- From: Nicholas Doty <npdoty@w3.org>
- Date: Mon, 5 Mar 2012 15:04:04 -0800
- To: Kevin Smith <kevsmith@adobe.com>
- Cc: Ronan Heffernan <ronansan@gmail.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
- Message-Id: <208C1480-4E8B-498D-AF59-A301A51CC021@w3.org>
Hi Kevin, I don't think we had a solid distinction between user-agent-managed and out-of-band exceptions/opt-back-in back in October. I'm particularly concerned here about the out-of-band case, though it might also apply when the user agent sends a different DNT value. Can a site that offers out-of-band opt-back-in (and wants to start tracking as soon as that permission is granted) allow significant caching of the relevant well-known tracking status resource? Thanks, Nick On Mar 5, 2012, at 2:51 PM, Kevin Smith wrote: > Are your first two points talking about site specific exceptions, or alternate opt-ins provided directly by the 1stparty? Regardless, I think the answer is yes, a dynamically generated doc at a well-known URI could absolutely do these things, however, the extent to which it must be generated dynamically also increases the percentage of time that it needs to be requested > > From: Nicholas Doty [mailto:npdoty@w3.org] > Sent: Monday, March 05, 2012 3:26 PM > To: Ronan Heffernan; public-tracking@w3.org (public-tracking@w3.org) > Subject: Re: Well-known URI vs response headers? [ISSUE-81, ISSUE-47, ISSUE-80] > > [I recently discovered that part of this thread from October wasn't shared with the public list due to an address mix-up. With Ronan's permission, I'm sending these messages to the public list now; I think these questions are still relevant, though some points are of course affected by the details of the well-known URI proposal as published by Roy in February. > On Oct 27, 2011, at 8:05 PM, Nicholas Doty wrote:] > > I'm not convinced that a well-known location alone (even if dynamically generated) has enough granularity to communicate to the user what's going on. > > * How often should the user agent load the well-known location to check whether a tracking party has registered an opt-back-in? > * Can a user opt-back-in to trackers only for a particular site? (The New York Times asks me to consent to tracking, I trust their decision and accept that third parties will track me on their site, but don't expect to be tracked by the same parties on other sites.) > * Could a well-known URI tell the user that some items on a page are tracking her and others aren't? (I click a widget -- the tracking party decides it can track me under a first-party exception, say -- on a page that also has a 1x1 pixel gif from the same tracking party.) > * Will a tracking party that uses LSOs, browser fingerprinting or some other non-cookie technology be able to distinguish users who later access the well-known location? If the opt-back-in is communicated via postMessage or stored in localStorage, how will the well-known location script inform the user that they're opted back in? > > Thanks, > Nick
Received on Monday, 5 March 2012 23:04:04 UTC