + The content of such a policy document is beyond the scope of this protocol and only supplemental to what is described by this machine-readable tracking status representation. </p> @@ -952,16 +951,28 @@ <dfn>policy-v</dfn> = string ; URI-reference </pre> <p> + If the tracking status value is <code>1</code> and the designated + resource is being operated by an outsourced service provider on + behalf of a first party, the origin server MUST identify the + responsible first party via the domain of the policy URI, if + present, or by the domain owner of the origin server. + If no policy URI is provided and the origin server domain is + owned by the service provider, then the service provider is the + first party. + </p> + <p> An OPTIONAL member named <code><a>control</a></code> MAY be provided with a string value containing a URI-reference to a resource for giving the user control over personal data collected - by this site; it SHOULD be provided if the tracking status value - indicates prior consent (<code><a>C</a></code>). + by the designated resource (and possibly other resources); + a <code><a>control</a></code> member SHOULD be provided if the + tracking status value indicates prior consent + (<code><a>C</a></code>). Such a control resource might include the ability to review past data collected, delete some or all of the data, provide additional data (if desired), or <q>opt-in</q>, <q>opt-out</q>, or otherwise modify an out-of-band consent status regarding - data collection by this site. The design of such a resource, + data collection. The design of such a resource, the extent to which it can provide access to that data, and how one might implement an out-of-band consent mechanism is beyond the scope of this protocol.
Received on Wednesday, 8 August 2012 08:02:57 UTC