Post on 06-Jan-2016
Automated Discovery of claims of party membership
…the report
What problem(s) are we solving?
• 1. Automated discoverability of the assertion of party relationships: discoverability by users, user-agents, researchers, enforcement...? We need to decide which audiences we are trying to help.
• 2. When a user grants an exception to 3rd-party A on 1st-party B, could they be asked to grant an exception to all sites in the party that B is a member of?
Use Case(s)
• The discoverability would allow a user-agent to say "note that X (a site) is a part of Y (the master party), and if you allow X to track you, that data will be available to all of Y".
• The second might assist in reducing the 'request noise' to users: "do you want to grant an exception for these 3rd parties on ALL properties related to the current 1st party?"
NOT on the table
• This is NOT about the 1st/3rd party distinction, merely about party membership.
Research Check
• Did POWDER already address this problem, and if so, how, and can we use or learn something?
Refined Strawman
• The following techniques enable a set of Sites that form a single Party to make their assertion of relationship status automatically discoverable.
• Each site in the set MAY maintain a re-direction pointer from the well-known URL /.well-known/dnt-sites to that same URL at their master site. At the master site, that URL MAY resolve to a text file that contains a list of site (domain) names, for validation.
• The file dnt-sites, if it exists, contains a list of domain names, one per line.
• (If the file does not exist at the master site, the user-agent might report, for example, "site X claims to be part of party Y, but this cannot be verified".)
Example 1
• bricks.com and mortar.com are both managed by building.com.
• The URL http://bricks.com/.well-known/dnt-sites re-directs to http://building.com/.well-known/dnt-sites (as does the URL at mortar.com).
• That file contains:
mortar.com
bricks.com
building.com
Example 2
• Scores.com maintains a set of embeddable widgets at soccer-scores.com, tennis-scores.com, etc.
• The user visits scores.com and says "your widgets may track me" (out-of-band opt-in).
• They then visit a site which embeds "rowing-scores" (3rd party), and it claims to have an opt-in.
• The user-agent verifies that rowing-scores seems to be part of scores.com, and it knows of the user's scores.com opt-in.
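The user-agent side of the strawman, covering both examples above, as an added illustration (not code from the post or from any working-group implementation): follow a site's /.well-known/dnt-sites pointer to its master, fetch the master's list, and only treat the membership claim as verified when the master actually names the site. The web is replaced by a constructed table of responses; orphan.example, ghost.example and squatter.example are made-up hosts for the failure cases, and the status names are this example's own.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/dnt-sites"

# Constructed stand-in for the web: URL -> (HTTP status, Location header or body).
# Hosts are the post's example names plus made-up ones for the failure cases.
FAKE_WEB = {
    "http://bricks.com" + WELL_KNOWN: (302, "http://building.com" + WELL_KNOWN),
    "http://mortar.com" + WELL_KNOWN: (302, "http://building.com" + WELL_KNOWN),
    "http://building.com" + WELL_KNOWN: (200, "mortar.com\nbricks.com\nbuilding.com\n"),
    "http://rowing-scores.com" + WELL_KNOWN: (302, "http://scores.com" + WELL_KNOWN),
    "http://scores.com" + WELL_KNOWN: (200, "soccer-scores.com\nrowing-scores.com\n"),
    "http://squatter.example" + WELL_KNOWN: (302, "http://building.com" + WELL_KNOWN),
    "http://orphan.example" + WELL_KNOWN: (302, "http://ghost.example" + WELL_KNOWN),
}

def fake_fetch(url):
    """Pretend GET that does not follow redirects; unknown URLs are 404."""
    return FAKE_WEB.get(url, (404, ""))

def parse_dnt_sites(body):
    """dnt-sites is one domain per line; drop blanks and normalise case."""
    return {line.strip().lower() for line in body.splitlines() if line.strip()}

def verify_party(site, fetch=fake_fetch, max_hops=5):
    """Follow site's dnt-sites pointer to the master and check the master's list.
    Returns (status, master): 'no-claim' (site serves nothing), 'unverified'
    (points at a master that serves no list), 'unlisted' (master's list omits
    the site, so the claim is one-sided) or 'verified' (master lists the site)."""
    site = site.lower()
    url = "http://" + site + WELL_KNOWN
    for _ in range(max_hops):
        status, payload = fetch(url)
        host = urlsplit(url).hostname
        if status == 200:
            listed = site in parse_dnt_sites(payload)
            return ("verified" if listed else "unlisted"), host
        if status in (301, 302, 307, 308):
            if urlsplit(payload).path != WELL_KNOWN:
                return "unverified", urlsplit(payload).hostname  # not "that same URL"
            url = payload
            continue
        # Nothing served: no assertion at all if this is the site itself, otherwise
        # the site points at a master that cannot confirm it (the post's "cannot be verified").
        return ("no-claim" if host == site else "unverified"), host
    return "unverified", urlsplit(url).hostname
```

The 'unlisted' case is the check that matters: without the master's list naming the site, any site could redirect to building.com and claim membership, so a user-agent should not extend a building.com exception on the redirect alone.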
Action Items
• Several people to clarify the problem and refine the solution.