Re: ISSUE-111 - Exceptions are broken

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 28 Mar 2012 18:26:11 +0200
Cc: Shane Wiley <wileys@yahoo-inc.com>, David Singer <singer@apple.com>, Tracking Protection Working Group WG <public-tracking@w3.org>
Message-Id: <F6333C7B-8726-4500-801B-05224AA21F98@gbiv.com>
To: Vincent Toubiana <v.toubiana@free.fr>

On Mar 28, 2012, at 11:17 AM, Vincent Toubiana wrote:

> Shane,
> 
> IMHO it just means "I'm ok being tracked on this site". I believe this is quite different, I trust my bank website but would not be ok to be tracked while I'm browsing it.
> Furthermore, trusting a website is not enough if even the 1st party does not know which third parties will be called on its site (it can not trust them).
> 
> Vincent

The first party doesn't need to know what domains are being used by third-party
ad services because it is the exchange that monitors and enforces compliance
with its own service policies.  Otherwise, you would see inappropriate ads all
the time (because the bad guys always bid more and don't pay the bill).
The first party needs to trust the exchange.

More importantly, IIRC, the decision about what ad service is selected is
highly dependent on context, with much of that context being potentially
identifiable of a user (because there is no minimum sample size), so once
the process of using an ad exchange has begun ... we are wasting our time
worrying further about tracking that request.

I agree with Kevin.  The site-specific exception model doesn't work
unless it includes all subrequests on the first-party page.

If a user doesn't want to be tracked, they need to send DNT:1 to everyone.
If a first party doesn't want DNT:1 users, then they have to convince the
user to turn it off or design a separate site that tracks based on account
login and prior consent.  Regardless, first-parties will have to communicate
with ad exchanges (via contract or parameter passing) about how to handle
clients that send DNT:0 (or no header at all) to the first-party but DNT:1
to its ad servers.  A UI for selective exceptions of specific domains per
first-party site is worse than useless.

....Roy
Received on Wednesday, 28 March 2012 16:26:44 UTC
