
RE: tracking-ISSUE-167 (mikeo): Multiple site exceptions [Tracking Preference Expression (DNT)]

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Wed, 26 Sep 2012 12:34:02 +0100
To: "'Rigo Wenning'" <rigo@w3.org>
Cc: <public-tracking@w3.org>
Message-ID: <023101cd9bda$d4fdefc0$7ef9cf40$@baycloud.com>

Hi Rigo,

I read the same-party member as being a list of 3rd party elements on the 1st party page that can be taken as also 1st party, i.e. if an ad from webmail.com gets hit when someone visits a bigisp.net page they can track because they say they are joint 1st party. If the meaning was expanded so as to apply also to sites not referenced by elements on any page, it might work, though the list could get very long (one of the Multibrand-Incs I know has over 2000 sites). I suppose a new same-party list could add to an existing one in the grants db, but how would you match them up?

It also bypasses the same-origin security model, which I think is a good aspect of the present TPE spec. If that was avoided here there would be no point in keeping it.

I think the use case also applies outside the EU context. If sites inserted 1st party script to check for DNT:1 and then get exceptions for their 3rd parties then they may want to do that across all their domains in one go, and not annoy their users. If users get too many demands for exceptions then they could end up being ignored, a blanket ban enabled if the user-agent supports it, or DNT being returned to unset.

BTW the OriginalDomainOrigin parameter is unnecessary (it is implicit in the returned trackingExceptionID), it's only there to show how the same-origin policy can be leveraged.

Thanks


Mike

-----Original Message-----
From: Rigo Wenning [mailto:rigo@w3.org] 
Sent: 26 September 2012 10:54
To: public-tracking@w3.org
Cc: Mike O'Neill; 'Nicholas Doty'
Subject: Re: tracking-ISSUE-167 (mikeo): Multiple site exceptions [Tracking Preference Expression (DNT)]

Mike, 

I see what you want to accomplish. But can't you do that by normally requesting an exception for one entity and declaring all the others in "same-party"? Can you verify whether the wording in the TPE-specification would fit your use case? In this case, the first site the user hits would ask for an exception and all the others are in the "same-party" field anyway. So if the browser hits bar.org it gets an exception. If the browser now hits foo.org it reads "same-party" in the WKL and finds that foo.org and bar.org are the same-party, thus the exception applies. I recognize that there are security issues here as someone can just claim to be the same-party as a well known site.

Nick, I think Mike is trying to accomplish a cookie-consent for one entity over many sites. And in the EU context, the first party - third party distinction doesn't really play that same role. So the goal here is to disturb the user only once for a large array of sites belonging to the same legal entity, regardless of whether those are first or third parties. But I may be wrong. 

Rigo

On Tuesday 25 September 2012 15:00:23 Mike O'Neill wrote:
> For instance if I go to multi-brand.yummycatford.co.uk I could see
> their tracking policy is from Multibrand Inc. I agree to their
> cookies using a UI meeting the EU PECR requirement and
> simultaneously agree to an exception for a set of embedded 3rd
> party content on that site. Multibrand Inc. record my agreement
> to their cookies (I have also agreed to their cookies/storage so
> that’s fine) and also a record of the domain-origin
> (multi-brand.yummycatford.co.uk) together with the
> trackingExceptionID returned with the exception grant callback.
Received on Wednesday, 26 September 2012 11:34:41 UTC
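The mechanism Rigo sketches (one exception granted to bar.org, then extended to foo.org because the two name each other as "same-party") and the security objection both authors raise (any site can write bar.org into its own same-party list) can be made concrete with a small model of a user agent's grants database. The following is an added example written for this page; it is not code from the W3C thread, from the TPE specification or from any browser. The shape of the tracking status resource, the grant record, the `storeSiteSpecificTrackingException` / `trackingExceptionID` names as used here, and the reciprocity rule are all assumptions made for the example: an exception is only extended to a second origin when both origins' own resources list each other, so a site can never attach itself to another site's grant by editing a resource it alone controls.

```javascript
// Added example (not from the W3C thread or the TPE spec): a toy model of a
// user agent's exception store that extends a site-specific tracking exception
// across a "same-party" set, but only when the claim is reciprocal. Field
// names, the resource shape and the reciprocity rule are assumptions.

// Constructed sample tracking status resources, keyed by the origin that served
// them. Each site serves its own resource from its own origin, so a site can
// only ever speak for itself; that is the same-origin property at stake here.
const trackingStatusResources = {
  "bar.org":         { "same-party": ["foo.org", "webmail.example"] },
  "foo.org":         { "same-party": ["bar.org"] },  // names bar.org back
  "webmail.example": { "same-party": [] },           // listed by bar.org, silent itself
  "evil.example":    { "same-party": ["bar.org"] },  // unilateral claim; bar.org never lists it
};

// Constructed grants database: requesting origin -> exception record.
const grants = new Map();
let nextId = 1;

// Models the user's grant: records the origin that asked and the third-party
// domains covered, and returns an opaque trackingExceptionID for that grant.
function storeSiteSpecificTrackingException(origin, arrayOfDomainStrings) {
  const trackingExceptionID = `tx-${nextId++}`;
  grants.set(origin, { trackingExceptionID, domains: [...arrayOfDomainStrings] });
  return trackingExceptionID;
}

// Same-party domains declared by an origin's own resource (empty if none fetched).
function samePartyOf(origin) {
  const tsr = trackingStatusResources[origin];
  return tsr && Array.isArray(tsr["same-party"]) ? tsr["same-party"] : [];
}

// A claim counts only when both resources name each other: neither side can
// attach itself to the other's exception by editing a resource it controls.
function isReciprocalSameParty(a, b) {
  return samePartyOf(a).includes(b) && samePartyOf(b).includes(a);
}

// Decide whether the exception granted to grantOrigin also covers visitedOrigin.
function exceptionApplies(visitedOrigin, grantOrigin) {
  if (!grants.has(grantOrigin)) return false;
  if (visitedOrigin === grantOrigin) return true;
  return isReciprocalSameParty(visitedOrigin, grantOrigin);
}

// Look up the trackingExceptionID that applies to a visited origin, or null.
function findApplicableException(visitedOrigin) {
  for (const [grantOrigin, record] of grants) {
    if (exceptionApplies(visitedOrigin, grantOrigin)) return record.trackingExceptionID;
  }
  return null;
}

// Walk the scenario from the thread: the user grants bar.org an exception once,
// then visits the other sites. Returns the outcome per site for inspection.
function runScenario() {
  const grantedId = storeSiteSpecificTrackingException("bar.org", ["ads.example"]);
  const sites = ["bar.org", "foo.org", "webmail.example", "evil.example"];
  const outcome = {};
  for (const site of sites) outcome[site] = findApplicableException(site);
  return { grantedId, outcome };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Running it shows bar.org and foo.org sharing the one grant, while webmail.example (listed by bar.org but not listing it back) and evil.example (claiming bar.org without being claimed) get nothing. The reciprocity check is the part that answers Rigo's "someone can just claim to be the same-party" concern; it does not answer Mike's scaling point, since a brand with 2000 sites would still need every pair of resources to name each other.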

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:34 UTC