W3C home > Mailing lists > Public > public-tracking@w3.org > August 2012

Re: Service Provider Status (ISSUE-137)

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Wed, 29 Aug 2012 10:27:04 -0700
To: JC Cannon <jccannon@microsoft.com>
Cc: W3C DNT Working Group Mailing List <public-tracking@w3.org>
Message-ID: <F1AD4AB320D74D30A6EE3F7139B1B202@gmail.com>
I don't follow why you think information about a backend service provider would be unusable.  The benefits to users, user agents, researchers, and policymakers remain.

If we give backend service providers a free pass on signaling, I fear we establish a perverse incentive to diminish transparency even further.

Jonathan


On Wednesday, August 29, 2012 at 10:01 AM, JC Cannon wrote:

> I don’t have a problem with the first three items.
>   
> Item 4) appears to be out of scope for our work since the service provider is not involved in the session. I feel sending a list to the UA is to inform the UA of the status of a third-party site. Since the UA can’t see the site why send unusable information?
>   
> JC
>   
> From: Jonathan Mayer [mailto:jmayer@stanford.edu]  
> Sent: Wednesday, August 29, 2012 9:53 AM
> To: JC Cannon
> Cc: W3C DNT Working Group Mailing List
> Subject: Re: Service Provider Status (ISSUE-137)  
>   
> Here are some concrete use cases with service provider ambiguity.
>  
>   
>  
> 1) HTTP traffic goes to a website that looks like a third party, but is actually a service provider.
>  
> Example: News.com (http://News.com) embeds content from Analytics.com (http://Analytics.com).
>  
> Solution: A simple Service Provider flag (e.g. "Tk: S").
>  
>   
>  
> 2) HTTP traffic goes to a website that looks like a first party, but is actually a service provider.
>  
> Example: Blog.com (http://Blog.com) is hosted by BlogPlatform.com (http://BlogPlatform.com).
>  
> Solution: A simple Service Provider flag (e.g. "Tk: S") plus some sort of party identification (e.g. a "Tk-Party: blogplatform.com (http://blogplatform.com)" response header or a "party" field in the status resource).
>  
>   
>  
> 3) HTTP traffic goes to a website that is a service provider, but it's unclear which party it's working for.
>  
> Example: Analytics.com (http://Analytics.com) appears buried in a set of advertising iframes on News.com (http://News.com).
>  
> Solution: A Service Provider can signal the party it's working for (e.g. a "Tk-Service: news.com (http://news.com)" response header or a "service-provider-party" field in the status resource).
>  
>   
>  
> 4) A website uses a service provider on the backend.
>  
> Example: Shopping.com (http://Shopping.com) copies its user account data into a cloud-based CRM service.
>  
> Solution: A list of service providers in a party's tracking status resource.
>  
>   
>  
>  
> On Wednesday, August 29, 2012 at 9:38 AM, JC Cannon wrote:
> >  
> > Could you describe a scenario where the service provider is not on HTTP? How would it send a response I the first place? Are you talking about offline scenarios?
> >  
> >  
> >   
> >  
> >  
> > Thanks,
> >  
> >  
> > JC
> >  
> >  
> >   
> >  
> >  
> > From: Jonathan Mayer [mailto:jmayer@stanford.edu]  
> > Sent: Wednesday, August 29, 2012 9:36 AM
> > To: W3C DNT Working Group Mailing List
> > Subject: Re: Service Provider Status (ISSUE-137)
> >  
> >  
> >   
> >  
> >  
> > A related design decision: What about service providers that aren't at visible via HTTP?  I don't think we have consensus on this yet.
> >  
> >  
> >  
> >   
> >  
> >  
> >  
> > On Wednesday, August 29, 2012 at 9:17 AM, Jonathan Mayer wrote:
> >  
> >  
> > >  
> > > Some possible status ambiguities for service providers.  All are solvable with trivial engineering.  
> > >  
> > >  
> > >  
> > >   
> > >  
> > >  
> > >  
> > > -If a service provider is using its own domain:
> > >  
> > >  
> > >  
> > >          -Is the entity a first party, third party, or service provider?
> > >  
> > >  
> > >  
> > >          -Which party is it providing outsourcing services to?  (Might be multiple parties in different roles.)
> > >  
> > >  
> > >  
> > > -If a service provider is using a different party's domain (e.g. a CNAMEd analytics service):
> > >  
> > >  
> > >  
> > >          -Who is the service provider?
> > >  
> > >  
> > >  
> > >   
> > >  
> > >  
> > >  
> > >  
> >  
> >  
> >   
> >  
> >  
> >  
> >  
> >  
>  
>   
>  
>  
>  
>  
Received on Wednesday, 29 August 2012 17:27:32 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:38:54 UTC