Re: User intended interactions [1st & 3rd Parties] from Karl Dubost on 2011-11-14 (public-tracking@w3.org from November 2011)

From: Karl Dubost <karld@opera.com>
Date: Mon, 14 Nov 2011 17:09:17 -0500
To: Vincent Toubiana <v.toubiana@free.fr>
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, Tom Lowenthal <tom@mozilla.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-Id: <6307D49C-8005-4CC3-8068-3AFB2FE458E5@opera.com>

Le 12 nov. 2011 à 09:21, Vincent Toubiana a écrit :
> I think the point here  - and the big difference with example 11 -  is that the user knows that he'll go through "bit.ly" redirection 

Is it always true?
There are cases the user just doesn't know.

1. clicking on a pattern <a><img/></a>
   the image doesn't necessary gives an insightful hint on the link we are about to click
2. just not understanding that bit.ly is  a redirection service.
3. Multiple redirections.
   Let's say I retweeted something from someone
   "tracking protection WG home page http://t.co/t9CdCBEb #test"


curl -sI http://t.co/t9CdCBEb

HTTP/1.1 301 Moved Permanently
Date: Mon, 14 Nov 2011 22:05:49 GMT
Server: hi
Location: http://bit.ly/vz5OpK
Cache-Control: private,max-age=300
Expires: Mon, 14 Nov 2011 22:10:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

Ah a Location header let's explore

curl -sI http://bit.ly/vz5OpK

HTTP/1.1 301 Moved
Server: nginx
Date: Mon, 14 Nov 2011 22:06:11 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: _bit=4ec190d3-00041-06ef4-271cf10a;domain=.bit.ly;expires=Sat May 12 22:06:11 2012;path=/; HttpOnly
Cache-control: private; max-age=90
Location: http://c8l.ca/1gf
MIME-Version: 1.0
Content-Length: 109

Ah yet another one


curl -sI http://c8l.ca/1gf

HTTP/1.0 301 Moved Permanently
Date: Mon, 14 Nov 2011 22:07:05 GMT
Server: Apache/2.2.8 (EL)
X-Powered-By: PHP/5.2.6
Set-Cookie: bb2_screener_=1321308425+24.53.13.170; path=/
Location: http://www.w3.org/2011/tracking-protection/
Content-Length: 160
Connection: close
Content-Type: text/html; charset=UTF-8



Finally the link. What is my user consent in all these redirections. They just happen because the HTTP protocol is designed like this. The social networks and mobile usage have increased a lot these interaction patterns lately. The mechanism was not really built for this at the origin.

All these intermediaries have some capabilities of tracking. 


-- 
Karl Dubost - http://dev.opera.com/
Developer Relations & Tools, Opera Software

Received on Monday, 14 November 2011 22:09:58 UTC