
RE: ACTION-69: Renaming ISSUE-54

From: JC Cannon <jccannon@microsoft.com>
Date: Fri, 24 Feb 2012 23:48:57 +0000
To: David Singer <singer@apple.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <DB4282D9ADFE2A4EA9D1C0FB54BC3BD76E4E09A2@TK5EX14MBXC139.redmond.corp.microsoft.com>
How would personalization of content from the social site be covered if tracking didn't occur?


-----Original Message-----
From: David Singer [mailto:singer@apple.com] 
Sent: Friday, February 24, 2012 3:36 PM
To: public-tracking@w3.org (public-tracking@w3.org)
Subject: Re: ACTION-69: Renaming ISSUE-54

On Feb 23, 2012, at 13:43 , Karl Dubost wrote:

> On 23 Feb 2012, at 16:19, Karl Dubost wrote:
>> On 15 Feb 2012, at 04:36, TOUBIANA, VINCENT (VINCENT) wrote:
>>> As long as we have a common format used to describe exceptions -- and I think that should be the case -- bookmarks synchronization tools can be used to synchronize exceptions.
>> A common format for describing exceptions is key 
>> if we want to promote interoperability in between user agents
> Another element to this: 
> The hard time that users will have to configure anything on mobile browsers.

I think this, and other reasons, are possibilities for the "out of band opt-in".  For example, you visit social-network.com, and you explicitly tell it (in its preferences) "It's OK to recognize me and track my visits when a social-network widget is embedded in other sites".

Then I would expect to see the [response header | well-known URI CGI] tell me "I have an opt-in from you" (and the UA may want to check with the user the first time this claim is made).

I return to the (perhaps simplistic) formulation that we've had before
    "treat me as someone about whom you know nothing and remember nothing"
and observe that it's probably somewhat confused of the UA to send a 3rd party a DNT signal ('please don't track me') along with a cookie that says "Hi! It's Dave again!".  In the absence of that cookie, the 3rd party receiving a DNT signal has no business applying 'heuristics' (fingerprints etc.) to guess who I am.

But even if the UA is confused, I think the correct state is the 'safe' state: in the absence of an opt-in, the 3rd party does NOT use or add to its data about you, EVEN IF it can identify you.  That's what opt-ins are for.

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Friday, 24 February 2012 23:49:42 UTC
