- From: Jonathan Mayer <jmayer@stanford.edu>
- Date: Wed, 14 Mar 2012 17:08:58 -0700
- To: Tracking Protection Working Group WG <public-tracking@w3.org>
Here's some non-normative text on best practices for outsourcing.

--------------------------------------------------

I. Technical Precautions

A. Siloing in the Browser

Outsourcing services should use browser access control features so that stored data specific to one first party is never accessed or collected when the user visits another first party.

i. Same-Origin Policy

The same-origin policy silos stored data by domain name. An outsourcing service can use a different domain name for each first party.

Example: Example Analytics provides an outsourced analytics service to Example News and Example Sports, two unrelated websites. Example Analytics stores its cookies for Example News at examplenews.exampleanalytics.com, and it stores its cookies for Example Sports at examplesports.exampleanalytics.com.

An outsourcing service could also use the first party's domain.

Example: Example Analytics stores its cookies for Example News at examplenews.com, and it stores its cookies for Example Sports at examplesports.com.

ii. Cookie Path Attribute

The HTTP cookie path can be used to silo data to a first party.

Example: Example Analytics stores its cookies for Example News with "Path=/examplenews", and it stores its cookies for Example Sports with "Path=/examplesports".

iii. Storage Key

For key/value storage APIs, such as Web Storage and Indexed Database, an outsourcing service can use a different key or key prefix for each first party.

Example: Example Analytics stores data for Example News at window.localStorage["examplenews"] and data for Example Sports at window.localStorage["examplesports"].

B. Siloing in the Backend

i. Encryption Keys

An outsourcing service should encrypt each first party's data with a different set of keys.

ii. Access Controls

An outsourcing service should deploy access controls so that only authorized personnel are able to access siloed data, and only for authorized purposes.

iii. Access Monitoring

An outsourcing service should deploy access monitoring mechanisms to detect improper use of siloed data.

C. Retention in the Backend

An outsourcing service should retain information only so long as necessary to provide necessary functionality to a first party. If a service creates periodic reports, for example, it should delete the data used for a report once it is generated. An outsourcing service should be particularly sensitive to retaining protocol logs, since they may allow correlating user activity across multiple first parties.

II. Business Precautions

i. Policy

An outsourcing service should establish a clear internal policy that gives guidance on how to collect, retain, and use outsourced data in compliance with this standard.

ii. Training

Personnel that interact with outsourced data should be familiarized with internal policy on compliance with this standard.

iii. Supervision and Reporting

An outsourcing service should establish a supervision and reporting structure for detecting improper access.

iv. Auditing

External auditors should periodically examine an outsourcing service to assess whether it is in compliance with this standard and has adopted best practices. Auditor reports should be made available to the public.
Received on Thursday, 15 March 2012 00:09:29 UTC
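The cookie Path siloing (I.A.ii) and the Web Storage key-prefix siloing (I.A.iii) from the message above, as an added example that is not part of the original post or of any W3C text. It assumes the first-party names examplenews and examplesports from the message, simulates the browser's RFC 6265 path-match rule, and uses a constructed in-memory stand-in for window.localStorage; it also covers the near-miss path case (a prefix that is not a directory boundary) that the message's examples do not spell out.

```javascript
// RFC 6265 section 5.1.4 path-match rule: decides which cookies a browser
// attaches to a request. This is what makes Path= siloing hold.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  // "/examplenewsletter" must not match a cookie scoped to "/examplenews".
  return requestPath[cookiePath.length] === '/';
}

// Set-Cookie line an outsourcing service would emit, siloed per first party.
function siloedSetCookie(firstParty, name, value) {
  return `${name}=${value}; Path=/${firstParty}; Secure; HttpOnly`;
}

// Minimal Set-Cookie parser: { name, value, path } (path defaults to "/").
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const [name, value] = pair.split('=');
  const pathAttr = attrs.find((a) => a.toLowerCase().startsWith('path='));
  return { name, value, path: pathAttr ? pathAttr.slice(5) : '/' };
}

// Cookies (as "name=value") the browser would send to requestPath.
function cookiesSentTo(jar, requestPath) {
  return jar
    .filter((c) => pathMatches(requestPath, c.path))
    .map((c) => `${c.name}=${c.value}`);
}

// Constructed stand-in for window.localStorage so the example runs in Node.
function memoryStorage() {
  const store = {};
  return {
    store,
    setItem: (k, v) => { store[k] = String(v); },
    getItem: (k) => (Object.prototype.hasOwnProperty.call(store, k) ? store[k] : null),
  };
}

// Key-prefix siloing for Web Storage: every key is namespaced by first party,
// so code running for one first party cannot read another's entries.
function siloedStorage(backing, firstParty) {
  const prefix = `${firstParty}:`;
  return {
    setItem: (k, v) => backing.setItem(prefix + k, v),
    getItem: (k) => backing.getItem(prefix + k),
    keys: () => Object.keys(backing.store).filter((k) => k.startsWith(prefix)),
  };
}
```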