- From: Sid Stamm <sid@mozilla.com>
- Date: Wed, 14 Mar 2012 15:51:15 -0700
- To: Jonathan Mayer <jmayer@stanford.edu>
- CC: Kevin Smith <kevsmith@adobe.com>, Tracking Protection Working Group WG <public-tracking@w3.org>
Hey Jonathan,
On 3/14/12 3:15 PM, Jonathan Mayer wrote:
> Here are a few concrete use cases:
>
> 1) A publisher wants to distinguish itself as having good privacy
> practices. Instead of requesting a blanket exception, it wants to
> request exceptions for a small number of well-known third parties.
This use case isn't directly relevant. It identifies a need for
site-by-site exception *requests*, but not a list-based exception status
API.
> 2) A publisher wants to reflow its layout to exclude widgets and SSO
> providers that the user has not excepted. (This was Ian Fette's
> example.)
This is a good use case. Can we address it with multiple calls to the
request API instead of "gimme all exceptions"?
> 3) If certain web-wide exceptions are present, a publisher does not
> need to ask for new exceptions.
This isn't really a use case but rather a side-effect or desired
function. Regardless, it identifies a desire for user agents to avoid
duplicate prompts to users (UI design) and doesn't require us to expose
a list to JS. We could put non-normative text in there to suggest user
agents should shortcut publishers' requests that are unnecessary due to
web-wide exceptions, but the same info can be obtained from a non-list API.
> 4) A user wants to blacklist a third party in a manner that trumps a
> site-specific exception.
Again, I think we should let the browser UI deal with this. This is
user-centric, not site-centric so we shouldn't address it on the site-side.
> In all of these scenarios, a first party needs to know the exception
> status for specific third parties. There are, broadly, four
> proposals for how we might facilitate that:
>
> a) polling with existing web technology (e.g. cached JavaScript with
> a Vary: DNT response header),
>
> b) polling with requestSiteSpecificTrackingException (asks for the
> exception if not already granted or denied),
>
> c) polling with a dedicated API (e.g.
> testSiteSpecificTrackingException), and
>
> d) getting a list from a dedicated API (e.g.
> siteSpecificTrackingExceptions).
>
> Polling approaches, especially (a), will be slower.
Javascript is fast. We're talking realistically, maybe a thousand API
calls. This won't be noticeable for implementations that don't block on
user input, or a user agent can roll them all up into one prompt batch
to speed it up.
> A list approach brings greater first-party fingerprinting risk.
Yep.
> (With polling, a first party would have to enumerate domains; that's
> more difficult, slower, more easily detected, and can be mitigated
> through frequency capping.)
Yep.
> First-party fingerprinting risk in (c) and (d) could be greatly
> mitigated by requiring user consent for the API (e.g. "This website
> would like to learn about your tracking preferences for other
> websites. Allow/Deny").
Okay, I see. That makes good sense. Would sites still use this API if
there were a wait-for-user barrier there like this? (I guess I'm asking
the web site operators out there, not you directly Jonathan...)
-Sid
>
> On Mar 14, 2012, at 11:49 AM, Sid Stamm wrote:
>
>> I agree with Kevin that we should identify precisely the set of
>> use cases we're looking to address by resurrecting this idea.
>>
>> But I still have fingerprinting concerns with the proposal (please
>> help me understand if I'm wrong). Even if it's limited to
>> first-party-context scripts, there's still the ability for
>> first-party sites to fingerprint using this list-based thing.
>>
>> The adversaries in my fingerprinting concern are not the sites
>> trying to do the right thing with the suite of tools we're
>> developing here, but rather *other* sites that have no intention of
>> being friendly. I know our work here is not intended to address
>> "bad actors", but we should not develop new technologies that make
>> it easier for bad actors to act badly.
>>
>> I'm worried about shadyfirstpartysite.com re-identifying me based
>> on things like my browsing history between visits to their site.
>> I'm concerned that a first-party list-based API will provide
>> shadyfirstpartysite.com with more bits of entropy that make it
>> easier to re-identify me across multiple visits to their site.
>>
>> I'm sure you will argue that it's already trivial to fingerprint
>> users if you're a "bad actor", and I concede that point, but if
>> we're going to make it easier (or a more statistically-strong
>> confidence), we better have some really good use cases that we
>> cannot get from other, similar features that don't carry the same
>> fingerprinting "enhancement".
