W3C home > Mailing lists > Public > public-tracking@w3.org > January 2012

Re: definition of (cross-site) tracking

From: Roy T. Fielding <fielding@gbiv.com>
Date: Thu, 12 Jan 2012 17:01:10 -0800
Cc: Tracking Protection WG <public-tracking@w3.org>
Message-Id: <37E5AF39-2E74-4218-8450-3B03EF04F31D@gbiv.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
On Jan 12, 2012, at 3:48 PM, Bjoern Hoehrmann wrote:

> * Roy T. Fielding wrote:
>> As I said, and we have discussed before, the reason for that is simply because
>> the input documents redefined or limited the scope of the single word "tracking"
>> to mean tracking from same-branded set of sites to some other-branded set of
>> sites (i.e., cross-site tracking).  The reason for that is because content
>> providers will not implement DNT (or at least will require opt-back-in before
>> site usage) if the scope of DNT includes first-party data collection for the
>> sake of web analytics or personalized customer experience.  Non-shared
>> tracking data and non-shared data collection is so central to how commercial
>> websites operate that they simply won't turn it off.  That is why attempts
>> to limit or marginalize Cookies failed in 1995-98.
> 
> There is a difference between Amazon storing on their servers that you
> loaded product page A and then product page B and then telling you the
> product sites you have recently visited, and a site probing your system
> for all the fonts you have installed to covertly re-identify you even
> though you changed browsers, cleared all cookies, switched IP addresses,
> and so on.

Generally speaking, first-party sites use fingerprinting for what is
essentially fraud control -- limiting access to a given user agent for
a given number of minutes or actions per day/month/year and not allowing
them to bypass that limitation simply by deleting cookies.  I can see why
you would want DNT to apply in this situation, but I don't expect it will
help given the exceptions already listed.

[I am not discounting the possibility that there are bad actors out there
that use fingerprinting for nefarious means, but such actors would continue
to do so regardless of the user's DNT setting.]

Nevertheless, could you raise it as an issue?

> If the user indicated they do not want to be tracked, and a site does
> the latter, then that is very clearly not in keeping with the wishes of
> the user. The Working Group might decide that this distinction between
> kinds and degrees of first-party tracking is out of scope of its work,
> but the argument for doing so can't be that all first party tracking is
> the same and limiting first party tracking in any way would result in
> failure.

Essentially what you are saying is that we should prevent resurrection
of tracking data across sessions if the normal source of that data has
been deleted (i.e., cookies) and DNT is enabled, except for the purpose
of some limited set of exceptions?

> If, for instance, the Working Group decides to say, if you attempt to
> re-identify users based on the fonts they have installed on their system
> then you do not comply with the group's specifications, then I do not
> think that would cause many, if any, sites to ignore "dnt" completely,
> even though such a restriction would rule out limiting the mechanism to
> "cross-site tracking". It would be helpful if you could explain how you
> see "dnt" in the context of unusual and intrusive first-party behavior
> like re-identification through installed fonts.

I haven't really thought of it as a DNT concern.  Personally, I prefer a
more proactive approach of providing the user with a link to a page where
they can reliably delete all prior associations, for those sites where
repeat-visit fraud control is not an issue.

....Roy
Received on Friday, 13 January 2012 01:04:04 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:38:30 UTC