- From: Joseph Lorenzo Hall <joe@cdt.org>
- Date: Fri, 19 Aug 2016 14:39:27 -0400
- To: "Mike O'Neill" <michael.oneill@baycloud.com>
- Cc: public-tracking@w3.org, Jeff Jaffe <jeff@w3.org>

The point being Tk: 1 cannot serve as an analog to Tk: T as that's not actually what is happening on the sites that are doing this now?

On Thu, Aug 18, 2016 at 11:56 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote:
> Bouncer lets you quickly see how sites respond to DNT. It shows there are quite a few sites responding with Tk: 1, which is not one of the valid values in the TPE https://www.w3.org/TR/tracking-dnt/#tracking-status-value
> Sites that do this include the GCHQ! www.gchq.gov.uk, but also w3.org. I imagine the reason so many sites get this wrong is because of the W3C example.
>
> I think the reason the w3.org site team did this may have been confusion on what TSV to use. If no tracking occurs then the obvious response would be Tk: N, but the W3C also uses an authentication cookie UID. Because images are often loaded on other sites e.g. https://w3.org/2008/site/images/logo-w3c-mobile-lg
> w3.org ends up being an embedded third-party, so should return Tk: T when the authentication is present, but this breaks expiration caching as Roy has pointed out.
>
> If this was the reason it is unfortunate that it wasn’t brought up here.
>
> The situation could be addressed in 3 ways.
>
> 1) W3C site is changed to return Tk: T for DNT logged in users, otherwise Tk: N, and support verification caching. This would create a bigger load on W3C servers though for UAs other than IE (assuming w3.org also uses the API).
> 2) We add a new permitted use to the TPE with a new qualifier code L for first-party login. It can only be used for that purpose, and is discarded if seen as an embedded third-party.
> 3) We do 2) but also accept the situation as de-facto, and make a TSV of "1" an alias for "C" with an assumed qualifier of "L" (and an implied commitment to discard the UID as above)
>
> Mike
>
> -----Original Message-----
> From: Mike O'Neill [mailto:michael.oneill@baycloud.com]
> Sent: 10 August 2016 19:12
> To: public-tracking@w3.org
> Subject: Bouncer, Guide
>
> Following today’s call, here again is the Chrome browser extension Bouncer
> https://chrome.google.com/webstore/detail/baycloud-bouncer/bplgfejjkplajgmkcbbgaeceamceohkc?hl=en-GB&gl=GB
>
> It shows how sites and third-parties respond to DNT, if they have a TSR, EFF Policy, TSV response header etc. Click on the TSR one to see the actual TSR
>
> It implements the full API, use this test page to exercise it:
> https://baycloud.com/api/test
>
> and here again is the DNTGuide document:
>
> https://trackingprotection.github.io/Implementation/DNTGuide/
>
> Mike

--
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
1401 K ST NW STE 200, Washington DC 20005-3497
e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871

Received on Friday, 19 August 2016 18:40:19 UTC
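
The check discussed in this thread, as an added example that is not part of the original messages and is not Bouncer's code: it pulls the Tk field out of raw response headers and tests its tracking status value against the TSV list in the TPE, so a value such as `1` is reported as invalid. The function names and the `example.test` hosts are assumptions, the sample responses are constructed, and the optional `;status-id` suffix is split off but not validated.

```python
# Tracking status values (TSVs) the TPE permits as the first part of a Tk value.
VALID_TSV = {
    "!": "under construction", "?": "dynamic", "G": "gateway",
    "N": "not tracking", "T": "tracking", "C": "tracking with consent",
    "P": "potential consent", "D": "disregarding DNT", "U": "updated",
}

def parse_tk(raw_headers):
    """Return every Tk field value found in a raw HTTP response header block."""
    values = []
    for line in raw_headers.splitlines()[1:]:      # skip the status line
        if not line:                               # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "tk":   # field names are case-insensitive
            values.append(value.strip())
    return values

def check_tk(value):
    """Classify one Tk value as (ok, detail). TSVs are case-sensitive."""
    tsv = value.partition(";")[0].strip()          # drop the optional ";status-id"
    if tsv in VALID_TSV:
        return True, VALID_TSV[tsv]
    return False, "invalid TSV %r" % tsv

def audit(responses):
    """Map host -> list of (value, ok, detail); an empty list means no Tk header."""
    return {host: [(v,) + check_tk(v) for v in parse_tk(raw)]
            for host, raw in responses.items()}

# Constructed sample responses; hosts are placeholders, not real sites.
SAMPLE = {
    "a.example.test": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nTk: 1\r\n\r\n",
    "b.example.test": "HTTP/1.1 200 OK\r\ntk: T;fRx42\r\n\r\nTk: 1 in body\r\n",
    "c.example.test": "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n",
}

if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        print(host, findings or "no Tk header")
```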