Re: Super Cookies in Privacy Browsing mode from David Singer on 2015-01-19 (public-privacy@w3.org from January to March 2015)

From: David Singer <singer@apple.com>
Date: Mon, 19 Jan 2015 10:35:53 -0500
To: Rigo Wenning <rigo@w3.org>
Cc: public-privacy@w3.org, Nicholas Doty <npdoty@w3.org>, Mike O'Neill <michael.oneill@baycloud.com>
Message-id: <177AF86D-6AFE-4E72-B095-CD09E075ACD1@apple.com>

> On Jan 17, 2015, at 18:26 , Rigo Wenning <rigo@w3.org> wrote:
> 
> On Friday 16 January 2015 13:22:20 David Singer wrote:
>>> Yes, this could be a signal that could be carried over an extended DNT 
>>> infrastructure. And you need the feedback from the server to make sure
>>> they're  actually doing it. And if they lie, let the legal system do the
>>> work…
>> Actually, I disagree.
>> 
>> a) It’s independent of DNT.  Orthogonal.
> 
> It is yet another signal. Ok, it is not DNT, but it follows the same paradigm. 
> I understand the branding issue, so let's call it BND (Be Nice Don’tprofile)

But that’s not what it is.  It is NOT asking “don’t profile” it’s asking “segregate records”.

> 
>> b) Unless you are paranoid, you don’t need the feedback. Anything they do is
>> an improvement on today, and I don’t expect there to be much in the way of
>> conformance rules, since the details of the handling are very much specific
>> to the nature of the service.
> 
> Nothing to do with being paranoid. "Denn nur was ihr schwarz auf weiss 
> besitzt, könnt ihr getrost nach Hause tragen" says Goethe. And he is right :)

OK, I don’t mind a general statement of “we support this feature”, and you can make this machine-readable if you think it’ll result in any action by the UA.  I rather suspect that having it human-readable is enough, that’s all.

> 
> Because, without feedback, you're in non-binding hand waving.

There is a difference between saying that, for users to know that a server supports the feature, they need to say so somehow, and in requiring that that statement of support be machine-readable.

> At this level 
> and point, a cookie would do. And if you're concerned about the cookie being 
> ephemeral, use a super-cookie. It is the feedback message, that changes the 
> nature of protocol and message value, legally… 

Cookies are useless here; cookies are specific to a domain, and this request is quite general.  One would need infinite numbers of cookies.

> 
> Which means feedback is the difference between the real thing and the "making 
> of". 
> 
> --Rigo

David Singer
Manager, Software Standards, Apple Inc.

Received on Monday, 19 January 2015 15:36:45 UTC