- From: Dan Auerbach <dan@eff.org>
- Date: Tue, 25 Jun 2013 23:49:46 -0700
- To: "public-tracking@w3.org" <public-tracking@w3.org>
I unfortunately haven't had time to digest the history and current state of the service provider debate as reflected by the June document. I'm posting old relevant text so that I don't give up my right to object about service providers, since I think the text below is more detailed and requires some important technical controls on the part of service providers:

A first party may outsource website functionality to a third party, in which case the third party may act as the first party under this standard with the following additional restrictions.

1 Technical Precautions

1.1 Operative Text

Throughout all data reception, retention, and use, outsourced service providers must use all feasible technical precautions to both mitigate the linkability of and prevent the linking of data from different first parties. Structural separation ("siloing") of data per first party, including both separate data structures and avoidance of shared unique identifiers, is a necessary, but not necessarily sufficient, technical precaution.

1.2 Non-Normative Discussion

1.2.1 Siloing in the Browser

Outsourcing services should use browser access control features so that stored data specific to one first party is never accessed or received when the user visits another first party.

1.2.1.1 Same-Origin Policy

The same-origin policy silos stored data by domain name. An outsourcing service can use a different domain name for each first party.

Example: Example Analytics provides an outsourced analytics service to Example News and Example Sports, two unrelated websites. Example Analytics stores its cookies for Example News at examplenews.exampleanalytics.com, and it stores its cookies for Example Sports at examplesports.exampleanalytics.com.

1.2.1.2 Cookie Path Attribute

The HTTP cookie path can be used to silo data to a first party.

Example: Example Analytics stores its cookies for Example News with "Path=/examplenews", and it stores its cookies for Example Sports with "Path=/examplesports".

1.2.1.3 Storage Key

For key/value storage APIs, such as Web Storage and Indexed Database, an outsourcing service can use a different key or key prefix for each first party.

Example: Example Analytics stores data for Example News at window.localStorage["examplenews"] and data for Example Sports at window.localStorage["examplesports"].

1.2.2 Siloing in the Backend

1.2.2.1 Encryption Keys

An outsourcing service should encrypt each first party's data with a different set of keys.

1.2.2.2 Access Controls

An outsourcing service should deploy access controls so that only authorized personnel are able to access siloed data, and only for authorized purposes.

1.2.2.3 Access Monitoring

An outsourcing service should deploy access monitoring mechanisms to detect improper use of siloed data.

1.2.3 Retention in the Backend

An outsourcing service should retain information only so long as necessary to provide necessary functionality to a first party. If a service creates periodic reports, for example, it should delete the data used for a report once it is generated. An outsourcing service should be particularly sensitive to retaining protocol logs, since they may allow correlating user activity across multiple first parties.

2 Internal Practices

2.1 Operative Text

Throughout all data reception, retention, and use, outsourced service providers must use sufficient internal practices to prevent the linking of data from different first parties.

2.2 Non-Normative Discussion

2.2.1 Policy

An outsourcing service should establish a clear internal policy that gives guidance on how to receive, retain, and use outsourced data in compliance with this standard.

2.2.2 Training

Personnel that interact with outsourced data should be familiarized with internal policy on compliance with this standard.

2.2.3 Supervision and Reporting

An outsourcing service should establish a supervision and reporting structure for detecting improper access.

2.2.4 Auditing

External auditors should periodically examine an outsourcing service to assess whether it is in compliance with this standard and has adopted best practices. Auditor reports should be made available to the public.

3 Use Direction

An outsourced service must use data retained on behalf of a first party ONLY on behalf of that first party, and must not use data retained on behalf of a first party for its own business purposes, or for any other reasons.

4 First-Party Requirements

4.1 Representation

A first party's representation that it is in compliance with this standard includes a representation that its outsourcing service providers comply with this standard.

4.2 Contract

A first party must enter into a contract with an outsourcing service provider that requires that outsourcing service provider to comply with these requirements.

-- 
Dan Auerbach
Staff Technologist
Electronic Frontier Foundation
dan@eff.org
415 436 9333 x134
Received on Wednesday, 26 June 2013 06:50:14 UTC