Re: Service Provider Status (ISSUE-137) from Jonathan Mayer on 2012-08-29 (public-tracking@w3.org from August 2012)

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Wed, 29 Aug 2012 11:15:01 -0700
To: JC Cannon <jccannon@microsoft.com>
Cc: W3C DNT Working Group Mailing List <public-tracking@w3.org>
Message-ID: <4245BC7A474A412596F2688D150A1E8C@gmail.com>
It seems we're very close - we agree there should be a list of backend service providers.  What I'd also ask is 1) the list is mandatory (for a complying website), and 2) the list exists in a machine-readable format.

Jonathan


On Wednesday, August 29, 2012 at 10:41 AM, JC Cannon wrote:

> I don’t doubt the benefits to users, I just don’t think DNT is the right mechanism to provide users with a list of third parties a company works with who are not part of the online transaction. It would be better to put that in the privacy statement or terms-of-use where it will always be available to users when they need to see it.
>   
> JC
>   
> From: Jonathan Mayer [mailto:jmayer@stanford.edu]  
> Sent: Wednesday, August 29, 2012 10:27 AM
> To: JC Cannon
> Cc: W3C DNT Working Group Mailing List
> Subject: Re: Service Provider Status (ISSUE-137)  
>   
> I don't follow why you think information about a backend service provider would be unusable.  The benefits to users, user agents, researchers, and policymakers remain.
>  
>   
>  
> If we give backend service providers a free pass on signaling, I fear we establish a perverse incentive to diminish transparency even further.
>  
>   
>  
> Jonathan
>  
>   
>  
> On Wednesday, August 29, 2012 at 10:01 AM, JC Cannon wrote:
> >  
> > I don’t have a problem with the first three items.
> >  
> >  
> >   
> >  
> >  
> > Item 4) appears to be out of scope for our work since the service provider is not involved in the session. I feel sending a list to the UA is to inform the UA of the status of a third-party site. Since the UA can’t see the site why send unusable information?
> >  
> >  
> >   
> >  
> >  
> > JC
> >  
> >  
> >   
> >  
> >  
> > From: Jonathan Mayer [mailto:jmayer@stanford.edu]  
> > Sent: Wednesday, August 29, 2012 9:53 AM
> > To: JC Cannon
> > Cc: W3C DNT Working Group Mailing List
> > Subject: Re: Service Provider Status (ISSUE-137)
> >  
> >  
> >   
> >  
> >  
> > Here are some concrete use cases with service provider ambiguity.
> >  
> >  
> >  
> >   
> >  
> >  
> >  
> > 1) HTTP traffic goes to a website that looks like a third party, but is actually a service provider.
> >  
> >  
> >  
> > Example: News.com (http://News.com) embeds content from Analytics.com (http://Analytics.com).
> >  
> >  
> >  
> > Solution: A simple Service Provider flag (e.g. "Tk: S").
> >  
> >  
> >  
> >   
> >  
> >  
> >  
> > 2) HTTP traffic goes to a website that looks like a first party, but is actually a service provider.
> >  
> >  
> >  
> > Example: Blog.com (http://Blog.com) is hosted by BlogPlatform.com (http://BlogPlatform.com).
> >  
> >  
> >  
> > Solution: A simple Service Provider flag (e.g. "Tk: S") plus some sort of party identification (e.g. a "Tk-Party: blogplatform.com (http://blogplatform.com)" response header or a "party" field in the status resource).
> >  
> >  
> >  
> >   
> >  
> >  
> >  
> > 3) HTTP traffic goes to a website that is a service provider, but it's unclear which party it's working for.
> >  
> >  
> >  
> > Example: Analytics.com (http://Analytics.com) appears buried in a set of advertising iframes on News.com (http://News.com).
> >  
> >  
> >  
> > Solution: A Service Provider can signal the party it's working for (e.g. a "Tk-Service: news.com (http://news.com)" response header or a "service-provider-party" field in the status resource).
> >  
> >  
> >  
> >   
> >  
> >  
> >  
> > 4) A website uses a service provider on the backend.
> >  
> >  
> >  
> > Example: Shopping.com (http://Shopping.com) copies its user account data into a cloud-based CRM service.
> >  
> >  
> >  
> > Solution: A list of service providers in a party's tracking status resource.
> >  
> >  
> >  
> >   
> >  
> >  
> >  
> > On Wednesday, August 29, 2012 at 9:38 AM, JC Cannon wrote:
> > >  
> > > Could you describe a scenario where the service provider is not on HTTP? How would it send a response I the first place? Are you talking about offline scenarios?
> > >  
> > >  
> > >   
> > >  
> > >  
> > > Thanks,
> > >  
> > >  
> > > JC
> > >  
> > >  
> > >   
> > >  
> > >  
> > > From: Jonathan Mayer [mailto:jmayer@stanford.edu]  
> > > Sent: Wednesday, August 29, 2012 9:36 AM
> > > To: W3C DNT Working Group Mailing List
> > > Subject: Re: Service Provider Status (ISSUE-137)
> > >  
> > >  
> > >   
> > >  
> > >  
> > > A related design decision: What about service providers that aren't at visible via HTTP?  I don't think we have consensus on this yet.
> > >  
> > >  
> > >  
> > >   
> > >  
> > >  
> > >  
> > > On Wednesday, August 29, 2012 at 9:17 AM, Jonathan Mayer wrote:
> > >  
> > >  
> > > >  
> > > > Some possible status ambiguities for service providers.  All are solvable with trivial engineering.  
> > > >  
> > > >  
> > > >  
> > > >   
> > > >  
> > > >  
> > > >  
> > > > -If a service provider is using its own domain:
> > > >  
> > > >  
> > > >  
> > > >          -Is the entity a first party, third party, or service provider?
> > > >  
> > > >  
> > > >  
> > > >          -Which party is it providing outsourcing services to?  (Might be multiple parties in different roles.)
> > > >  
> > > >  
> > > >  
> > > > -If a service provider is using a different party's domain (e.g. a CNAMEd analytics service):
> > > >  
> > > >  
> > > >  
> > > >          -Who is the service provider?
> > > >  
> > > >  
> > > >  
> > > >   
> > > >  
> > > >  
> > > >  
> > > >  
> > >  
> > >  
> > >   
> > >  
> > >  
> > >  
> > >  
> > >  
> >  
> >  
> >   
> >  
> >  
> >  
> >  
> >  
>  
>   
>  
>  
>  
>
Received on Wednesday, 29 August 2012 18:15:30 UTC