W3C home > Mailing lists > Public > public-tracking@w3.org > August 2012

Input to ISSUE-137 (service provider flag)

From: Matthias Schunter (Intel Corporation) <mts-std@schunter.org>
Date: Mon, 27 Aug 2012 10:34:13 +0200
Message-ID: <503B3105.1060902@schunter.org>
To: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Hi Folks,


I'd like to make progress towards resolving ISSUE-137.

SCENARIO UNDER CONSIDERATION

I believe we are considering the following use case:
1 - A user with DNT;1 visits a site
2 - The site sends back its own content (e.g., usually marked with Tk:1 
header that says that the policies for 1st parties have been implemented)
3 - Embedded content from third parties is marked with "3" (following 
3rd party policies; no concern there)
4 - Some embedded content that is marked with "1" but is coming from a 
different domain

Now the user agent may like to distinguish the following cases for the 
content in (4):
A) The content in (4) is just part of the site hosted under a different 
domain name (e.g. ibm.com pulling in lotus.com content) that is part of 
the same first party
B) The content in (4) is comming from a service provider where the 1st 
party remains responsible for following the policies set for the 1st 
party (e.g., a content
      distribution network)
C) Someone has accidentally embedded content intended for 1st party use 
that is now accidentially or maliciously used in a 3rd party context

SOLUTION IN TODAYS DRAFT

I believe that the case (C) must be distinguishable from cases (A+B) 
since it poses a privacy risk if a third party element implements the 
less constrained 1st party policies.
Today, in the current draft, this is achieved by this field at the 
well-known URI:
> Tracking Preference Expression (DNT)
>
> An OPTIONAL member named |same-party| MAY be provided with an array 
> value containing a list of domain names that the origin server claims 
> are the same party, to the extent they are referenced by the 
> designated resource, since all data collected via those references 
> share the same data controller.
>
> same-party     = %x22 "same-party" %x22
> same-party-v   = array-of-strings

- In cases (A) and (B) the 1st party needs to declare the URLs that are 
part of the same party and that it claims to be part of the same party.
- As a consequence, a user agent can mark content that uses the "1" 
response while not being in this list as suspicious (the case (C)).

DISCUSSIONS

I believe that we may discuss the following questions:

1 - Do we agree on this procedure that content responding with "1" 
(intended for 1st party use) that is not specified in the "same-party" 
field
   is suspicious and the user agent handle on it? (this sort-of makes 
the same-party field mandatory if you pull in content from different 
domains).

2.  Do we want to be able to further distinguish cases (A) and (B)? 
I.e., whether content comes from a domain controlled by the site itself 
or from a service provider's domain?
     I believe in EU language: Do we need to know whether the content 
comes from the data controller itself or from a data processor that is 
processing data on behalf
     of the controller.

I suspect that we agree on (1). For (2), the important question to ask 
ourselves is
-  What specific actions may a user agent perform with this information?
Remember that the goal of this protocol is to inform the user agent, 
i.e., we should not transmit information unless we understand how it 
might be useful to the user agent receiving the information.


Regards,
matthias
Received on Monday, 27 August 2012 09:02:34 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:38:54 UTC