Re: Best Practices for Outsourcing (ACTION-47, ISSUE-49) from Jonathan Mayer on 2012-03-16 (public-tracking@w3.org from March 2012)

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Fri, 16 Mar 2012 10:30:21 -0700
To: Vinay Goel <vigoel@adobe.com>
Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-Id: <6616CBA5-D4B7-46CB-AA7C-3C094CE4BDC3@stanford.edu>
Vinay,

At the Santa Clara meeting we debated whether to mandate specific technical requirements for the outsourcing exception.  The compromise consensus was to call for "reasonable" measures and give implementers guidance in a non-normative section.

Jonathan

On Mar 16, 2012, at 6:14 AM, Vinay Goel wrote:

> Hi Jonathan,
> 
> This is a normative statement (and not a non-normative statement as you've
> labeled it) and is inappropriate for inclusion in the spec.  It belongs
> within a Best Practices document separate from the Compliance/Preferences
> Specs that is best published by someone other than the WG.
> 
> 
> -Vinay
> 
> ___________________________________________________________________________
> ________
> Vinay Goel | Privacy Product Manager | Adobe Systems | Office: 917.934.0867
> 
> 
> On 3/14/12 8:08 PM, "Jonathan Mayer" <jmayer@stanford.edu> wrote:
> 
>> Here's some non-normative text on best practices for outsourcing.
>> 
>> --------------------------------------------------
>> 
>> I. Technical Precautions
>> 
>> A. Siloing in the Browser
>> 
>> Outsourcing services should use browser access control features so that
>> stored data specific to one first party is never accessed or collected
>> when the user visits another first party.
>> 
>> i. Same-Origin Policy
>> 
>> The same-origin policy silos stored data by domain name.  An outsourcing
>> service can use a different domain name for each first party.
>> 
>> Example: Example Analytics provides an outsourced analytics service to
>> Example News and Example Sports, two unrelated websites.  Example
>> Analytics stores its cookies for Example News at
>> examplenews.exampleanalytics.com, and it stores its cookies for Example
>> Sports at examplesports.exampleanalytics.com.
>> 
>> An outsourcing service could also use the first party's domain.
>> 
>> Example: Example Analytics stores its cookies for Example News at
>> examplenews.com, and it stores its cookies for Example Sports at
>> examplesports.com.
>> 
>> ii. Cookie Path Attribute
>> 
>> The HTTP cookie path can be used to silo data to a first party.
>> 
>> Example: Example Analytics stores its cookies for Example News with
>> "Path=/examplenews", and it stores its cookies for Example Sports with
>> "Path=/examplesports".
>> 
>> iii. Storage Key
>> 
>> For key/value storage APIs, such as Web Storage and Indexed Database, an
>> outsourcing service can use a different key or key prefix for each first
>> party.
>> 
>> Example: Example Analytics stores data for Example News at
>> window.localStorage["examplenews"] and data for Example Sports at
>> window.localStorage["examplesports"].
>> 
>> B. Siloing in the Backend
>> 
>> i. Encryption Keys
>> 
>> An outsourcing service should encrypt each first party's data with a
>> different set of keys.
>> 
>> ii. Access Controls
>> 
>> An outsourcing service should deploy access controls so that only
>> authorized personnel are able to access siloed data, and only for
>> authorized purposes.
>> 
>> iii. Access Monitoring
>> 
>> An outsourcing service should deploy access monitoring mechanisms to
>> detect improper use of siloed data.
>> 
>> C. Retention in the Backend
>> 
>> An outsourcing service should retain information only so long as
>> necessary to provide necessary functionality to a first party.  If a
>> service creates periodic reports, for example, it should delete the data
>> used for a report once it is generated.  An outsourcing service should be
>> particularly sensitive to retaining protocol logs, since they may allow
>> correlating user activity across multiple first parties.
>> 
>> II. Business Precautions
>> 
>> i. Policy
>> 
>> An outsourcing service should establish a clear internal policy that
>> gives guidance on how to collect, retain, and use outsourced data in
>> compliance with this standard.
>> 
>> ii. Training
>> 
>> Personnel that interact with outsourced data should be familiarized with
>> internal policy on compliance with this standard.
>> 
>> iii. Supervision and Reporting
>> 
>> An outsourcing service should establish a supervision and reporting
>> structure for detecting improper access.
>> 
>> iv. Auditing
>> 
>> External auditors should periodically examine an outsourcing service to
>> assess whether it is in compliance with this standard and has adopted
>> best practices.  Auditor reports should be made available to the public.
>> 
>> 
> 
> 
> Confidentiality Notice: The contents of this e-mail (including any attachments) may be confidential to the intended recipient, and may contain information that is privileged and/or exempt from disclosure under applicable law. If you are not the intended recipient, please immediately notify the sender and destroy the original e-mail and any attachments (and any copies that may have been made) from your system or otherwise. Any unauthorized use, copying, disclosure or distribution of this information is strictly prohibited. <ACL>
>
Received on Friday, 16 March 2012 17:30:52 UTC