Skip to content

privacy considerations #110

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
May 23, 2018
Merged

privacy considerations #110

merged 5 commits into from
May 23, 2018

Conversation

SergeyKanzhelev
Copy link
Member

Issues cleaning continued: adding some privacy notes for #55. I'll tag it that issue with correlation-context tag once this PR is complete. So it will not be in the main query

This was referenced Apr 17, 2018
Merged
Merged
wu-sheng
wu-sheng reviewed Apr 23, 2018
View reviewed changes
Copy link
Contributor

@wu-sheng wu-sheng left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Platforms and tracing systems MUST NOT include any personal identifieable information into tracestate header.

I think OpenTracing should be noticed, the baggage concepts will have some conflicts with the Privacy rules, if some supported tracers support both this spec and OT.

FYI @tedsuo

@SergeyKanzhelev
Copy link
Member Author

Platforms and tracing systems MUST NOT include any personal identifieable information into tracestate header.

I think OpenTracing should be noticed, the baggage concepts will have some conflicts with the Privacy rules, if some supported tracers support both this spec and OT.

I added privacy note to make sure any service may store and propagate tracestate without much privacy concerns. So the idea is ONLY store non-identifiable information there like application ID, sampling and such. For baggage Correlation-Context header should be used.

@SergeyKanzhelev SergeyKanzhelev mentioned this pull request Apr 23, 2018
Closed
bogdandrutu
bogdandrutu reviewed Apr 30, 2018
View reviewed changes
trace_context/compliance.md Outdated

Requirements to propagate headers to downstream services opens a potential privacy concerns. The only way to remove this concern is to inspect and remove values from the fields values before allowing the platform or tracing system to execute code that potentially can propagate these headers. All mutations should, however, conform to the list of mutations defined in this specification.

## Privacy of traceparent field
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not necessary a privacy concern, more like an usability concern is when the service initiating calls use the same trace-parent every time then this cause the service owner to not be able to distinguish between different calls. this my be solved by restarting the trace on the service side if the client is untrusted.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. I'd start security section for this. This doc purpose was to ensure the traceparent and tracestate can be stored and transmitted without implications for privacy and things like GDPR.

@CodingFabian
Copy link

👍 from my side. It would be a good idea to explicitly mention that there must be no storage restrictions on the tracestate value.

@SergeyKanzhelev
Copy link
Member Author

@CodingFabian I made it more explicit

@tedsuo
Copy link

tedsuo commented May 16, 2018
edited
Loading

@wu-sheng I think baggage is a separate issue, related to correlation-context, not tracestate.

LGTM, except fot the bit about mutating the tracestate.

If the suggestion is that systems MUST NOT include any personal identifieable information into tracestate header, then the follow up suggestion that systems extremely sensitive for personal information exposure MAY implement selective removal of values corresponded to the unknown keys doesn't really make sense.

"Extremely sensitive systems" should be following the main privacy directive, and not be putting "unkown keys" into their tracestate to begin with. (I presume the suggestion here is not to mess with other systems tracestate, but with previous instances of your tracestate).

Simply saying "don't put any personally identifiable information in tracestate" should be enough for now, the nuance muddles the message IMHO.

@SergeyKanzhelev SergeyKanzhelev merged commit 5e84805 into master May 23, 2018
@SergeyKanzhelev SergeyKanzhelev deleted the sergkanz/privacy branch May 23, 2018 06:05
@SergeyKanzhelev
Copy link
Member Author

@tedsuo I realize there are some re-iteration of the same. I intentionally mentioned it as there are services who will want to have an extra level of protection and will want to blacklist. Not talking theoretically =)

The language can be cleaned up though and I'd propose we clean it with upcoming editors clean up.

Thank you for feedback. If you still believe the language needs to change factually - please file an issue. Haven't meant to disregard your feedback here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bogdandrutu bogdandrutu bogdandrutu left review comments

@wu-sheng wu-sheng wu-sheng left review comments

@mtwo mtwo mtwo approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@SergeyKanzhelev @CodingFabian @tedsuo @mtwo @bogdandrutu @wu-sheng