
Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)]

From: イアンフェッティ <ifette@google.com>
Date: Tue, 23 Oct 2012 17:54:26 -0700
Message-ID: <CAF4kx8fKEeDJ=pems4c9zyOcwLvt8YJ=hTQWFbkC43Cdjyt5hw@mail.gmail.com>
To: Fred Andrews <fredandw@live.com>
Cc: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
I did not see that proposal from Mike nor do I agree to that proposal, so I
don't see how that "makes this irrelevant now".

-Ian

On Tue, Oct 23, 2012 at 5:45 PM, Fred Andrews <fredandw@live.com> wrote:

> I don't care if the site thinks it's 1st or 3rd party.
>
> I do expect the site to correctly inform the browser if it conforms
> to the 1st or 3rd party requirements and I do expect some browsers
> to want to block resources that do not meet their expectation.
>
> Keep in mind that Mike has already proposed that the UA can request
> a resource to conform to the 1st or 3rd party requirements irrespective
> of what the site thinks of its resources so this is irrelevant now.
>
> cheers
> Fred
>
>
> ------------------------------
> From: ifette@google.com
> Date: Tue, 23 Oct 2012 16:58:57 -0700
>
> Subject: Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status value
> for EU [Tracking Preference Expression (DNT)]
> To: fredandw@live.com
> CC: public-tracking@w3.org
>
>
> It's not clear why this matters. You say you support DNT. That's all that
> should matter, unless you expect the browser to do something differently
> depending on whether the site thinks it's a first or third party. I don't
> expect the browser to do anything differently. What do you mean by "defend
> the user's tracking preference"?
>
> -Ian
>
> On Tue, Oct 23, 2012 at 4:34 PM, Fred Andrews <fredandw@live.com> wrote:
>
>
> 'Yes, I support DNT' is not a clear answer as currently defined.
>
> Does this mean 'Yes, I support DNT and conform to the 1st party requirements'
> or does it mean 'Yes, I support DNT and conform to the 3rd party requirements'?
>
> User agents do have a real need for a specific answer so they can defend
> the user's tracking preference. Mike has also mentioned concern about EU
> requirements.
>
> cheers
> Fred
>
> ------------------------------
> From: ifette@google.com
> Date: Tue, 23 Oct 2012 16:02:37 -0700
> To: michael.oneill@baycloud.com
> CC: fielding@gbiv.com; npdoty@w3.org; public-tracking@w3.org
>
> Subject: Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status value
> for EU [Tracking Preference Expression (DNT)]
>
> I still don't understand the need for this. The server should simply state
> "Yes, I support DNT" or "No, I don't support DNT" (or alternately "Yes, I'm
> honoring your request" or "No, I'm not honoring your request.")
>
> By creating this desire for the server to differentiate between parties,
> we've created this rathole that has turned into multiple over-long threads.
> There is no fundamental need for this. If someone feels that their request
> has been improperly handled, they are free to dig into all of this offline.
> As a browser, I have no intention of doing anything with this data, thus I
> don't see why there is any need. We are just over-complicating the protocol.
>
> Personally, this has gotten to a level of unnecessary complexity where I
> believe it would hurt adoption and as a result would vote against its
> inclusion in the protocol. I think we should go back to a simple "Yes I'm
> honoring your request" or "No I'm not honoring your request" 1/0 approach.
> Any additional information can be spelled out in the tracking resource
> document if someone chooses but need not be included in every response.
>
> -Ian
>
> On Tue, Oct 23, 2012 at 3:50 PM, Mike O'Neill <michael.oneill@baycloud.com> wrote:
>
> Ian,
>
> I would agree with you if we don’t have to differentiate between parties,
> but as it is we need to have a way for resources (handlers, what have you)
> to indicate what they claim to be.
>
> If there was no difference all we would need would be a status resource
> reporting compliance with the spec.
>
> Thanks for pointing out the https/http problem with the Referer header, I
> forgot to mention that in my reply to Roy.
>
> Mike
>
> *From:* Ian Fette (イアンフェッティ) [mailto:ifette@google.com]
> *Sent:* 23 October 2012 22:15
> *To:* Roy T. Fielding
> *Cc:* Mike O'Neill; Nicholas Doty; public-tracking@w3.org Group WG
>
> *Subject:* Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status
> value for EU [Tracking Preference Expression (DNT)]
>
> On Tue, Oct 23, 2012 at 12:24 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>
> On Oct 23, 2012, at 3:15 AM, Mike O'Neill wrote:
>
> > The point about particular resource URIs changing from 3rd to 1st party
> > context is one of the reasons for the change I suggested in issue-182. The
> > user-agent has the party information at hand when it sends out a request,
> > and it would be simple for it to communicate this to the server in the DNT
> > header.
>
> No, it does not.  The fact is that neither the browser nor the server
> knows what requests are first party and what requests are third party.
> Just clicking on a link doesn't make it the first party -- the identifier
> would have to be compared to the contextual user information (the
> information that gave the user the idea that they wanted to click
> on that link).
>
> In theory, the only way we could mechanically distinguish between
> first and third party references would be to change the URIs
> (not going to happen) or add additional metadata to the mark-up to
> indicate which is which; in practice, we already know that authors
> won't correctly mark-up such links, and I suspect TLR would be
> somewhat upset if I started redefining HTML here.
>
> Of course, this has no impact on enforcement of the standard.
> The people building Web sites know which links are to third parties,
> even if they don't have a special mark-up.
> Regulators are fully capable of distinguishing between where they
> intend to visit and other entities that might be performing data
> collection -- a simple browser extension or protocol stream capture
> will reveal all they need to know, and is easily packaged as a tool.
>
>
> > For example the handler associated with a social widget will
> > normally receive a request indicating 3rd party context usage (DNT: 1) and
> > the handler will return Tk3. If a user clicks on it a request will be sent
> > out with the f qualifier (DNT: 1f) and the handler can return a Tk1
> > response if it now conforms to 1st party rules.
> >
> > In the DNT = 0 case the exception API will have been called. In a 3rd party
> > context the DNT header would now be DNT: 0t=toplevel.com indicating the
> > document origin of the top level page, which is also the origin host which
> > initiated the exception. This can be used to prove compliance (by retaining
> > logs in the DNT:0 case) or to debug script errors on the top level site.
>
> HTTP already has Referer header fields.
>
> ....Roy
>
>
> Referer is not sent though with https if the site is on a different origin.
>
> Stepping back though, we're spending a lot of time defining all of these
> more complex response codes, has anyone expressed any interest in using
> them? I believe this is already more complex than we have any interest in
> using, and wonder if others are in a similar position.
>
> -Ian
>
Received on Wednesday, 24 October 2012 00:54:55 UTC
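
The qualifier scheme described in Mike O'Neill's quoted proposal (DNT: 1, DNT: 1f and DNT: 0t=toplevel.com, answered with Tk3 or Tk1), as an added Python example that is not part of the thread or of any DNT specification. The grammar is inferred only from the header values quoted in the thread; the function names, the `conforms_first_party` flag and the fallback to Tk3 when the handler does not conform to 1st party rules are assumptions.

```python
import re

# Grammar assumed from the values quoted in the thread:
#   "1", "0"            plain preference
#   "1f"                 request sent with the f (first-party) qualifier
#   "0t=toplevel.com"    exception granted; t= carries the top-level origin
_DNT_RE = re.compile(r"(?P<pref>[01])(?:(?P<first>f)|t=(?P<top>[A-Za-z0-9.-]+))?")


def parse_dnt(value):
    """Return (preference, first_party_qualifier, top_level_origin),
    or None when the value does not fit the assumed grammar."""
    m = _DNT_RE.fullmatch(value.strip())
    if m is None:
        return None
    return m.group("pref"), m.group("first") is not None, m.group("top")


def tk_status(dnt_value, conforms_first_party):
    """Status a handler would report under the proposal: "Tk1", "Tk3" or None.

    conforms_first_party is a hypothetical per-resource flag: True when the
    handler meets the 1st party rules once the user interacts with it.
    """
    parsed = parse_dnt(dnt_value)
    if parsed is None or parsed[0] != "1":
        return None  # the thread only describes Tk1/Tk3 for DNT: 1 requests
    _pref, first, _top = parsed
    if first and conforms_first_party:
        return "Tk1"
    return "Tk3"  # assumed fallback: treat the request as 3rd party context


def record_exception(dnt_value, log):
    """Append the top-level origin of a DNT: 0t=<origin> request to `log`,
    the retention the proposal suggests for proving compliance."""
    parsed = parse_dnt(dnt_value)
    if parsed is None or parsed[0] != "0" or parsed[2] is None:
        return False
    log.append(parsed[2])
    return True


if __name__ == "__main__":
    # Constructed sample requests following the widget example in the thread.
    audit_log = []
    for header in ["1", "1f", "0t=toplevel.com", "1x"]:
        print(header, parse_dnt(header), tk_status(header, True),
              record_exception(header, audit_log))
    print(audit_log)
```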
