RE: [w3c/dnt] Add more meta data in the Tracking Status Resource (#22) from Mike O'Neill on 2017-05-24 (public-tracking@w3.org from May 2017)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Wed, 24 May 2017 05:53:49 +0100
To: "'TOUBIANA Vincent'" <vtoubiana@cnil.fr>, "'David Singer'" <singer@apple.com>
Cc: "'Rob van Eijk'" <rob@blaeu.com>, <public-tracking@w3.org>
Message-ID: <0a5b01d2d449$bc44c3d0$34ce4b70$@baycloud.com>
In reality domains can be categorised in multiple ways, e.g. analytics or
advertising, or one analytics only (perhaps) domain causes a redirect or
embeds another subresource that is clearly for advertising. This happens a
lot.

Dare I say this is a good use case for a slightly elaborated otherParties
array? The potential rich structure available via JSON could allow for
arbitrary categorisation by sites of the other domains they know about. This
is already done in many incompatible and  non-standard ways by most European
sites.

e.g.
{
               "categories":[
		"analytics", [
				"www.exampleanalytics.com",
				"*.anlyticsleadingtoadvertising.com",
		       	],
		"advertising": [
				"www.advertising.com",
				"*.analyticsleadingtoadvertising.com",
		          	 ],
		"functional": [
				"jquery.com",
				"fonts.com"
			         ]
	]
}

BTW I think partial wildcards makes implementation by websites a lot easier.

Mike


-----Original Message-----
From: TOUBIANA Vincent [mailto:vtoubiana@cnil.fr] 
Sent: 23 May 2017 21:55
To: David Singer <singer@apple.com>
Cc: Rob van Eijk <rob@blaeu.com>; public-tracking@w3.org
(public-tracking@w3.org) <public-tracking@w3.org>
Subject: RE: [w3c/dnt] Add more meta data in the Tracking Status Resource
(#22)

Sure,  but the target can never be a "*"  otherwise you could not grant an
exception for one category and not to another (at least you can not store
these exceptions in the browser). So that mean that a publisher would have
to list for each category all the domains that are associated to it, and in
the case of advertising it may not always be possible (as far as I
understand).

Vincent
________________________________________
De : singer@apple.com <singer@apple.com> de la part de David Singer
<singer@apple.com>
Envoyé : mardi 23 mai 2017 20:14
À : TOUBIANA Vincent
Cc : Rob van Eijk; public-tracking@w3.org (public-tracking@w3.org)
Objet : Re: [w3c/dnt] Add more meta data in the Tracking Status Resource
(#22)

I am not sure what you mean.  A site can make several different, additive,
calls with different explanation strings (and one assumes different
targets).

