From 5d6b5e83ffa8176888025eb2cac2fa8b1cb7081c Mon Sep 17 00:00:00 2001 From: Sergey Kanzhelev Date: Mon, 16 Apr 2018 23:57:07 -0700 Subject: [PATCH 1/3] privacy considerations --- report-trace-context.html | 2 ++ trace_context/HTTP_HEADER_FORMAT.md | 2 +- trace_context/compliance.md | 19 +++++++++++++++++++ 3 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 trace_context/compliance.md diff --git a/report-trace-context.html b/report-trace-context.html index 0e05e17b..b0b126b0 100644 --- a/report-trace-context.html +++ b/report-trace-context.html @@ -44,5 +44,7 @@
+ +
\ No newline at end of file diff --git a/trace_context/HTTP_HEADER_FORMAT.md b/trace_context/HTTP_HEADER_FORMAT.md index e1e1181e..3984f196 100644 --- a/trace_context/HTTP_HEADER_FORMAT.md +++ b/trace_context/HTTP_HEADER_FORMAT.md @@ -183,4 +183,4 @@ Multiple tracing systems (with different formatting): ``` tracestate: rojo=00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01,congo=lZWRzIHRoNhcm5hbCBwbGVhc3VyZS4= -``` +``` \ No newline at end of file diff --git a/trace_context/compliance.md b/trace_context/compliance.md new file mode 100644 index 00000000..c96e861a --- /dev/null +++ b/trace_context/compliance.md 
@@ -0,0 +1,19 @@ +# Privacy + +Requirements to propagate headers to downstream services opens a potential privacy concerns. The only way to remove this concern is to inspect and remove values from the fields values before allowing the platform or tracing system to execute code that potentially can propagate these headers. All mutations should, however, conform to the list of mutations defined in this specification. + +## Privacy of traceparent field + +`traceparent` field has a predefined set of values. These values are randomly-generated numbers. If random number generator has any logic of using user-identifiable information like IP address - this information may be exposed. Random number generators MUST NOT rely on any information that can potentially be user-identifieable. + +Another privacy risk of `traceparent` field is an ability to correlate calls made as part of a single transaction. Downstream service may track and correlate two or more calls made in a single transaction and make assumtions about identity of caller of one call base on infromation in another call. Service initiating calls MAY choose to restart trace while making calls that might identify caller in the downstream service. + +Note, both privacy concerns of `traceparent` field are theoretical rather than practical. + +## Privacy of tracestate field + +The field `tracestate` may contain any opaque value in any of the keys. The main purpose of this header is to provide additional information about the position of reqauest in the multiple distributed tracing graphs. + +Platforms and tracing systems MUST NOT include any personal identifieable information into `tracestate` header. + +Platforms and tracing systems extremely sensible for personal information exposure MAY implement selective removal of values corresponded to the unknown keys. This mutation of `tracestate` field is not forbidden, but highly discouraged. 
As it defeats the purpose of this field of allowing multiple tracing systems collaboration. \ No newline at end of file From d89fb2c0563260b06f50042272b3054e57aed702 Mon Sep 17 00:00:00 2001 From: Sergey Kanzhelev Date: Fri, 20 Apr 2018 23:40:19 -0700 Subject: [PATCH 2/3] Update HTTP_HEADER_FORMAT.md From bddbdbc56f16482ad334cdd812159fef03e2faa8 Mon Sep 17 00:00:00 2001 From: Sergey Kanzhelev Date: Wed, 2 May 2018 14:13:28 -0700 Subject: [PATCH 3/3] made introduction cleaner --- trace_context/compliance.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/trace_context/compliance.md b/trace_context/compliance.md index c96e861a..1f64e32e 100644 --- a/trace_context/compliance.md +++ b/trace_context/compliance.md 
@@ -1,18 +1,20 @@ # Privacy -Requirements to propagate headers to downstream services opens a potential privacy concerns. The only way to remove this concern is to inspect and remove values from the fields values before allowing the platform or tracing system to execute code that potentially can propagate these headers. All mutations should, however, conform to the list of mutations defined in this specification. +Requirements to propagate headers to downstream services as well as storing values of these headers opens a potential privacy concerns. Trace vendors MUST NOT use `traceparent` and `tracestate` fields for any personal identifiable or otherwise sensitive information. The only purpose of these fields is to enable telemetry correlation. + +Trace vendors MUST assess the risk of headers abuse. This section provides some considerations and initial assessment of the risk associated with storing and propagating these headers. Trace vendors may choose to inspect and remove sensitive information from the fields before allowing the platform or tracing system to execute code that potentially can propagate or store these fields. All mutations should, however, conform to the list of mutations defined in this specification. ## Privacy of traceparent field `traceparent` field has a predefined set of values. These values are randomly-generated numbers. If random number generator has any logic of using user-identifiable information like IP address - this information may be exposed. Random number generators MUST NOT rely on any information that can potentially be user-identifieable. -Another privacy risk of `traceparent` field is an ability to correlate calls made as part of a single transaction. Downstream service may track and correlate two or more calls made in a single transaction and make assumtions about identity of caller of one call base on infromation in another call. 
Service initiating calls MAY choose to restart trace while making calls that might identify caller in the downstream service. +Another privacy risk of `traceparent` field is an ability to correlate calls made as part of a single transaction. Downstream service may track and correlate two or more calls made in a single transaction and make assumptions about identity of caller of one call base on information in another call. Service initiating calls MAY choose to restart trace while making calls that might identify caller in the downstream service. Note, both privacy concerns of `traceparent` field are theoretical rather than practical. ## Privacy of tracestate field -The field `tracestate` may contain any opaque value in any of the keys. The main purpose of this header is to provide additional information about the position of reqauest in the multiple distributed tracing graphs. +The field `tracestate` may contain any opaque value in any of the keys. The main purpose of this header is to provide additional information about the position of request in the multiple distributed tracing graphs. Platforms and tracing systems MUST NOT include any personal identifieable information into `tracestate` header.
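Review bot: the `report-trace-context.html` hunk in PATCH 1/3 (`@@ -44,5 +44,7 @@`) adds two lines whose content is blank in the patch as posted; if this was meant to link the new compliance section into the report, include the actual markup, otherwise drop the whitespace-only change so the commit touches only the files it describes.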
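Review bot: the only change in the `trace_context/HTTP_HEADER_FORMAT.md` hunk of PATCH 1/3 is that the closing ``` fence loses its trailing newline (`-```` becomes `+``` \ No newline at end of file`); that is an editor artifact unrelated to the privacy text and will show up as a spurious diff for the next change to the file. Restore the final newline and drop this hunk. The new `trace_context/compliance.md` is likewise created with `\ No newline at end of file`; add the trailing newline there too.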
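Review bot: the new file in PATCH 1/3 is named `trace_context/compliance.md` but its only heading is `# Privacy`; either rename the file (for example to a privacy-specific name) or make the heading match, since cross-references will use the file name. In the same hunk the closing paragraph is broken into a fragment ("...is not forbidden, but highly discouraged. As it defeats the purpose of this field of allowing multiple tracing systems collaboration."); join it into one sentence, e.g. "...is not forbidden, but highly discouraged, as it defeats the purpose of this field, which is to let multiple tracing systems collaborate." Spelling and grammar to fix in this file: "opens a potential privacy concerns" (opens potential privacy concerns), "user-identifieable", "assumtions", "base on infromation", "reqauest", "personal identifieable information" (personally identifiable information), "extremely sensible for personal information exposure" (extremely sensitive to), and "values corresponded to the unknown keys" (values corresponding to unknown keys).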
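Review bot: PATCH 2/3 ("Update HTTP_HEADER_FORMAT.md") carries no diffstat and no hunk in the series as posted; if the change was lost when the patches were exported, resend it, otherwise drop the empty commit or squash it into 1/3 so the series applies cleanly.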
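Review bot: the PATCH 3/3 hunk fixes "assumptions", "information" and "request" but leaves the two "identifieable" misspellings in the context lines it carries ("...can potentially be user-identifieable." and "...any personal identifieable information into `tracestate` header."); fix them in the same commit and use "personally identifiable" consistently, since the new introduction also writes "personal identifiable or otherwise sensitive information", still says "opens a potential privacy concerns", and "the risk of headers abuse" should read "header abuse". On substance, the new paragraph requires that "Trace vendors MUST assess the risk of headers abuse", yet the unchanged line "Note, both privacy concerns of `traceparent` field are theoretical rather than practical." stays in place; the correlation risk described just above it (a downstream service linking two calls of one transaction and inferring the caller's identity from the other call) is a concrete linkability concern that the MAY-restart-the-trace mitigation exists for, so either drop that sentence or narrow it to the random-number-generator case.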