W3C home > Mailing lists > Public > public-tracking@w3.org > May 2012

Re: explicit-explicit exception pairs

From: Rigo Wenning <rigo@w3.org>
Date: Fri, 04 May 2012 22:31:18 +0200
To: ifette@google.com, Nicholas Doty <npdoty@w3.org>
Cc: public-tracking@w3.org, Matthias Schunter <mts-std@schunter.org>, rob@blaeu.com
Message-ID: <5384840.Pu0FOM1JcH@hegel.sophia.w3.org>
Ian, 

this is very clear and I think we are at the core of the issue. I have to 
leave it to Rob (and it may take some time) to answer the question whether 
informed consent can be given to an unknown list of third parties tracking 
me. From my german and french law roots, I have a feeling it doesn't work, 
but maybe I'm wrong. 

Your protocol would look like this:

-> GET example.org/index.html
<- only if you accept my third parties
-> "*", now gimme the content 
<- DNT:t 200 OK
[flood of subsequent uncontrolled requests]

Very simple. This mainly implements the use case to allow sites to turn 
users down if they have DNT on. It is very service centric. Simple, 
efficient, addressing the one use case that is of interest to the service. 
But the effort started because of user concerns. We are not here because the 
services have complained that they can't turn down users. 

It is also absolutely centric on the first party. In this scenario, a web-
wide exception doesn't buy you anything anymore, because a user will either 
accept tracking for all or being turned down. There is no other possibility, 
apart from a friendly site allowing you to get the content without tracking.

But wait, in this case it would be even simpler to send the DNT;0/1 header 
to the first party and get a 0/1/2 header back that tells my browser whether 
I'm blocked, tracked or not. This header would only be sent to the first 
party, because once the blocking was overcome, everybody gets a DNT;0 
anyway. 

This way we can remove at least 50% of the wording in the TPE Specification. 
I think this is already implemented in most browser and we would just have 
to adapt the feedback headers and a box saying: You only get the content if 
you click OK.

And you're right: What you call  la carte is perhaps too much data self 
determination and too much believe that the browser actually knows where it 
is sending requests to. If it knows that, shouldn't it accept the user's 
preferences on where to send what? I still believe the burden of  la carte 
is justified and that the blocking situation that you describe is 
effectively a prompt for login, only faster. 

Best, 

Rigo

On Friday 04 May 2012 09:39:54 Ian Fette wrote:
> You seem to believe that for European use cases to be met, a site must
> request an explicit list of third parties rather than *. If that's true,
> it basically renders * useless, and would require polling on each site
> and introducing 1 round trip to the server to figure out if all third
> parties on your site are covered by exceptions. The browser can't tell
> the site "all your third parties are covered" a-priori in the  la carte
> case because the browser knows what third parties are covered, but not
> what third parties will actually be present on the site. This means that
> if a site only wants to show content if it's gotten an exception, it must
> first serve some javascript to poll which sites have exceptions, send the
> result back to the server, and then do something. This adds a HUGE amount
> of latency and is unacceptable.
Received on Friday, 4 May 2012 20:31:46 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:28 UTC