W3C home > Mailing lists > Public > public-tracking@w3.org > September 2012

Re: tracking-ISSUE-167 (mikeo): Multiple site exceptions [Tracking Preference Expression (DNT)]

From: Rigo Wenning <rigo@w3.org>
Date: Wed, 26 Sep 2012 14:31:50 +0200
To: public-tracking@w3.org
Cc: Mike O'Neill <michael.oneill@baycloud.com>
Message-ID: <2239034.Ux2eob2Zya@hegel.sophia.w3.org>
Mike, 

On Wednesday 26 September 2012 12:34:02 Mike O'Neill wrote:
> I read the same-party member as being a list of 3rd party elements
> on the 1st party page that can be taken as also 1st party, i.e.
> if an ad from webmail.com gets hit when someone visits a
> bigisp.net page they can track because they say they are joint
> 1st party. 
That was the initial use case. So yes, that's the current meaning. 
We can either extend that meaning or create another element if that 
would be one solution to your use-case, but I have doubts about my 
own suggestion now. 

> If the meaning was expanded so as to apply also to
> sites not referenced by elements on any page, it might work,
> though the list could get very long (one of the Multibrand-Incs I
> know has over 2000 sites). I suppose a new same-party list could
> add to an existing one  in the grants db, but how would you match
> them up?

>From an implementation point of view, you would give them a unique 
ID. From a specification point of view, I wouldn't proscribe 
anything. 
> 
> It also bypasses the same-origin security model, which I think is
> a good aspect of the present TPE spec. If that was avoided here
> there would be no point in keeping it.

This is, I think, a decisive argument against my suggestion. But as 
your use case is valuable, what are the alternatives? With 2000 
sites belonging to the same entity, we are also at the limit of what 
notice & choice, let alone data self determination, can do. A user 
will not understand this. What a user would understand is a message 
saying: "This site belongs to example Inc. You have already agreed 
to share data with example Inc in your decision on example.com, 
proceed?" But that is annoying the user too much. Creative ideas 
welcome. We could though have the exception dialog mention the legal 
entity and shoot a list of domains to the user agent that contains 
all the sites belonging to that same entity. But that kills the nice 
simplicity of the protocol and the model. 
> 
> I think the use case also applies outside the EU context. 

I agree. Shane had taken that up with web-wide exceptions of third 
parties. Shane's use case is one (third party) in conjunction with 
many (first parties). Here you want a format to express that those 
many are really only one. A list helping the browser to understand 
would help. But this requirement would not oblige the browser to do 
something with it. It could just use it to determine whether to 
prompt or not. This could be done in the exception mechanism or in 
the WKL discovery. If it is just an offer for information for a user 
agent, it would also not break the same-origin security model.

Question is whether the browser folks find that useful and 
implementable. 

Rigo
Received on Wednesday, 26 September 2012 12:32:16 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:34 UTC