Re: Third parties should not pretend to be first parties from Tom Lowenthal on 2012-03-01 (public-tracking@w3.org from March 2012)

From: Tom Lowenthal <tom@mozilla.com>
Date: Wed, 29 Feb 2012 16:10:52 -0800
To: "Roy T. Fielding" <fielding@gbiv.com>
CC: "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <4F4EBE8C.3090109@mozilla.com>

The aim is to prohibit anyone who isn't a first party from using the
first-party options in the URI/Tk header, which even outsourced service
providers shouldn't do. Perhaps we should add more detail to the
outsourcing exception to deal with this case?

On 02/29/2012 03:51 PM, Roy T. Fielding wrote:
> Did you mean to exclude outsourced service providers from this?
> 
> This requirement is incompatible with many (if not most) service
> contracts that forbid the service provider from advertising the
> fact that it is operating the service.  For example, we would not
> require such a thing when websites are hosted at AWS, and I am
> pretty sure SiteCatalyst and BusinessCatalyst would never accept
> such a limitation.
> 
> ....Roy
> 
> On Feb 29, 2012, at 2:48 PM, Tom Lowenthal wrote:
> 
>> ACTION-116
>> ISSUE-123
>>
>> Proposal: add an additional requirement to the TC document in section
>> 4.3. This replaces a similar provision which Matthias encouraged me to
>> remove from the header spec since it makes more sense in TC than TPE.
>>
>>> A third party MUST NOT falsely represent themselves as a first party,
>>> whether using the methods of expression described in
>>> [[!TRACKING-PREFERENCE-EXPRESSION]] or otherwise.
>>
>> The HTML for 4.3 (up to but not including 4.3.1) with this addition is:
>>
>> ~~~~~
>>
>> <h3>Compliance by a third party</h3>
>> 			
>> <p class="note">This section consists of proposed text that is meant to
>> address <a
>> href="http://www.w3.org/2011/tracking-protection/track/issues/19">ISSUE-19</a>
>> and <a
>> href="http://www.w3.org/2011/tracking-protection/track/issues/39">ISSUE-39</a>
>> and is pending discussion and <strong>[PENDING REVIEW]</strong>.</p>
>>
>> <p>If the operator of a third-party domain receives a communication to
>> which a [DNT-ON] header is attached:</p>
>> <ol>
>> <li>that operator MUST NOT collect, share, or use information related to
>> that
>> communication outside of the Exceptions as defined
>> within this standard and any explicitly-granted Exemptions, provided in
>> accordance with the requirements of this standard;</li>
>> <li> that operator MUST NOT use information about previous communications
>> in which the operator was a third party, outside of the explicitly
>> expressed Exceptions as defined within this standard;</li>
>> <li> that operator [MUST NOT or SHOULD NOT] retain information about
>> previous communications in which the operator was a third party, outside
>> of the explicitly expressed Exceptions as defined within this standard.</li>
>> </ol>
>>
>> <p>> A third party MUST NOT falsely represent themselves as a first
>> party, whether using the methods of expression described in
>> [[!TRACKING-PREFERENCE-EXPRESSION]] or otherwise.</p>
>>
>> ~~~~~
>>
>>
>

Received on Thursday, 1 March 2012 00:11:38 UTC