
Re: Well-known URI vs response headers? [ISSUE-81, ISSUE-47, ISSUE-80]

From: David Singer <singer@apple.com>
Date: Fri, 28 Oct 2011 09:55:31 -0700
Message-id: <54EF4CE3-2AE3-4BE3-A85E-6609482A6F9E@apple.com>
To: "public-tracking@w3.org Group WG" <public-tracking@w3.org>

On Oct 27, 2011, at 4:49 , Ronan Heffernan wrote:

> The well-known URI solution offers superior tracking prevention, as the user agent can decide that the response from the well-known URI is incompatible with the users' preferences, and abort the loading of the rest of the site.  

Indeed, I was thinking that some user-agents might 'probe' sites they don't know about by fetching 'robots.txt' or some other well-known file, with DNT set, and seeing what the response header says.

However, we can make two huge improvements here: having a well-known URL for the policy (e.g. privacy-policy.htm, in top-level), and allowing URIs in the return response.  Imagine also that the return URI could be relative, whereupon it's relative to the policy.

Now, the UA is loading a page, and sees a 'new' site called in as a third party by that page (say user is visiting example-news.com and the page loads something from example-tracker.net).

The UA, being cautious for its user, doesn't immediately load the content requested, but fetches http://example-tracker.net/privacy-policy.htm, with DNT turned on.  Lots of very informative outcomes can now occur:

* I get a success response with the privacy policy (I hope it's small), and an "I never track anyone" response, or an "I respect your DNT request" response; all is good!
* I get a success response with the privacy policy, but no response to the DNT request; I might stop loading that site, or I might suggest to the user that they read the supplied policy and tell me whether to block the site, as it doesn't seem to handle DNT;
* I get success on the policy, but the site says in the response "I am still tracking you for reason #express-permission"; I can now say to the user "the site claims to have your permission, and you can read exactly what they claim here [http://example-tracking.com/privacy-policy#express-permission]";
* I get a failure on the policy (404), but the DNT is respected; not so great, but we're probably OK;
* I get a failure on the policy and silence on the DNT request; we have an old site that pre-dates this work; probably not safe to visit.

and so on...

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Friday, 28 October 2011 16:56:41 UTC
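
The probe outcomes listed in the message above, written out as a user-agent decision function. This is an added example, not code from the message or from any specification. The reply tokens (`never-track`, `respect-dnt`, `tracking <URI>`), the function and type names, and the choice to block on combinations the message does not list are all assumptions made for illustration.

```python
from typing import NamedTuple, Optional
from urllib.parse import urljoin, urlsplit

POLICY_PATH = "/privacy-policy.htm"        # well-known name suggested in the message
HONOURED = {"never-track", "respect-dnt"}  # assumed tokens, not a defined syntax


class Verdict(NamedTuple):
    action: str           # "load", "ask-user", "show-claim" or "block"
    link: Optional[str]   # URL the UA can show to the user, if any


def classify_probe(origin: str, status: int, dnt_reply: Optional[str]) -> Verdict:
    """Decide what to do with a new third party after probing its policy URL.

    status is the HTTP status of the policy fetch made with DNT on;
    dnt_reply is the site's DNT response value, or None if it sent none.
    """
    policy = urljoin(origin, POLICY_PATH)
    have_policy = 200 <= status < 300
    parts = (dnt_reply or "").split(None, 1)
    token = parts[0].lower() if parts else ""

    if token in HONOURED:
        # Outcomes 1 and 4: DNT honoured, with or without a readable policy.
        return Verdict("load", policy if have_policy else None)
    if token == "tracking" and len(parts) == 2 and have_policy:
        # Outcome 3: the reason URI may be relative, so resolve it against the policy URL.
        claim = urljoin(policy, parts[1].strip())
        # Only hand the user an http(s) link; anything else falls back to the policy.
        if urlsplit(claim).scheme not in ("http", "https"):
            claim = policy
        return Verdict("show-claim", claim)
    if not token and have_policy:
        # Outcome 2: policy served but silent on DNT; this sketch asks the user.
        return Verdict("ask-user", policy)
    # Outcome 5 and unlisted combinations: treated as not safe to load (assumption).
    return Verdict("block", None)
```

The function takes the status and reply value as arguments rather than fetching anything, so the network layer and the actual header name stay outside the sketch.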
