
Re: 4.12.2.1: "paranoid user"

From: Frank Ellermann <nobody@xyzzy.claranet.de>
Date: Tue, 15 Jul 2008 16:25:39 +0200
To: public-html-comments@w3.org
Message-ID: <g5ic05$667$1@ger.gmane.org>

Ian Hickson wrote:

> Even with dynamic IPs from a large pool, it is reasonably
> easy to build user profiles over multiple sessions.

It's also reasonably illegal where I live.  I wouldn't know
how to do it - at the moment my UAs and languages are not
extravagant, and locating IPs isn't precise, fortunately.

> The idea that you need cookies to do this is a fiction
> that paranoid users believe in order to get over their 
> worry that people are following their every move.

IBTD.  But I'd agree that HTML5 is apparently designed
to support the interests of the usual "profile" builders.

> anyone who wants to do user tracking has to deal with
> such high levels of cookie churn (people resetting their 
> cookies) that they almost certainly only use the cookies
> as just an extra signal, and not a key part of any
> tracking strategy.

Hopefully many wannabe-paranoid users know this, and block
third party cookies only as part of a multi-layer strategy.
With their complete strategy decisively *NOT* related to
"anonymous browsing", that would be a dangerous illusion.

> Bandwidth for a redirect is essentially free in this day
> of massive multimedia content.

Dunno, writing this message online costs me about € 0.06
...mobile users might also disagree.

> latency (which hurts the user)

ACK, when I blocked sites it was more often about problems
with whatever they tried to do than about my privacy.  But
I'm definitely not interested in participating in an IVWBOX
or similar schemes (that was web bugs, not cookies, IIRC),
even if it's fast and cheap.

> Actually, third-party cookies are used in opt-out schemes

I avoid opt-out schemes wherever I can.  I never had any
"doubleclick" opt-out cookie.  I manage major parts of all
"doubleclick" traffic on my box talking with 127.0.0.1, or
similar techniques.

> Disabling third-party cookies in such cases actually goes
> against the user's wishes in such cases.

Obviously I don't need to enable any third party cookies to
opt-out from third party cookies when I don't allow them at
all.  Assuming the UA gets this right, I'm not sure if that
is the case.
  
> if a site breaks the user stands more to lose than the site.

IBTD.  Admittedly I often hated it when Netscape 3.* displayed
an empty page when something with forms + tables + anchors was
beyond its capabilities to fix errors on the fly, but it is a
large Web.  I could spend years with stuff that interests me
elsewhere.  In some cases where I wanted a workaround I found
it or moved on to greener pastures.

> Saying it's the problem of the site rather than the user is
> a very naive attitude.

Being "very naïve" and "paranoid" is a privilege, no problem
from my POV if "paranoid" users are aware of the limitations.

> all this is why the spec is written as it is.

Yes, it's apparently supporting "trackers" and other creatures.
Putting it mildly, HTML5 has one or more image problems.  

 Frank
Received on Tuesday, 15 July 2008 14:25:55 GMT
