W3C home > Mailing lists > Public > public-tracking@w3.org > March 2012

Re: ISSUE-111 - Exceptions are broken

From: Sean Harvey <sharvey@google.com>
Date: Thu, 8 Mar 2012 17:15:30 -0500
Message-ID: <CAFy-vueOob5sqBVDUqP4DK+gAuR8=ZkYRDx9BO5sjysPri-8kg@mail.gmail.com>
To: Nicholas Doty <npdoty@w3.org>
Cc: Kevin Smith <kevsmith@adobe.com>, "TOUBIANA, VINCENT (VINCENT)" <Vincent.Toubiana@alcatel-lucent.com>, "Roy T. Fielding" <fielding@gbiv.com>, Shane Wiley <wileys@yahoo-inc.com>, Tracking Protection Working Group WG <public-tracking@w3.org>
my other concern is that if the browser is "handling it" it would result in
truly crazy behavior that is non-implementable for servers.

Specifically, we might be forced to set cookies and then opt-out cookies
repeatedly and in succession depending on whether a 0 or 1 value is present
in DNT. I'm curious what alternate implementation you are suggesting.

On Thu, Mar 8, 2012 at 5:11 PM, Sean Harvey <sharvey@google.com> wrote:

> e.g. silo-ing is the issue here. unless silo-ing is not a requirement.
> On Thu, Mar 8, 2012 at 5:09 PM, Sean Harvey <sharvey@google.com> wrote:
>> Thanks Nick. Please do tell me if you think I'm not thinking clearly
>> about this. But regardless of whether it is being handled by the browser,
>> you would still need separate cookies per "site" if the exception is
>> site-specific.
>> Example use case: I am third party ad server AdDoty (yes there are brand
>> names this and more stupid in our industry) and I have a site specific
>> exemption from both Yahoo and AOL. How do I differentiate this data on the
>> server side, regardless of whether or not the browser is "handling it"?
>> On Thu, Mar 8, 2012 at 5:06 PM, Nicholas Doty <npdoty@w3.org> wrote:
>>> On Mar 8, 2012, at 11:45 AM, Sean Harvey wrote:
>>> > at a high level this would be new functionality in the ecosystem.
>>> there is no such thing as a site-specific exemption or site-specific cookie
>>> for an ad servers, etc. coming from a third party domain.
>>> >
>>> > i also agree that this is probably not practically implementable by
>>> anyone -- one potential implementation would involve domain-specific
>>> cookies in a sub-domain of the third party, but this would mean potentially
>>> thousands of cookies on the client browser where previously only one
>>> existed. Which does not sound like an ideal outcome.
>>> Sorry, I'm not sure I understand here. As proposed, the
>>> user-agent-managed site-specific exception would be handled by the browser
>>> (choosing when to send DNT:0) rather than asking the ad server or other
>>> third-parties to create separate cookies to manage that state for each
>>> first-party site. Right now when an ad network receives a request from a
>>> browser that has an opt-out cookie for that network, it has to use a
>>> different behavior (not showing a targeted ad) no matter what the
>>> first-party site is, right? Can these site-specific exception headers
>>> prompt per-request behavior in the same way that an opt-out cookie does?
>>> Or is the concern that site-specific exceptions would require siloing of
>>> data and that requires different cookies for each first-party site?
>>> My take on Vincent and Kevin's question: Do first-party publishers get
>>> any indication from the user or the third-party that the user has an
>>> opt-out cookie installed and is potentially generating less revenue for the
>>> publisher?
>>> Thanks,
>>> Nick
>> --
>> Sean Harvey
>> Business Product Manager
>> Google, Inc.
>> 212-381-5330
>> sharvey@google.com
> --
> Sean Harvey
> Business Product Manager
> Google, Inc.
> 212-381-5330
> sharvey@google.com

Sean Harvey
Business Product Manager
Google, Inc.
Received on Thursday, 8 March 2012 22:15:59 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:46 UTC