Privacy: What information may be revealed?

[danielkhan]

see https://lists.w3.org/Archives/Public/public-trace-context/2020Feb/0004.html

what information may be revealed in these standardized identifier headers and who will have access to that information?

Risks of tracking across origins/systems and information disclosure are noted in both the privacy and security considerations sections, although in some cases risks are minimized and mitigations are unspecified or discouraged.

[plehegar]

(see #392 (comment) )

[npdoty]

@mtwo posted these comments on a separate issue, but I'm trying to follow up with the particular issues.

Note that these privacy concerns of the traceparent field are theoretical rather than practical.

We'll remove this

Vendors extremely sensitive to personal information exposure MAY implement selective removal of values corresponding to the unknown keys. Vendors SHOULD NOT mutate the tracestate field, as it defeats the purpose of allowing multiple tracing systems to collaborate.
I agree that the phrasing here is awkward and unclear. We'll rewrite the section.

Vendors should ensure that they include only these response headers when responding to systems that participated in the trace.
As you suggested, we'll replace this with "Vendors should ensure that they include these response headers only when responding to systems that participated in the trace."

“requeest” should be “request”
This has since been fixed.

@npdoty do my responses address your concerns? Let us know and we can continue discussing and create PRs.

I think the suggestions here would be a big help in addressing the concerns about how mitigations are described in the privacy considerations section.