Re: ISSUE-239: Link to compliance document

On Jan 8, 2014, at 17:54 , Shane M Wiley <wileys@yahoo-inc.com> wrote:

> David and Roy,
> 
> Couldn't a well-known resource suffice in this case?  This would allow the research option to occur outside the context of an actual transaction.  The downside will be that Servers will likely support more than a single compliance standard in different markets (US vs. DE, for example) so we'll need to think through how to add that perspective in a well-known resource structured array.

I think we may be at cross purposes.  Aren’t we discussing a proposed field in the well-known resource — “identifiers (probably URIs) of supported compliance regimes”?  I agree (a) it needs to be an array and (b) the WKR is entirely sufficient.

(Well, almost entirely;  the user/UA has to fetch the WKR in order to find out how private its fetches will be, but we already say that fetches of the WKR must not be tracked.)

Why multiple?  Because (at least):

a) regimes update;  your site conforms to DAA2015, whereas I am still only doing DAA2013;  DAA2015 is backwards compatible with DAA2013 so the site needs to claim both;
b) regimes build on one another; FSA2015 takes CPA2014 and adds a layer of auditability and verification, and closes a loophole in the Cayman Islands.  Sites that do FSA2015 also automatically support CPA2014, but UAs or users who don’t recognize FSA2015 yet but do recognize CPA2014 need to be told explicitly, as they can’t work it out from knowledge of this structure (knowledge they don’t have).
c) sites serve users in various parts of the world; they may well be able to conform to the Venezuelan Privacy requirements AND the Icelandic Privacy Commission recommendations, at the same time. Yay!


> 
> - Shane
> 
> -----Original Message-----
> From: David Singer [mailto:singer@apple.com] 
> Sent: Wednesday, January 08, 2014 5:32 PM
> To: Nicholas Doty
> Cc: Roy T. Fielding; public-tracking@w3.org (public-tracking@w3.org)
> Subject: Re: ISSUE-239: Link to compliance document
> 
> 
> On Jan 8, 2014, at 8:43 , Nicholas Doty <npdoty@w3.org> wrote:
> 
>> I wasn't suggesting that any of these UI suggestions were good or likely, but in defining the terms that will be communicated over the protocol, we generally add them only if we think they may be used by the client. If we don't think any users will review the compliance array and we don't expect or don't want user agents to block/allow resources based on those values, then providing the extra configurability is not valuable.
> 
> I think that there is great value in providing transparency (in both directions) for researchers and others, even if during much of the time fields are not inspected in real-time.  I.e. I think it a non sequitur that information should not be available at all if it's not used all the time in real-time.
> 
> David Singer
> Multimedia and Software Standards, Apple Inc.
> 
> 
> 

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Thursday, 9 January 2014 19:51:44 UTC