on users and user-agents and parties

From: David Singer <singer@apple.com>
Date: Wed, 25 Apr 2012 16:00:33 -0700
Message-id: <87FDD2FC-7566-4327-8387-17A21EFC2D28@apple.com>
To: "public-tracking@w3.org Group WG" <public-tracking@w3.org>

This is something to ponder, I think, rather than take immediate action.

I realized that we talk quite often of 'the user' and 'the user-agent', and most of us have a vision of a browser when we talk of a UA.

But many users have more than one device, and on some devices use more than one browser; and many users use HTML and HTTP in other contexts than straight web browsing.

So, I rather assume that sites, even if they have worked out "it's dave again!" when I use a different device or browser, are NOT supposed to remember "he's one of them DNT people" and not track me. Perhaps this doesn't need stating; it's basically tracking me so as to remember you weren't supposed to do that.

The much harder questions, for me, come up around non-browser UAs.  Sometimes these share a common 'web engine' like webkit, and hence can share some state (e.g. cookie database, settings).

If someone sends me email, and that email has some elements fetched by HTTP, and my mailer is configured to fetch them by default (bad idea, but whatever): who is the 1st party?  Is there one?  I certainly didn't choose to get emailed by skankypeople.net, and as far as I am concerned, the mail is local -- that's what I am 'intentionally interacting with'.

If I run an RSS reader, and the news items pull in requests over HTTP, who is the 1st party?  The site that I signed up to news from?  That might be easier, but it's still not obvious.

How about a help viewer that integrates some local content and some fetched content?



Would it help us if all UAs sent, in the DNT "and I think you are currently a 1st/3rd party", and have the site 'push back' if it believes to the contrary?  Sometimes sites might have a hard time working it out, and a clue be well received, and even if they disagree, knowing that the UA may flag the interaction "suspected 1st-party impersonator!" might help them.

You can tell, I continue to be worried about the testability and utility of the 1st/3rd distinction.

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Wednesday, 25 April 2012 23:01:23 UTC
