RE: on users and user-agents and parties

Dave,

I share a similar scalability concern, about the utility of DNT preferences management on devices when almost any smartphone application can integrate a Web library, and in most cases there will be no sharing of preferences (or any navigator / window / cache / cookies / localStorage data) across the diverse HTTP-enabled applications. 

The focus on "the browser" use case is deceptively simple (even though in reality complex in itself) when compared to the potentially dozens of Web-enabled apps that the user is likely to have installed on a device, not to mention the 4 or 5 other devices that the user has.

The Web is so natively integrated into so many different types of applications, that I seriously question the scalability of per-app settings management for DNT, especially on the client side.

Thanks,
Bryan Sullivan 

-----Original Message-----
From: David Singer [mailto:singer@apple.com] 
Sent: Wednesday, April 25, 2012 4:01 PM
To: public-tracking@w3.org Group WG
Subject: on users and user-agents and parties

This is something to ponder, I think, rather than take immediate action.

I realized that we talk quite often of 'the user' and 'the user-agent', and most of us have a vision of a browser when we talk of a UA.

But many users have more than one device, and on some devices use more than one browser; and many users use HTML and HTTP in other contexts than straight web browsing.

So, I rather assume that sites, even if they have worked out "it's dave again!" when I use a different device or browser, are NOT supposed to remember "he's one of them DNT people" and not track me. Perhaps this doesn't need stating; it's basically tracking me so as to remember you weren't supposed to do that.

The much harder questions, for me, come up around non-browser UAs. Sometimes these share a common 'web engine' like WebKit, and hence can share some state (e.g. cookie database, settings).

If someone sends me email, and that email has some elements fetched by HTTP, and my mailer is configured to fetch them by default (bad idea, but whatever): who is the 1st party?  Is there one?  I certainly didn't choose to get emailed by skankypeople.net, and as far as I am concerned, the mail is local -- that's what I am 'intentionally interacting with'.

If I run an RSS reader, and the news items pull in requests over HTTP, who is the 1st party?  The site that I signed up to news from?  That might be easier, but it's still not obvious.

How about a help viewer that integrates some local content and some fetched content?



Would it help us if all UAs sent, in the DNT "and I think you are currently a 1st/3rd party", and have the site 'push back' if it believes to the contrary?  Sometimes sites might have a hard time working it out, and a clue be well received, and even if they disagree, knowing that the UA may flag the interaction "suspected 1st-party impersonator!" might help them.

You can tell, I continue to be worried about the testability and utility of the 1st/3rd distinction.

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Thursday, 26 April 2012 04:22:36 UTC