RE: fyi: Fingerprinting risk from Mike O'Neill on 2017-05-08 (public-tracking@w3.org from May 2017)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Mon, 8 May 2017 09:02:08 +0100
To: "'Matthias Schunter $Intel Corporation$'" <mts-std@schunter.org>, "'David Singer'" <singer@apple.com>, "'Rob van Eijk'" <rob@blaeu.com>
Cc: <public-tracking@w3.org>
Message-ID: <074101d2c7d1$6487cf40$2d976dc0$@baycloud.com>
The site-specific call already has the option for a restricted list to receive DNT:0 via the arrayOfDomainStrings argument, otherParties would not add anything if it only affected DNT. The reporting API is additional to both anyway.

The initial reason for otherParties was to enable third-party behavioural advertising in an opt-in only legal environment, though there are advantages in other use cases also (such as controlling malware).

Blocking is already a major factor for the web, through ad blocking or other content blocking. Using otherParties array will help sites regain some control over arbitrary blocking because UAs will tend over time to take account of it.






-----Original Message-----
From: Matthias Schunter (Intel Corporation) [mailto:mts-std@schunter.org] 
Sent: 07 May 2017 21:28
To: David Singer <singer@apple.com>; Rob van Eijk <rob@blaeu.com>
Cc: public-tracking@w3.org (public-tracking@w3.org) <public-tracking@w3.org>
Subject: Re: fyi: Fingerprinting risk

Hi David,


I agree that this is a potential can of worms.

Background: Shane proposed that a publisher can list all known/expected
third parties in an other-party field. He also suggested that the
publisher can request that other third parties are blocked. Since this
blocking is triggered by the publisher himself, it may be less
controversial. The basic idea is that it helps the publisher to ensure
that only compliant third parties are loaded.

On the downside, it would allow the publisher to constrain the business
of third parties that the publisher uses.

An alternative could be to indeed only talk about DNT;0/1.

In such a version (with no explicit blocking), the outcome would look as
follows:
1. other-parties declares a list of third party
2. A site-wide exception triggers sending DNT;0 to those listed third
parties (all unlisted third parties continue to receive DNT;1)
3. The publisher can use a JS API to ask "what additional third parties
occured on the site".

This whole scenario would not use blocking.

I guess it is up to shane to decide whether a non-blocking version
satisfies his requirements or not.


Regards,
matthias


On 05.05.2017 23:28, David Singer wrote:
> 
>> On May 5, 2017, at 10:41 , Rob van Eijk <rob@blaeu.com> wrote:
>>
>>
>> I understand that when a user is visiting a site, site-wide consent (initiated by the publisher) is Exceptions are all-or-nothing, based on the current TPE text (i.e., site-wide exception).. 
>>
>> Two questions come to my mind when I turn the perspective to the 3rd parties. 
>> - If there any third parties left not listed in OtherParties of SameParty that do not have OOBC consent and are not being blocked by the browser? 
>> - If so, these 3rd parties could ask a user-granted exception through the API and he exception would only apply to that specific 3rd party, right? (i.e., site-specific user granted exception)
> 
> I think any site from which scripts are pulled can then ask for exception; it doesn’t have to be top-level. So if the top-level pulls in scripts etc. from site B, site B can run a script that asks for an exception for it.
> 
> I don’t think DNT has opened the can of worms of blocking, and I’m not sure I am ready to deal with all those worms just yet
> 
>>
>> Rob 
>>
>> -----Original message-----
>> From: David Singer
>> Sent: Friday, May 5 2017, 7:17 pm
>> To: Matthias Schunter (Intel Corporation)
>> Cc: public-tracking@w3.org (public-tracking@w3.org)
>> Subject: Re: fyi: Fingerprinting risk
>>
>>
>>> On May 5, 2017, at 0:43 , Matthias Schunter (Intel Corporation) <mts-std@schunter.org> wrote:
>>>
>>> Hi Folks,
>>>
>>> I would like to elaborate why I changed my mind and why I now believe
>>> that the fingerprinting risk has been mitigated ;-)
>>>
>>> MY PAST MISUNDERSTANDING
>>> - I assumed that users can do fine-grained choosing what subset of an
>>> exception to accept and what to block
>>> - The subset of blacklisted domains could be fairly individual
>>> - Reporting back the list of blocked domains (the intersection between
>>> the used third parties and the blacklist of a user) would be very
>>> individual too
>>> - As a consequence, reporting back this list would identify individual users
>>>
>>> MY CURRENT THINKING
>>> - Exceptions are all-or-nothing and sites may publish a list of known
>>>  third parties
>>> - None of the domains listed shall be blocked
>>
>> The DNT spec. is silent about blocking. What it talks about is what headers you send and what they mean, and indeed exceptions are granted or denied as units. 
>>
>>> - All the domains not listed shall be blocked and returned
>>> - The list of domains that are blocked almost only depend on the
>>>  site (i.e. what stuff it is including) and not on user specifics.
>>> - As a consequence, the list of blocked sites should not allow
>>>  identifying users.
>>>
>>> [The only exception could be cases where the unknown sites loaded depend
>>> on the user; e.g. an ad auction that pulls in unknown sites based on
>>> user cookies. I hope that those are rare corner cases.]
>>>
>>> Regards,
>>> matthias
>>>
>>>
>>>
>>
>> Dave Singer
>>
>> singer@mac.com
>>
>>
> 
> David Singer
> Manager, Software Standards, Apple Inc.
>
Received on Monday, 8 May 2017 08:03:59 UTC