- From: TOUBIANA, VINCENT (VINCENT) <Vincent.Toubiana@alcatel-lucent.com>
- Date: Tue, 15 Nov 2011 10:51:06 +0100
- To: Karl Dubost <karld@opera.com>
- CC: Bjoern Hoehrmann <derhoermi@gmx.net>, Tom Lowenthal <tom@mozilla.com>, "public-tracking@w3.org" <public-tracking@w3.org>
I think examples 1) and 3) correspond to example 11) in Tom's list as the end user is not aware that he will be redirected. At least in case 3, he does not know that he will go through bit.ly (he may know that t.co is a redirection), so bit.ly is clearly a third party in that case. Regarding your first example, it would be interesting to clarify what information the ad-network could log when a user clicks on an ad as the two cases seem similar to me. The second example is more problematic because if the user does not understand that bit.ly is a redirection, he won't expect to be redirected and that's a real problem. Again we would have to estimate what is the user expectation when he clicks on such link. Vincent -----Message d'origine----- De : Karl Dubost [mailto:karld@opera.com] Envoyé : lundi 14 novembre 2011 23:09 À : Vincent Toubiana Cc : Bjoern Hoehrmann; Tom Lowenthal; public-tracking@w3.org Objet : Re: User intended interactions [1st & 3rd Parties] Le 12 nov. 2011 à 09:21, Vincent Toubiana a écrit : > I think the point here - and the big difference with example 11 - is that the user knows that he'll go through "bit.ly" redirection Is it always true? There are cases the user just doesn't know. 1. clicking on a pattern <a><img/></a> the image doesn't necessary gives an insightful hint on the link we are about to click 2. just not understanding that bit.ly is a redirection service. 3. Multiple redirections. Let's say I retweeted something from someone "tracking protection WG home page http://t.co/t9CdCBEb #test" curl -sI http://t.co/t9CdCBEb HTTP/1.1 301 Moved Permanently Date: Mon, 14 Nov 2011 22:05:49 GMT Server: hi Location: http://bit.ly/vz5OpK Cache-Control: private,max-age=300 Expires: Mon, 14 Nov 2011 22:10:49 GMT Connection: close Content-Type: text/html; charset=UTF-8 Ah a Location header let's explore curl -sI http://bit.ly/vz5OpK HTTP/1.1 301 Moved Server: nginx Date: Mon, 14 Nov 2011 22:06:11 GMT Content-Type: text/html; charset=utf-8 Connection: keep-alive Set-Cookie: _bit=4ec190d3-00041-06ef4-271cf10a;domain=.bit.ly;expires=Sat May 12 22:06:11 2012;path=/; HttpOnly Cache-control: private; max-age=90 Location: http://c8l.ca/1gf MIME-Version: 1.0 Content-Length: 109 Ah yet another one curl -sI http://c8l.ca/1gf HTTP/1.0 301 Moved Permanently Date: Mon, 14 Nov 2011 22:07:05 GMT Server: Apache/2.2.8 (EL) X-Powered-By: PHP/5.2.6 Set-Cookie: bb2_screener_=1321308425+24.53.13.170; path=/ Location: http://www.w3.org/2011/tracking-protection/ Content-Length: 160 Connection: close Content-Type: text/html; charset=UTF-8 Finally the link. What is my user consent in all these redirections. They just happen because the HTTP protocol is designed like this. The social networks and mobile usage have increased a lot these interaction patterns lately. The mechanism was not really built for this at the origin. All these intermediaries have some capabilities of tracking. -- Karl Dubost - http://dev.opera.com/ Developer Relations & Tools, Opera Software
Received on Tuesday, 15 November 2011 09:53:10 UTC