- From: Mike West <mkwst@google.com>
- Date: Mon, 27 Aug 2018 11:36:34 +0200
- To: phk@phk.freebsd.dk
- Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, rigo@w3.org, squid3@treenet.co.nz, rigo@w3c.org, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAKXHy=c5DhRq7b7xeH_7YHggL8vmJZYedSzAHLMtgqe4yv-gLA@mail.gmail.com>
On Mon, Aug 27, 2018 at 11:21 AM Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:

> --------
> In message <CAKXHy=eVOjyXa8+iLrXt8AYtFj1wDPrp_ZQAHjX3f4U_=
> niPgA@mail.gmail.com>
> , Mike West writes:
>
> >> >> Not sure I agree there, if UAs by default sent a different
> >> >> 64 bit randomly generated ID to each origin and kept those
> >> >> IDs for a long time, that seems worse to me than the current
> >> >> situation. (I'm not saying that's Mike's proposal, but
> >> >> just disagreeing with your "no big difference" statement.)
> >> >
> >> > How is that worse than sending an opaque cookie,
> >>
> >> If it was always sent, with no opt-out. (Again, I'm not
> >> saying that was Mike's proposal though.)
> >>
> >
> >IMO, users must always have the ability to opt-out of sending this
> >identifier to any entity, just as they do with cookies today. User agents
> >should likely aim above that bar, but an opt-out is the bare minimum.
>
> My original proposal was that this identifier is 100% under the
> client's control

This is the proposal I put forth in the explainer document as well. It sounds like there's some interest in letting the server set some number of bits at the front of the identifier for routing, etc. and I can see how that would be helpful, but I think there's a strong case for complete client-side control.

> , and that one bit is a courtesy bit where the
> client signals if it intends this to be a permanent session or an
> ephemeral/temporary session.
>
> As a starting point, browsing in private mode would set the bit
> to ephemeral, browsing in normal mode would set it to permanent.
>

I'm still not convinced that this is a good idea. :)

> But obviously the user should have a way to say "always send
> ephemeral id's to $ADNETWORK" etc.
>

My impression is that folks are generally happier sending no identifier at all when opting-out of advertisers' tracking (or an explicit "0" in the case of platform-level advertising identifiers like we see on iOS and Android), but randomizing on every hit is certainly something we could consider doing.

-mike

Received on Monday, 27 August 2018 09:37:09 UTC