- From: JC Cannon <jccannon@microsoft.com>
- Date: Wed, 29 Aug 2012 18:28:10 +0000
- To: Jonathan Mayer <jmayer@stanford.edu>
- CC: W3C DNT Working Group Mailing List <public-tracking@w3.org>
- Message-ID: <BB17D596C94A854E9EE4171D33BBCC81015AAA8B@TK5EX14MBXC239.redmond.corp.microsoft.>
I don’t feel the list should be part of the DNT spec as the spec covers sending a signal from a UA to a website about a user’s tracking preference. It shouldn’t be used to force privacy rules that are out of scope from what we are trying to accomplish. In addition, I don’t see the need to force companies to create a machine-readable version of this list. It would be better to hammer these issues out in a working group focused on offline data usage. JC From: Jonathan Mayer [mailto:jmayer@stanford.edu] Sent: Wednesday, August 29, 2012 11:15 AM To: JC Cannon Cc: W3C DNT Working Group Mailing List Subject: Re: Service Provider Status (ISSUE-137) It seems we're very close - we agree there should be a list of backend service providers. What I'd also ask is 1) the list is mandatory (for a complying website), and 2) the list exists in a machine-readable format. Jonathan On Wednesday, August 29, 2012 at 10:41 AM, JC Cannon wrote: I don’t doubt the benefits to users, I just don’t think DNT is the right mechanism to provide users with a list of third parties a company works with who are not part of the online transaction. It would be better to put that in the privacy statement or terms-of-use where it will always be available to users when they need to see it. JC From: Jonathan Mayer [mailto:jmayer@stanford.edu] Sent: Wednesday, August 29, 2012 10:27 AM To: JC Cannon Cc: W3C DNT Working Group Mailing List Subject: Re: Service Provider Status (ISSUE-137) I don't follow why you think information about a backend service provider would be unusable. The benefits to users, user agents, researchers, and policymakers remain. If we give backend service providers a free pass on signaling, I fear we establish a perverse incentive to diminish transparency even further. Jonathan On Wednesday, August 29, 2012 at 10:01 AM, JC Cannon wrote: I don’t have a problem with the first three items. Item 4) appears to be out of scope for our work since the service provider is not involved in the session. I feel sending a list to the UA is to inform the UA of the status of a third-party site. Since the UA can’t see the site why send unusable information? JC From: Jonathan Mayer [mailto:jmayer@stanford.edu] Sent: Wednesday, August 29, 2012 9:53 AM To: JC Cannon Cc: W3C DNT Working Group Mailing List Subject: Re: Service Provider Status (ISSUE-137) Here are some concrete use cases with service provider ambiguity. 1) HTTP traffic goes to a website that looks like a third party, but is actually a service provider. Example: News.com<http://News.com> embeds content from Analytics.com<http://Analytics.com>. Solution: A simple Service Provider flag (e.g. "Tk: S"). 2) HTTP traffic goes to a website that looks like a first party, but is actually a service provider. Example: Blog.com<http://Blog.com> is hosted by BlogPlatform.com<http://BlogPlatform.com>. Solution: A simple Service Provider flag (e.g. "Tk: S") plus some sort of party identification (e.g. a "Tk-Party: blogplatform.com<http://blogplatform.com>" response header or a "party" field in the status resource). 3) HTTP traffic goes to a website that is a service provider, but it's unclear which party it's working for. Example: Analytics.com<http://Analytics.com> appears buried in a set of advertising iframes on News.com<http://News.com>. Solution: A Service Provider can signal the party it's working for (e.g. a "Tk-Service: news.com<http://news.com>" response header or a "service-provider-party" field in the status resource). 4) A website uses a service provider on the backend. Example: Shopping.com<http://Shopping.com> copies its user account data into a cloud-based CRM service. Solution: A list of service providers in a party's tracking status resource. On Wednesday, August 29, 2012 at 9:38 AM, JC Cannon wrote: Could you describe a scenario where the service provider is not on HTTP? How would it send a response I the first place? Are you talking about offline scenarios? Thanks, JC From: Jonathan Mayer [mailto:jmayer@stanford.edu] Sent: Wednesday, August 29, 2012 9:36 AM To: W3C DNT Working Group Mailing List Subject: Re: Service Provider Status (ISSUE-137) A related design decision: What about service providers that aren't at visible via HTTP? I don't think we have consensus on this yet. On Wednesday, August 29, 2012 at 9:17 AM, Jonathan Mayer wrote: Some possible status ambiguities for service providers. All are solvable with trivial engineering. -If a service provider is using its own domain: -Is the entity a first party, third party, or service provider? -Which party is it providing outsourcing services to? (Might be multiple parties in different roles.) -If a service provider is using a different party's domain (e.g. a CNAMEd analytics service): -Who is the service provider?
Received on Wednesday, 29 August 2012 18:28:50 UTC