- From: Erik Wilde <dret@berkeley.edu>
- Date: Mon, 18 May 2009 16:43:36 -0700
- To: public-geolocation@w3.org
- CC: Doug Turner <doug.turner@gmail.com>, Rigo Wenning <rigo@w3.org>
hello doug. > I am not sure I follow the argument. so, say urchin.js starts > requesting geolocation. That would mean that _EVERY_ site that you > visit which uses this script (cnn.com, google,com, espn.com, etc) would > prompt the user for geolocation. We are basing asking for permission on > the document's origin -- not some script that it loads. that's the basic problem of 3rd party tracking; it hides a much more centralized data aggregation layer behind a seemingly disconnected set of sites using these 3rd party trackers. > I did suggest before that we may want to consider restricting > geolocation to parent documents (eg. not allow geolocation access from > iframes) as a way to mitigate xss and other attacks. Is that what you > are thinking about here? right now, i don't have an answer for this. i just wanted to suggest that many people (including me ;-) might be uncomfortable with the fact that the few big 3rd party trackers might easily aggregate a more or less complete location profile of them. figuring out the best compromise between functionality and privacy will not be easy (it never is, i am afraid), but it seems to me that location information (at GPS precision) is sensitive enough to make sure it's handled responsibly. cheers, dret.
Received on Monday, 18 May 2009 23:44:26 UTC