RE: tracking-ISSUE-184 (Walter van Holst): 3rd party dependencies in 1st party content [Tracking Definitions and Compliance]

From: Fred Andrews <fredandw@live.com>
Date: Wed, 24 Oct 2012 21:14:23 +0000
Message-ID: <BLU002-W1437803C20BA60B387DE8C9AA780@phx.gbl>
To: Tracking Protection Working Group <public-tracking@w3.org>
DNT should be able to provide a protocol that allows the user to be informed and
to at least make a decision about using the services. The server would be asking
for consent to use the bundle of services - take it or leave it.

Not sure that a w3c spec. can dictate their terms, however if they are
using private UA state to discriminate against users then this might be a matter
that can be blocked with a technical solution.  However they could just amend their
terms to require visibility over your UA operation to use the service and they may
be able to detect this in a manner that is hard to spoof so in the end you may just
need to move on if you do not accept this.

I suspect the main reason that these servers can do this now is that they can do
so covertly and that the platform has been so poorly designed.

Would you use a cable tv network that demanded you run a camera on top of
your tv so that the network provider could enforce a term that requires you to watch
all the ads, and so that they could listen in on your conversations to detect ad
opportunities?

If the 1st party can not actually view the status of the request to the 3rd party then
a UA could conceivably mount a defense against this.  If the 1st party server can
see the defense then it could block further use, and with current DOM/script design
this is quite likely. This is an unfortunate result of the poor consideration of privacy
in the HTML standards, and the PUA CG is trying to address this and expects to
prevent the leaking of private UA state such as the use of such defenses.

The DNT consent API may be creating the same problem by enabling nag-ware to
just continue prompting the user for consent!

cheers
Fred

> Date: Wed, 24 Oct 2012 17:07:50 +0000
> To: public-tracking@w3.org
> From: sysbot+tracker@w3.org
> Subject: tracking-ISSUE-184 (Walter van Holst): 3rd party dependencies in 1st party content [Tracking Definitions and Compliance]
> 
> tracking-ISSUE-184 (Walter van Holst): 3rd party dependencies in 1st party content [Tracking Definitions and Compliance]
> 
> http://www.w3.org/2011/tracking-protection/track/issues/184
> 
> Raised by: Walter van Holst
> On product: Tracking Definitions and Compliance
> 
> As anyone that plays around with ad blockers, selective javascript tools, cookie killers and assorted privacy-enhancing browser extensions can attest there is a steady increase of content provided by what under the current text would be a 1st party that cannot be viewed unless content from a 3rd party is also accepted by the UA, be it cookies or javascript.
> 
> This raises an interesting situation if we have DNT. For example we have a 1st party that is trusted by the user and also claims to comply with DNT and a 3rd party that is neither. Since the 1st party content is technically dependent on 3rd party content, the user has the choice between either granting consent to the 3rd party in order to have the 1st party function properly or not getting the content at all.
> 
> To what extent is such consent informed, genuine and meaningful?
> 
Received on Wednesday, 24 October 2012 21:14:51 UTC