>>
>> -Sid
>>
>> On 3/14/12 11:38 AM, Kevin Smith wrote:
>>> Before we resurrect this topic, can we please address the fact
>>> that it would only work in a very minimal set of use cases and
>>> make sure it is worth our time.
>>>
>>> This API only has value if we allow partial exceptions (to some
>>> but not all 3rd parties on a site). As I have stated in other
>>> threads, there are many many problems with allowing partial
>>> exceptions. There are also real privacy and business incentives
>>> to do so, and so it may be worth trying to work through some of
>>> the problems. However, there is a single core problem that would
>>> need to be solved prior to considering any of the additional work
>>> which is: How do you request exceptions for a potentially ever
>>> changing, dynamic, unknown list of 3rd parties which make up
>>> common advertising chains.
>>>
>>> The cnn example below simply does not work. It is worthless to
>>> grant doubleclick (more accurately DFP) an exception because
>>> doubleclick usually does not serve the ads. The publisher's ad
>>> server's responsibility is to find the ads which will yield the
>>> highest CPM for the publisher. The process of doing so may
>>> involve several different services and redirects, and these
>>> services may change per user, per page or even per time of day.
>>> Granting doubleclick the ability to track does not grant them the
>>> ability to perform their task unless the other steps in the chain
>>> also have an exception.
>>>
>>> I am sure there are simple scenarios in which the 1st party will
>>> know all 3rd parties and may be willing to offer variable content
>>> based on which 3rd parties have exceptions. I think before we
>>> talk about changing the functionality we should list some of
>>> these scenarios and determine whether it is worth our time or the
>>> browser's time to implement the API.
>>>
>>> On a side note - if we can satisfactorily answer the above
>>> questions and feel that we do want to move forward with it, I
>>> agree with Jonathon that we can do so in a way which does not
>>> carry strong fingerprinting risks. I think Jonathon's proposal
>>> would work.
>>>
>>> -kevin
>>>
>>> -----Original Message----- From: Jonathan Mayer
>>> [mailto:jmayer@stanford.edu] Sent: Wednesday, March 14, 2012
>>> 11:42 AM To: Tracking Protection Working Group WG Subject: A
>>> First-Party List API for Site-Specific Exceptions (ISSUE-59,
>>> ISSUE-109, ISSUE-111, ISSUE-113, ISSUE-114)
>>>
>>> There have been renewed expressions of interest in a first-party
>>> API that lists which third parties have an exception. Rationales
>>> include making it easy and fast for a first party to learn about
>>> exceptions (relative to alternatives that use existing web
>>> technology) and facilitating non-blanket exceptions and possibly
>>> third-party blacklisting by users.
>>>
>>> The proposed siteSpecificTrackingExceptions API did just this; it
>>> was removed out of concern for third-party fingerprinting. I'd
>>> like to bring back the proposal, but limit access to script
>>> running in the context of a top-level (first-party) origin.
>>> Browsers already have the necessary building blocks; they know
>>> the top-level origin and the context origin associated with
>>> script execution.
>>>
>>> Here's a concrete example: A CNN visitor has granted a web-wide
>>> exception to Google ("*", "doubleclick.net"), but nobody else.
>>> When a cnn.com script calls
>>> navigator.siteSpecificTrackingExceptions, it gets back
>>> ["doubleclick.net"]. If a yahoo.com script calls
>>> navigator.siteSpecificTrackingExceptions, it gets no return
>>> value, and an error is thrown.
>>>
>>> I don't see much marginal privacy risk to including this API.
>>> Third parties already have countless stateful and stateless ways
>>> of tracking a browser, including with scripts running in the
>>> context of both their own and first-party origins. This is just
>>> another API for compliance monitors to keep tabs on.
>>>
>>> As for a first party handing a fingerprintable exception list to
>>> a third party, the same reasoning applies. A first party could
>>> just as easily pass a unique identifier (e.g. a first-party ID
>>> cookie). We should be clear in the document that the usual
>>> limits on first parties handing data to third parties apply.
>>>
>>>
>>>
>
>
Received on Wednesday, 14 March 2012 22:51:44 UTC