Sent from my iPad

> On May 23, 2017, at 11:12 AM, TOUBIANA Vincent <vtoubiana@cnil.fr> wrote:
>
>
>
> Yes that works to inform the user, but I'm not sure you can store the
exception and the information in the browser.
> ________________________________________
> De : singer@apple.com [singer@apple.com]
> Envoyé : mardi 23 mai 2017 17:44
> À : TOUBIANA Vincent
> Cc : Rob van Eijk; public-tracking@w3.org (public-tracking@w3.org)
> Objet : Re: [w3c/dnt] Add more meta data in the Tracking Status Resource
(#22)
>
>> On May 23, 2017, at 1:10 , TOUBIANA Vincent <vtoubiana@cnil.fr> wrote:
>>
>> Hi David,
>>
>> As Rob mentioned it would be very helpful if publisher could store
multiple site specific exceptions, one for each category. However, my
understanding is that site-specific-exceptions are stored as duplets
[origin, target] or [origin,*] so it is not possible to record an exception
for a purpose.
>
> Ah but you can explain; there is
>
> explanationString
> A short explanation of the request.
>
> in every request.  Since it’s just to explain to the user, this would seem
to suffice.
>
>>
>> We may have to store triplets instead [origin, *, category] but that's
not a minor change I guess.
>>
>> Best regards,
>>
>> Vincent
>>
>> -----Message d'origine-----
>> De : singer@apple.com [mailto:singer@apple.com]
>> Envoyé : vendredi 12 mai 2017 16:38
>> À : Rob van Eijk <rob@blaeu.com>
>> Cc : public-tracking@w3.org (public-tracking@w3.org)
<public-tracking@w3.org>
>> Objet : Re: [w3c/dnt] Add more meta data in the Tracking Status Resource
(#22)
>>
>>
>>> On May 11, 2017, at 22:39 , Rob van Eijk <rob@blaeu.com> wrote:
>>>
>>>>> So, I am having a hard time with finer-grained exception handling on
both ends — unlikely to be used at the UA, and unlikely to make sense for
sites. Why do we keep exploring it?
>>>
>>> In Europe most sites allow for granular consent based on categories of
embedded 3rd parties, e.g.,
>>>     • Functional cookies
>>>     • Analytics
>>>     • Social media
>>>     • Advertising cookies
>>>     • (Re)targeting cookies
>>> Would the publisher still be able to allow for such granularity based on
the current text in the TPE?
>>
>> Yes.  If the publisher has more than one ‘bundle’ of third parties, it
can call the exceptions API multiple times, to store site-specific
exceptions (a) for my advertisers (b) for my social media connections, etc.
>>
>> In each case, it knows it either has the complete requested exception
granted, or not; there’s no partial exception. Either I have advertising
tracking go-ahead, or I don’t.
>>
>>
>>>
>>> Rob
>>> —
>>> PGP id: CC4F3863 [public key]
>>> PGP fingerprint: 1D00 A9FD 7CCB A5A5 850E 2149 BEA0 20B7 CC4F 3863
>>>
>>> Social media: @rvaneijk, github, linkedin, ssrn, stackoverflow.
>>>
>>>
>>> -----Original message-----
>>> From: David Singer
>>> Sent: Friday, May 12 2017, 12:28 am
>>> To: public-tracking@w3.org (public-tracking@w3.org)
>>> Subject: Re: [w3c/dnt] Add more meta data in the Tracking Status
Resource (#22)
>>>
>>>
>>>> On May 11, 2017, at 9:39 , Mike O'Neill <michael.oneill@baycloud.com>
wrote:
>>>>
>>>> Matthias,
>>>>
>>>> The user can already "choose to constrain an exception to a subset of
third parties" if the server allows him to.  That is what the
arrayOfDomainStrings parameter is for.
>>>>
>>>> At the moment, because the TPE must enforce "one out, all out", the
user agent in its own UI can only allow the user to change what has been
established during their interaction with the server by revoking all of them
at once. It cannot allow the user to selectively change the set of
third-parties once they are granted.
>>>
>>> Agreed. I also think that the likelihood that a UA will want to offer a
finer-grained UI is very small. Let’s look at cookies: Firefox allows you to
delete individual cookies, but Safari only offers ‘all for a site’ and as
far as I can tell, Chrome only offers ‘all cookies and other state from all
sites for the past N hours’.
>>>
>>> I also have trouble imagining how a site would ‘feel’ if it says “look,
for you to get free access I need tracking for <these advertisers> and
<these audit companies>”, and you say ‘ok’ but then send DNT:0 only to the
audit companies.
>>>
>>> So, I am having a hard time with finer-grained exception handling on
both ends — unlikely to be used at the UA, and unlikely to make sense for
sites. Why do we keep exploring it?
>>>
>>>
>>> Dave Singer
>>>
>>> singer@mac.com
>>>
>>>
>>
>> David Singer
>> Manager, Software Standards, Apple Inc.
>>
>>
>
> David Singer
> Manager, Software Standards, Apple Inc.
>
Received on Wednesday, 24 May 2017 04:54:44 UTC