- From: David Singer <singer@apple.com>
- Date: Tue, 20 Jan 2015 09:11:26 -0500
- To: Rigo Wenning <rigo@w3.org>
- Cc: public-privacy@w3.org
> On Jan 20, 2015, at 4:42 , Rigo Wenning <rigo@w3.org> wrote:
>
> On Monday 19 January 2015 16:01:07 David Singer wrote:
>>>> But that’s not what it is. It is NOT asking “don’t profile” it’s asking
>>>> “segregate records”.
>>>
>>> This is much better done on the client side.
>>
>> I fail to see how I can segregate Google’s history of me, solely on the
>> client side.
>
> By giving Google a different identity when shopping gifts. This is done using
> another login/cookie/ID. Ok, they theoretically can correlate you via the IP
> address, but doing so would be clearly abusive.

So, you’re suggesting that for every server I visit, I have to log off and make a new account? I don’t think that that is practical or pleasant.

>>
>> Private Browsing DOES this on the client side; I am exploring conveying
>> this to the servers as an addition.
>
> Private browsing is just ONE persona you're offering.

No, a browser might make a new persona at the start of each private browsing session. Or it might allow you to resume a previous persona. That’s UA design.

>>> Secondly, you have to define what "segregation" means. If it just means
>>> that my website is less stupid so that your wife won't find out about the
>>> gifts you ordered online, then this is rather intelligent web design than
>>> a new feature. All you need is stateful interaction.
>>
>> well, I roughly agree. Not sure what you mean by the last,
>
> stateful means that they know that this is still the same visitor. This means
> they can attach "forget after this session" to whatever trace they collect.

And indeed a change of persona separates the previous state from the current one. Whether the server has to delete it is a separate question (that’s a different control).

>
>> but in general,
>> they promise that your activity in one persona will not affect what is
>> visible in another, except that they may initialize named persona from the
>> anonymous one.
> While shopping, you're not anonymous anyway.

I use the name ‘anonymous persona’ to identify what your persona is when you don’t send a header. I should use a different label ‘base persona’ or ‘default persona’ or something, it’s clearly confusing. Anonymous — without name, i.e. without the identifier of the persona carried in the header. It’s not when I am ‘anonymous’ online (very hard to achieve).

> I even would say that without
> using Tor you're not anonymous. But nobody wants to be anonymous. I just don't
> want to be confronted with my surfing habits from 1995.

I have confused you.

>
>>> In times when ugly cookie - banners trump smart technology like DNT, you'll
>>> have to offer an added value (legal certainty) in order to get anything.
>>> And I also think that hardcoding the personae into the one use case is
>>> too little.
>> I am not sure a nice ask, that’s not about tracking/secrecy but about being
>> nice in linking data, needs legal backing.
>
> If it wouldn't we would have a different discussion. Linking those traces is
> true money.

The header does NOT ask the server to forget data or not link it to me; they are free to remember that all these personae are the same person. It’s a request to keep the data segregated, especially when presenting it or affecting the user’s experience.

> And the Zeitgeist is to disrespect you even without money. The
> challenge is to exploit the unknown click-sheep the best one can. As I said,
> DNT would have been done long ago, had it allowed continued linking that isn't
> just shown to the user. But as long as the links are there, they will occur
> inadvertently with gifts for your wife. Because you would need two personae to
> avoid it. And here we are back. Instead of doing that server side, it is much
> smarter to do that client side. In the seventies, data protection was also
> about smarter computing. Here we go again.
>
>>>>
>>>> Cookies are useless here; cookies are specific to a domain, and this
>>>> request is quite general. One would need infinite numbers of cookies.
>>>
>>> Why? We already have an infinite number of cookies (have you looked? :)
>>
>> Because I am asking every server I visit, whether or not visited before.
>> Cookies are set by the servers, and have a syntax that is specific to each
>> server.
>
> You seem to want a general statement of the type: Don't be so stupid to reveal
> the gifts I've bought with stupid those-who-bought-this-also-bought-that
> statements. Do we really need an http-header for that? And how do you switch?

You switch however the UA allows you to. Trivially, a UA might mint a new persona each time a new private browsing session starts.

> In fact, what you want is a mode saying: "Hey, this should not be added to my
> profile if you respect me.”

No, I don’t. That’s do-not-track. I am asking “please keep the records associated with this persona separate”.

> Again, we are in personae. You could switch DNT on
> and off to do the same.

No, DNT asks the server to stop recording completely. This does not.

> Ok, we have middle states where I still want my
> fidelity points for the gift I bought but I don't want this to be revealed.
> This is a persona in the middle between track me and do not track me.

Yes. Indeed, one way a server can segregate is not to keep records at all, but it is only one way.

David Singer
Manager, Software Standards, Apple Inc.

Received on Tuesday, 20 January 2015 14:12:21 UTC