Re: issue-112, exceptions for subdomains from Nicholas Doty on 2012-08-29 (public-tracking@w3.org from August 2012)

From: Nicholas Doty <npdoty@w3.org>
Date: Tue, 28 Aug 2012 19:47:17 -0700
To: Vinay Goel <vigoel@adobe.com>
Cc: David Singer <singer@apple.com>, David Wainberg <david@networkadvertising.org>, "Matthias Schunter (Intel Corporation)" <mts-std@schunter.org>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-Id: <4AF4FF6F-7353-40EB-A170-0039DEE5C657@w3.org>

On Aug 23, 2012, at 8:32 AM, Vinay Goel <vigoel@adobe.com> wrote:

> As both David W and Shane pointed out, this is still an open issue that we'd like to further discuss.  I don't think its sufficient to allow for the exception to cover the fully qualified domain only.  I know there are some concerns of abuse with the expansion of ICAAN policy, but by limiting the exception to fully qualified domains we'd be limiting significantly how a trusted third party ad services provider could use an exception.
> 
> Take the scenario of Acme, a site retargeting advertising firm.  It has three clients that it collects data on; but each client's data is owned by the client; not Acme.  Acme cannot combine/use data from Website A with data from Website B.  Acme uses the domain acme.net.  For data collected on Website A, it uses a.acme.net; for Website B it uses b.acme.net; for Website C it uses c.acme.net.  If Acme is asking for an exception, it needs it to cover all of its retargeting services for each client.  It cannot ask for a separate exception for each of its customers (could be in the hundreds).  By limiting the exception to fully qualified domains only, you would be encouraging retargeting firms to move away from cookie-based silos.
> 
> We should change the language of the current draft such that www.acme.net can make an exception request for *.acme.net or (*.)www.acme.net.  I would suggest we allow for a domain to ask for an exception for itself and its subdomains, but restrict how a subdomain can ask for an exception.  Specifically: acme.net can ask for an exception for acme.net and a.acme.net; a.acme.net can ask for an exception only for  (*).a.acme.net, but not acme.net.

This appears to be a request for Web-wide exceptions to be requested for a broader scope than as currently drafted. As I understand the use case -- a user visits acme.net (a 3rd-party re-targeting firm), hears about how great the re-targeting feature is, decides to opt-in to Acme retargeting even while sending a DNT:1 signal to everyone else, and acme.net uses the JavaScript API to request a Web-wide exception. But acme.net wants to ask the user to send DNT:0 for requests to all subdomains of acme.net, not just to the effective script origin ("http://acme.net").

We could potentially achieve this requirement through adding an optional, boolean, default=false parameter named `includeSubdomains` to the requestWebWideTrackingException() method. That would add some complexity, certainly, and we'd want to add a specification that this should only be done for subdomains that are part of the same party as defined elsewhere, but otherwise seems straightforward.

On Aug 23, 2012, at 12:52 PM, Vinay Goel <vigoel@adobe.com> wrote:

> I agree — a user that might want to give NYT an exception, but not give the vendor of NYT's other clients an exception.  In that situation, NY Times should be responsible for using the nytimes.retargeting.com domain and not *.retargeting.com.  That only works though if that retargeting firm uses client-specific subdomains.  Not all do.

As a result, I'm not sure I understand this particular use case, Vinay. If a user grants a site-wide exception on nyt.com (whether the exception is for "*" or for a list of third-party trackers including "nytimes.retargeting.com"), the exception would only apply to those third parties embedded within nyt.com, not on other sites. The re-targeter isn't getting permission to track on other first party sites, no matter whether it uses client-specific subdomains or not.

As I understand it, Vinay's is a separate request from Shane's request [0] to include sub-domains (in response to Ian and me on ISSUE-112) -- Shane wants a parameter to list which (or all) subdomains are part of the same first-party to which the site-wide exception should be applied. I would be concerned about that as it could broaden the request for an exception well beyond the current context, which was the advantage of site-specific exceptions to begin with.  As I noted last month, it's also possible for user agents to optionally do this already -- "check here to extend this permission to other properties owned by the same company" and use the same-party or OUR-HOST to determine the scope, which could incentivize that documentation and extend beyond just subdomains to other domains controlled by the same party.

Thanks,
Nick

[0] http://lists.w3.org/Archives/Public/public-tracking/2012Jul/0165.html

Received on Wednesday, 29 August 2012 02:47:29 UTC