
Re: on users and user-agents and parties

From: Geoff Gieron - AdTruth <ggieron@adtruth.com>
Date: Thu, 26 Apr 2012 02:04:42 +0000
To: David Singer <singer@apple.com>
CC: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
Message-ID: <F5773252-012F-416B-86AF-533250F590D5@adtruth.com>

David,

How do you handle the 10+ mobile browsers downloadable on iOS that allow for UA manipulation? I believe some have a completely open field for input of whatever the user wants... this has been an area of my concern, as people use this element as truth to an extent; however, outside of Safari the user agent can be a "lie". Another example of this is the Kindle Fire, which presents itself in the UA to websites as an Apple device... which clearly it is not. Apps on iPad show themselves as iPhones if not designed for the iPad - something set by the developer. Would consumer choice for DNT be safe in something now designed to lie?

Hope it is ok to ask you and the group, but I struggle with this data point when we review device data and trends in our R&D for device recognition and fraud prevention.

Sent from my iPhone

On Apr 25, 2012, at 4:04 PM, "David Singer" <singer@apple.com> wrote:

> This is something to ponder, I think, rather than take immediate action.
>
> I realized that we talk quite often of 'the user' and 'the user-agent', and most of us have a vision of a browser when we talk of a UA.
>
> But many users have more than one device, and on some devices use more than one browser; and many users use HTML and HTTP in other contexts than straight web browsing.
>
> So, I rather assume that sites, even if they have worked out "it's dave again!" when I use a different device or browser, are NOT supposed to remember "he's one of them DNT people" and not track me. Perhaps this doesn't need stating; it's basically tracking me so as to remember you weren't supposed to do that.
>
> The much harder questions, for me, come up around non-browser UAs.  Sometimes these share a common 'web engine' like webkit, and hence can share some state (e.g. cookie database, settings).
>
> If someone sends me email, and that email has some elements fetched by HTTP, and my mailer is configured to fetch them by default (bad idea, but whatever): who is the 1st party?  Is there one?  I certainly didn't choose to get emailed by skankypeople.net, and as far as I am concerned, the mail is local -- that's what I am 'intentionally interacting with'.
>
> If I run an RSS reader, and the news items pull in requests over HTTP, who is the 1st party?  The site that I signed up to news from?  That might be easier, but it's still not obvious.
>
> How about a help viewer that integrates some local content and some fetched content?
>
>
>
> Would it help us if all UAs sent, in the DNT, "and I think you are currently a 1st/3rd party", and have the site 'push back' if it believes to the contrary?  Sometimes sites might have a hard time working it out, and a clue be well received, and even if they disagree, knowing that the UA may flag the interaction "suspected 1st-party impersonator!" might help them.
>
> You can tell, I continue to be worried about the testability and utility of the 1st/3rd distinction.
>
> David Singer
> Multimedia and Software Standards, Apple Inc.
>
>
Received on Thursday, 26 April 2012 02:02:45 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:27 UTC