- From: Alan Chapell <achapell@chapellassociates.com>
- Date: Wed, 29 Aug 2012 15:14:03 -0400
- To: Jonathan Mayer <jmayer@stanford.edu>, JC Cannon <jccannon@microsoft.com>
- CC: W3C DNT Working Group Mailing List <public-tracking@w3.org>
- Message-ID: <CC63E1FA.1FEF3%achapell@chapellassociates.com>
Thanks Jonathan. Just so I'm clear, are you suggesting that there should be a backend list of Service Providers, a list of Third Parties or both? (Seems like you and JC are using slightly different terms and I'm not sure if that's intentional...)

Thanks.

Cheers,

Alan Chapell
Chapell & Associates
917 318 8440

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Wednesday, August 29, 2012 2:15 PM
To: JC Cannon <jccannon@microsoft.com>
Cc: W3C DNT Working Group Mailing List <public-tracking@w3.org>
Subject: Re: Service Provider Status (ISSUE-137)
Resent-From: <public-tracking@w3.org>
Resent-Date: Wed, 29 Aug 2012 18:15:32 +0000

It seems we're very close - we agree there should be a list of backend service providers. What I'd also ask is 1) the list is mandatory (for a complying website), and 2) the list exists in a machine-readable format.

Jonathan

On Wednesday, August 29, 2012 at 10:41 AM, JC Cannon wrote:
> I don't doubt the benefits to users, I just don't think DNT is the right
> mechanism to provide users with a list of third parties a company works with
> who are not part of the online transaction. It would be better to put that in
> the privacy statement or terms-of-use where it will always be available to
> users when they need to see it.
>
> JC
>
> From: Jonathan Mayer [mailto:jmayer@stanford.edu]
> Sent: Wednesday, August 29, 2012 10:27 AM
> To: JC Cannon
> Cc: W3C DNT Working Group Mailing List
> Subject: Re: Service Provider Status (ISSUE-137)
>
> I don't follow why you think information about a backend service provider
> would be unusable. The benefits to users, user agents, researchers, and
> policymakers remain.
>
> If we give backend service providers a free pass on signaling, I fear we
> establish a perverse incentive to diminish transparency even further.
>
> Jonathan
>
> On Wednesday, August 29, 2012 at 10:01 AM, JC Cannon wrote:
>> I don't have a problem with the first three items.
>>
>> Item 4) appears to be out of scope for our work since the service provider is
>> not involved in the session. I feel sending a list to the UA is to inform the
>> UA of the status of a third-party site. Since the UA can't see the site why
>> send unusable information?
>>
>> JC
>>
>> From: Jonathan Mayer [mailto:jmayer@stanford.edu]
>> Sent: Wednesday, August 29, 2012 9:53 AM
>> To: JC Cannon
>> Cc: W3C DNT Working Group Mailing List
>> Subject: Re: Service Provider Status (ISSUE-137)
>>
>> Here are some concrete use cases with service provider ambiguity.
>>
>> 1) HTTP traffic goes to a website that looks like a third party, but is
>> actually a service provider.
>>
>> Example: News.com embeds content from Analytics.com.
>>
>> Solution: A simple Service Provider flag (e.g. "Tk: S").
>>
>> 2) HTTP traffic goes to a website that looks like a first party, but is
>> actually a service provider.
>>
>> Example: Blog.com is hosted by BlogPlatform.com.
>>
>> Solution: A simple Service Provider flag (e.g. "Tk: S") plus some sort of
>> party identification (e.g. a "Tk-Party: blogplatform.com" response header
>> or a "party" field in the status resource).
>>
>> 3) HTTP traffic goes to a website that is a service provider, but it's
>> unclear which party it's working for.
>>
>> Example: Analytics.com appears buried in a set of advertising iframes on
>> News.com.
>>
>> Solution: A Service Provider can signal the party it's working for (e.g. a
>> "Tk-Service: news.com" response header or a "service-provider-party" field
>> in the status resource).
>>
>> 4) A website uses a service provider on the backend.
>>
>> Example: Shopping.com copies its user account data into a cloud-based CRM
>> service.
>>
>> Solution: A list of service providers in a party's tracking status resource.
>>
>> On Wednesday, August 29, 2012 at 9:38 AM, JC Cannon wrote:
>>> Could you describe a scenario where the service provider is not on HTTP? How
>>> would it send a response in the first place? Are you talking about offline
>>> scenarios?
>>>
>>> Thanks,
>>>
>>> JC
>>>
>>> From: Jonathan Mayer [mailto:jmayer@stanford.edu]
>>> Sent: Wednesday, August 29, 2012 9:36 AM
>>> To: W3C DNT Working Group Mailing List
>>> Subject: Re: Service Provider Status (ISSUE-137)
>>>
>>> A related design decision: What about service providers that aren't
>>> visible via HTTP? I don't think we have consensus on this yet.
>>>
>>> On Wednesday, August 29, 2012 at 9:17 AM, Jonathan Mayer wrote:
>>>> Some possible status ambiguities for service providers. All are solvable
>>>> with trivial engineering.
>>>>
>>>> - If a service provider is using its own domain:
>>>>   - Is the entity a first party, third party, or service provider?
>>>>   - Which party is it providing outsourcing services to? (Might be
>>>>     multiple parties in different roles.)
>>>> - If a service provider is using a different party's domain (e.g. a CNAMEd
>>>>   analytics service):
>>>>   - Who is the service provider?
Received on Wednesday, 29 August 2012 19:14:33 UTC
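
The four use cases in the thread above, worked through as an added example (not code from any participant or from the working group): a Python sketch of how an auditing client could resolve them from the signals proposed there. The "Tk: S", "Tk-Party" and "Tk-Service" headers and the "party" and "service-provider-party" status-resource fields are the thread's own suggestions; the "service-providers" field name, the function names and crm.example are assumptions made for illustration.

```python
import json

def classify(page_host, request_host, headers, status_json=None):
    """Resolve who answered a request, using the signals proposed in the thread."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    status = json.loads(status_json) if status_json else {}
    # What the response "looks like" from hostnames alone (simplification:
    # exact host match; a real client would compare registrable domains).
    apparent = "first party" if page_host.lower() == request_host.lower() else "third party"
    is_sp = h.get("tk") == "s"  # proposed flag "Tk: S"
    # Cases 2 and 3: response header first, then the status-resource field.
    operator = h.get("tk-party") or status.get("party") or request_host.lower()
    working_for = h.get("tk-service") or status.get("service-provider-party")
    return {
        "apparent_role": apparent,
        "signaled_role": "service provider" if is_sp else apparent,
        "operated_by": operator,
        "working_for": working_for if is_sp else None,
        # Case 4: backend providers never appear in HTTP traffic, so they can
        # only come from a list ("service-providers" is a hypothetical name).
        "backend_providers": sorted(status.get("service-providers", [])),
    }

def audit_notes(result):
    """Points an auditor would record about one classified response."""
    notes = []
    if result["signaled_role"] == "service provider" and not result["working_for"]:
        notes.append("service provider does not say which party it works for")
    if result["signaled_role"] != result["apparent_role"]:
        notes.append("hostname suggests %s, signal says %s"
                     % (result["apparent_role"], result["signaled_role"]))
    return notes

# Constructed sample responses, one per use case in the thread.
CASES = [
    ("news.com", "analytics.com", {"Tk": "S"}, None),
    ("blog.com", "blog.com", {"Tk": "S", "Tk-Party": "blogplatform.com"}, None),
    ("news.com", "analytics.com", {"Tk": "S", "Tk-Service": "news.com"}, None),
    ("shopping.com", "shopping.com", {},
     '{"party": "shopping.com", "service-providers": ["crm.example"]}'),
]

if __name__ == "__main__":
    for n, case in enumerate(CASES, 1):
        r = classify(*case)
        print(n, r, audit_notes(r))
```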