Automated Discovery of claims of party membership
…the report
What problem(s) are we solving?
• 1 automated discoverability of the assertion of party relationships – discoverability by users, user-agents, researchers, enforcement…?? we need to decide which audiences we are trying to help
• 2 when a user grants an exception to 3rd-party A on 1st party B, they could be asked to grant an exception to all sites in the party that B is a member of?
Use Case(s)
• The discoverability would allow a user-agent to say “note that X (a site) is a part of Y (the master party), and if you allow X to track you, that data will be available to all of Y”.
• The second might assist in reducing the 'request noise' to users: “do you want to grant an exception for these 3rd parties on ALL properties related to current-1st-party?”
NOT on the table
• This is NOT about the 1st/3rd party distinction, merely about party membership.
Research Check
• Did POWDER already address this problem, and if so, how, and can we use or learn something?
Refined Strawman
• The following techniques enable a set of Sites that form a single Party to make their assertion of relationship status automatically discoverable.
• Each site in the set MAY maintain a re-direction pointer from the well-known URL /.well-known/dnt-sites to that same URL at their master site. At the master site, that URL MAY resolve to a text file that contains a list of site (domain) names, for validation.
• The file dnt-sites, if it exists, contains a list of domain names, one per line.
• (If the file does not exist at the master site, the user-agent might report, for example "site X claims to be part of party Y, but this cannot be verified".)
Example 1
• bricks.com and mortar.com are both managed by building.com.
• The URL http://bricks.com/.well-known/dnt-sites re-directs to http://building.com/.well-known/dnt-sites (as does the URL at mortar.com)
• That file contains:
    mortar.com
    bricks.com
    building.com
Example 2
• Scores.com maintains a set of embeddable widgets at soccer-scores.com, tennis-scores.com, etc.
• The user visits scores.com and says “your widgets may track me” (out of band opt-in)
• They then visit a site which embeds “rowing-scores” (3rd party) and it claims to have an opt-in
• The user-agent verifies that rowing-scores seems to be part of scores.com, and it knows of the user’s scores.com opt-in.
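An added example, not part of the original slides: a sketch of the user-agent check that the strawman describes and that Examples 1 and 2 rely on, including the case where a site points at a master that does not list it. The HTTP fetch is replaced by a constructed in-memory table; rogue.example, orphan.example, the contents of the scores.com list, the hop limit and all function names are assumptions.

```python
# Constructed stand-ins for HTTP responses at /.well-known/dnt-sites:
# ("redirect", host) points at the master site, ("file", body) is the list.
WELL_KNOWN = {
    "bricks.com": ("redirect", "building.com"),
    "mortar.com": ("redirect", "building.com"),
    "building.com": ("file", "mortar.com\nbricks.com\nbuilding.com\n"),
    "soccer-scores.com": ("redirect", "scores.com"),
    "scores.com": ("file", "scores.com\nsoccer-scores.com\ntennis-scores.com\n"),
    "rogue.example": ("redirect", "building.com"),     # not in building.com's list
    "orphan.example": ("redirect", "nofile.example"),  # master has no file
}


def parse_dnt_sites(body):
    """Parse the file: one domain name per line, blank lines ignored."""
    return {ln.strip().lower() for ln in body.splitlines() if ln.strip()}


def check_party(site, fetch=WELL_KNOWN.get, max_hops=2):
    """Return (status, master) where status is 'verified', 'unverified'
    (membership claimed but not confirmed by the master) or 'no-claim'."""
    site = host = site.lower()
    for _ in range(max_hops + 1):
        resp = fetch(host)
        if resp is None:  # nothing published at this host
            return ("no-claim", None) if host == site else ("unverified", host)
        kind, value = resp
        if kind == "file":
            # The claim counts only if the master's own list names the site.
            listed = site in parse_dnt_sites(value)
            return ("verified" if listed else "unverified", host)
        host = value.lower()  # follow the re-direction pointer
    return ("unverified", host)  # redirect chain too long (assumed limit)


def opt_in_applies(third_party, opted_in_site):
    """Example 2: does an opt-in given to one site cover an embedded site?"""
    a, b = check_party(third_party), check_party(opted_in_site)
    return a[0] == b[0] == "verified" and a[1] == b[1]


def report(site):
    status, master = check_party(site)
    if status == "verified":
        return f"note that {site} is a part of {master}"
    if status == "unverified":
        return f"site {site} claims to be part of party {master}, but this cannot be verified"
    return f"{site} makes no party claim"
```

The redirect alone proves nothing, since any site can point at another party's file; only the master's list confirms the claim, which is why rogue.example is reported as unverified.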
Action Items
• Several people to
  – clarify the problem
  – and refine the solution