Re: tainted uris and tracking Re: "cross-site" from Karl Dubost on 2011-11-22 (public-tracking@w3.org from November 2011)

From: Karl Dubost <karld@opera.com>
Date: Tue, 22 Nov 2011 16:38:29 -0500
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: <public-tracking@w3.org>
Message-Id: <EFEFF41F-0F46-41C6-A957-F2B3778C1CBA@opera.com>

Le 18 nov. 2011 à 18:33, Bjoern Hoehrmann a écrit :
> Yes, I was specifically referring to the fact that the parameters to
> that include the validator.w3.org host name.


for tainted uris I met a few cases with different consequences.

* http://blah.example.com/?uri=http://comingFromThere.example.net/
  This is very often and has minor consequences when used in isolation of other tracking mechanisms.
  It is basically a referer like mechanism. 

FeedBurner is using that mechanism to pollute our URIs.
http://example.com/foo/bar/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Blog+Title

* http://blah.example.com/?sessionId=476786hKHGF22
  This one is a bigger concern, because it has the ability to track you
  across many requests and can be send to many sites. Used by tynt for example.

  For example used by newspaper, with a cut and paste modifying your clipboard.
  See http://lists.w3.org/Archives/Public/www-tag/2010Jun/thread.html#msg7

* http://blah.example.com/?userId=MySocialNetworkID
  When this userid is attached to each request, then the tracking is really 
  annoying. URIs not having the same policy for reading/writing information
  than cookies, they can become nasty tracking mechanisms.

> My impression though is that you seem to see a more fundamental pro-
> blem with the "do not track" concept, but I could not make out where
> you are coming from so far.


"Do Not Track" sent by the browser ==

	"selecting this box, you express that you do not WISH 
	 having aggregation of your personal data by third 
	 parties. We have no guarantee that servers will abide.
	 If the first party is acting as a 3rd, you are… too bad."

Basically we do not provide a very useful value proposition for the users, except the right to voice. We also have an issue on the answers sent by the different servers:

* Am I or not a 3rd party?
* Am I or not a 1st party?
* In which circumstances my role changes?
* If I declare one thing, will I be liable in front of jurisdiction X?
* Better not declare anything… if I risk to be liable.

The time a server will be able to answer precisely this question is IMO very rare, which makes the mechanism along this line.

* voicing your preferences
* not sure about the multiple answers, you receive.
* browsers with headaches implementing a sensible UI which doesn't give a false sense of privacy and in return which doesn't scare users of using the Web
* consumers organizations with a very hard time understanding if the answers are correct or not.
* server implementers a very very hard time implementing the business rules in terms of HTTP headers.



-- 
Karl Dubost - http://dev.opera.com/
Developer Relations & Tools, Opera Software

Received on Tuesday, 22 November 2011 21:39:02 UTC