W3C home > Mailing lists > Public > public-tracking@w3.org > November 2011

RE: User intended interactions [1st & 3rd Parties]

From: TOUBIANA, VINCENT (VINCENT) <Vincent.Toubiana@alcatel-lucent.com>
Date: Tue, 15 Nov 2011 10:51:06 +0100
To: Karl Dubost <karld@opera.com>
CC: Bjoern Hoehrmann <derhoermi@gmx.net>, Tom Lowenthal <tom@mozilla.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <4D30AC7C2C82C64580A0E798A171B4444887DA473C@FRMRSSXCHMBSD1.dc-m.alcatel-lucent.com>
I think examples 1) and 3) correspond to example 11) in Tom's list as the end user is not aware that he will be redirected. At least in case 3, he does not know that he will go through bit.ly (he may know that t.co is a redirection), so bit.ly is clearly a third party in that case.

Regarding your first example, it would be interesting to clarify what information the ad-network could log when a user clicks on an ad as the two cases seem similar to me.

The second example is more problematic because if the user does not understand that bit.ly is a redirection, he won't expect to be redirected and that's a real problem. Again we would have to estimate what is the user expectation when he clicks on such link. 


Vincent

-----Message d'origine-----
De : Karl Dubost [mailto:karld@opera.com] 
Envoyé : lundi 14 novembre 2011 23:09
À : Vincent Toubiana
Cc : Bjoern Hoehrmann; Tom Lowenthal; public-tracking@w3.org
Objet : Re: User intended interactions [1st & 3rd Parties]


Le 12 nov. 2011 à 09:21, Vincent Toubiana a écrit :
> I think the point here  - and the big difference with example 11 -  is that the user knows that he'll go through "bit.ly" redirection 

Is it always true?
There are cases the user just doesn't know.

1. clicking on a pattern <a><img/></a>
   the image doesn't necessary gives an insightful hint on the link we are about to click
2. just not understanding that bit.ly is  a redirection service.
3. Multiple redirections.
   Let's say I retweeted something from someone
   "tracking protection WG home page http://t.co/t9CdCBEb #test"


curl -sI http://t.co/t9CdCBEb

HTTP/1.1 301 Moved Permanently
Date: Mon, 14 Nov 2011 22:05:49 GMT
Server: hi
Location: http://bit.ly/vz5OpK
Cache-Control: private,max-age=300
Expires: Mon, 14 Nov 2011 22:10:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

Ah a Location header let's explore

curl -sI http://bit.ly/vz5OpK

HTTP/1.1 301 Moved
Server: nginx
Date: Mon, 14 Nov 2011 22:06:11 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: _bit=4ec190d3-00041-06ef4-271cf10a;domain=.bit.ly;expires=Sat May 12 22:06:11 2012;path=/; HttpOnly
Cache-control: private; max-age=90
Location: http://c8l.ca/1gf
MIME-Version: 1.0
Content-Length: 109

Ah yet another one


curl -sI http://c8l.ca/1gf

HTTP/1.0 301 Moved Permanently
Date: Mon, 14 Nov 2011 22:07:05 GMT
Server: Apache/2.2.8 (EL)
X-Powered-By: PHP/5.2.6
Set-Cookie: bb2_screener_=1321308425+24.53.13.170; path=/
Location: http://www.w3.org/2011/tracking-protection/
Content-Length: 160
Connection: close
Content-Type: text/html; charset=UTF-8



Finally the link. What is my user consent in all these redirections. They just happen because the HTTP protocol is designed like this. The social networks and mobile usage have increased a lot these interaction patterns lately. The mechanism was not really built for this at the origin.

All these intermediaries have some capabilities of tracking. 


-- 
Karl Dubost - http://dev.opera.com/
Developer Relations & Tools, Opera Software
Received on Tuesday, 15 November 2011 09:53:10 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:22 UTC