
RE: Action 31 - Propose a user-agent managed site-specific exception

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Sun, 13 Nov 2011 14:20:15 -0800
To: Andy Zeigler <andyzei@microsoft.com>, "Tracking Protection Working Group WG (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <63294A1959410048A33AEE161379C8023D039591B7@SP2-EX07VS02.ds.corp.yahoo.com>
"The primary benefit of having a user-agent-managed list of exceptions would be for the user-agent to be able to "enforce" opt-ins by managing requests from tracking entities. I think this is basically wasted work..."

I believe there are many benefits to a browser managed list of exceptions:

* User able to retract exceptions outside of direct contact with a specific 3rd party

* User able to see all of the exceptions granted to date

* Exception list could be used to help manage 1st party/3rd party granted exceptions (for example, PublisherXYZ requests an exception for their site and the 4 3rd parties they work with in exchange for free content. The exception list would be able to tie the exception for that 3rd party only in the context of this 1st party.)

* Enables external audits (remove entry from list - look at header response code for correct behavior)

- Shane

From: Andy Zeigler [mailto:andyzei@microsoft.com]
Sent: Friday, November 11, 2011 5:28 PM
To: Tracking Protection Working Group WG (public-tracking@w3.org)
Subject: Action 31 - Propose a user-agent managed site-specific exception


So I volunteered for the action "Propose a user-agent managed site-specific exception". A few of us over here sat down and figured out a couple of ways of doing this, but I think that this approach is fundamentally flawed, and I think a website-based approach in Action 32 is better for a variety of reasons.



Namely, it would be an awkward user experience if the user-agent injects itself into the opt-in process. This approach would essentially require a protocol that associates domains with business entities. I think that "what" a user opts-into and which resources on the page are included in that opt-in are much better managed by the sites that include them.



There are other issues here:

- For example, imagine that I belong to a social network, and I opt-in to tracking. The user-agent stores the domain name of the network. Now I'm on a different website, and the same social network operates a "like" button on the page. Should the exception carry over? These types of issues are much better handled by the websites that have business relationships with tracking entities, and there are scenarios where this becomes very difficult to jam into a protocol without adding a lot of technical complexity.

- The primary benefit of having a user-agent-managed list of exceptions would be for the user-agent to be able to "enforce" opt-ins by managing requests from tracking entities. I think this is basically wasted work - if a tracking service is not DNT-compliant, then they won't bother requesting that the user opt-in - they'll just track the user directly, rendering user-agent enforcements useless.

Thanks,

Andy
Received on Sunday, 13 November 2011 22:21:05 UTC
