
RE: [ACTION-20] First parties signaling exceptions to third parties

From: Kevin Smith <kevsmith@adobe.com>
Date: Tue, 29 Nov 2011 09:40:54 -0800
To: Peter Eckersley <peter.eckersley@gmail.com>
CC: "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <6E120BECD1FFF142BC26B61F4D994CF30635E9873C@nambx07.corp.adobe.com>
>My guess is it will be more common for 1st parties to store the exception in association with accounts rather than specific cookies, though clearly the cookie-only case is possible.

I do not have any documented stats to back up my hunch, but my personal experience is that the vast majority of web browsing (and therefore ad serving and stats tracking etc) happens in a non-logged-in and therefore account-less state.  I do not think it's very realistic for site owners to only seek exceptions from logged-in users, nor to require visitors to create an account simply to opt back in to being tracked.  Hence, I still believe cookie opt-ins will be prevalent.

From: Peter Eckersley [mailto:peter.eckersley@gmail.com]
Sent: Monday, November 28, 2011 2:39 PM
To: Kevin Smith
Cc: public-tracking@w3.org
Subject: Re: [ACTION-20] First parties signaling exceptions to third parties

Picking up this thread again...
On 15 November 2011 13:16, Kevin Smith <kevsmith@adobe.com> wrote:
Peter,

Sorry.  I missed the URI parameter somehow and read it as an additional header.  A URI parameter could work, although I actually think this could be quite complicated since many requests go through multiple services and multiple redirects and the request to the final service likely does not even resemble the original request.  The parameter would have to be passed on.

This makes sense to me, and I would be happy to amend the proposed language to say that passing on the parameter is permitted.

Cookies would actually have similar challenges, but at least then the communication only needs to happen once - not on every request.  Of course, that does expose the solution to the usual cookie disadvantages, but if the 1st party is storing the exception in a cookie (which is a very likely scenario) then those disadvantages already exist.

My guess is it will be more common for 1st parties to store the exception in association with accounts rather than specific cookies, though clearly the cookie-only case is possible.

Practically speaking, I do not think we should attempt to enforce a particular methodology, but should allow the participants to choose the method that works best for them (could even be out-of-band visitor id syncing).  Of course, we can still suggest different methods such as these in the docs.

From a web developer's point of view, using MUST in a proposal like this has the benefit of standardization: it means that 1st and 3rd party opt-back-in code is more likely to be compatible even when the relationship between the 1st and 3rd party is very casual (e.g., the 1st party just turned on a plugin in their CMS, pasted some JS into a page, etc).

Of course there are different benefits in terms of transparency for users who want to be able to see what domains regard them as having opted-back-in to tracking.

--
Peter
Received on Tuesday, 29 November 2011 17:41:27 UTC
