RE: "cross-site" from Shane Wiley on 2011-11-18 (public-tracking@w3.org from November 2011)

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Fri, 18 Nov 2011 07:27:27 -0800
To: Karl Dubost <karld@opera.com>
CC: "<public-tracking@w3.org> (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <63294A1959410048A33AEE161379C8023D03B9B8B4@SP2-EX07VS02.ds.corp.yahoo.com>

Karl,

In this isolated use case where a 1st party is DIRECTLY passing user data to a 3rd party on their web site (again, very rare in the real world), any company - including "simple sites" such as BADABOUM.example.net - would not pass that user specific data to the 3rd party if the DNT signal is turned on.  If a "simple site" is able to dynamically pass user specific data to a 3rd party on their site, then I believe they should have the technical sophistication to develop a method to halt this when the DNT signal is present.

User 1234 is meant to demonstrate that one user should be treated than another user based on their specific preference - in this case the DNT signal.  "Remembering" the user's preference could be as simple as setting a DNT or Opt-Out Cookie.  If the user is registered with the 1st party, then this could also be stored in their account preferences.

- Shane

-----Original Message-----
From: Karl Dubost [mailto:karld@opera.com] 
Sent: Thursday, November 17, 2011 9:30 PM
To: Shane Wiley
Cc: <public-tracking@w3.org> (public-tracking@w3.org)
Subject: Re: "cross-site"


Le 17 nov. 2011 à 21:56, Shane Wiley a écrit :
> On the "how" - in the use case we were exploring, example.org dynamically assembles its pages and at that time includes the beacon for stats.com - and typically passes some information about users to stats.com for independent use (I don't believe this happens very often in the real world but our goal here is to close on a suspected loop hole).


So anonymousJoe creates an HTTP request on SWEET.example.org with DNT:1 for the first time. The page is dynamically created with either a variable in the page saying DO NOT TRACK this page and/or a cookie saying DNT. If I continue to follow your reasoning for each potential services that have been put in the initial page there will be a different beacon (let say cookies). STATS and SUPERTRACKING, because the first one is just STATS and the second one is tracking. 

The user then is going on BADABOUM.example.net with DNT:1 which has also deals with STATS and SUPERTRACKING, but BADABOUM.example.net is a simple web site with no complex infrastructure. They can't implement the specific cookie dance. 

* What is happening for the user anonymousJoe?
* What is SUPERTRACKING doing with the received data in the two cases?



> If example.org sees the DNT signal from user 1234, for all subsequent pages built for user 1234 they would no longer include this add'l information in the beacon call.  This happens server-side during page assembly to be sent to the user's web browser (which is what I meant by outside of browser controls).

Here you assume you have a user 1234 with an account? Correct?



-- 
Karl Dubost - http://dev.opera.com/
Developer Relations & Tools, Opera Software

Received on Friday, 18 November 2011 15:28:44 UTC