Re: Signals for internal / external usage of site elements (the signals formerly called "1" and "3")

Matthias,

You lost me…
In the scenario you give Matthias' site would not be tracking; rather it would arguably be putting Google in a position where it unintentionally became a tracker.  I would assume that if Matthias' home page took the Google logo and, without Google's permission placed its fully qualified URL on his site, that Google would not likely respond by sharing the data thereby collected in its unintentional 3rd party context with Matthias.

If Matthias' site reuses a Google element by embedding img src=http://www.google.com/images/logo.gif  on Matthias.com, how does Matthias.com respond with anything to this request?  It never goes to Matthias.com?

-Brooks

--

Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the Wunderman Network
(Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
brooks.dobbs@kbmg.com

[cid:67AC0F82-68F2-4E78-8CDA-21EBA82FFDF2]

This email – including attachments – may contain confidential information. If you are not the intended recipient,
 do not copy, distribute or act on it. Instead, notify the sender immediately and delete the message.

From: "Matthias Schunter (Intel Corporation)" <mts-std@schunter.org<mailto:mts-std@schunter.org>>
Date: Monday, January 6, 2014 3:23 PM
To: "public-tracking@w3.org<mailto:public-tracking@w3.org> (public-tracking@w3.org<mailto:public-tracking@w3.org>)" <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Signals for internal / external usage of site elements (the signals formerly called "1" and "3")
Resent-From: <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Resent-Date: Monday, January 6, 2014 3:23 PM

Hi Team,


as part of removing dependencies in the compliance spec, Roy removed the "1" and "3" signals.
I would like to make a case for keeping these two signals in a revised form.

SCENARIO TO PREVENT

The reason these signals were included is to detect/prevent the following scenario:
1. - A party designs an element to be used _only_ within its own web-site (e.g., the google logo).
2. - The party uses this element for some kind of tracking
3. - Another site (say Matthias's homepage) re-uses the element and, e.g., claims "not to do tracking"
4. - However, in fact, the other site does tracking (by accidentially embedding the tracking element)


OLD TEXT
This is the text, I copied from an older version of the DNT spec.



3       Third party: The designated resource is designed for use within a third-party context and conforms to the requirements on a third party.
1
        First party: The designated resource is designed for use within a first-party context and conforms to the requirements on a first party. If the designated resource is operated by an outsourced service provider, the service provider claims that it conforms to the requirements on a third party acting as a first party.

Roy had to remove the text since it references "requirements on a first party" (that is undefined in the TPE and will be defined in the compliance regime)

PROPOSED NEW TEXT
I think that the signaling of "elements for site-internal use" and "elements re-usable by other sites" remains useful.



3       Third party: The designated resource is designed for re-use by other parties.
1
        First party: The designated resource is designed for use within the serving party.


In the scenario above,  this would work as follows:
1. - A party designs an element to be used _only_ within its own web-site (e.g., the google logo) ("1")
2. - The party uses this element for some kind of tracking  ("T")
3. - Another site (say Matthias's homepage) re-uses the element and, e.g., claims "not to do tracking" ("N")
4. - However, in fact, the other site does tracking (by accidentially embedding the tracking element)
The result (detectable by a browser or by the site owner) is that a "1+T" element from another site would
show up on the page that claims "N".  This may indicate a potential problem.

Any opinions/feedback/improvements?


Regards,
matthais