RE: explicit-explicit exception pairs from Shane Wiley on 2012-05-03 (public-tracking@w3.org from May 2012)

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Thu, 3 May 2012 10:44:34 -0700
To: Kevin Smith <kevsmith@adobe.com>, Matthias Schunter <mts-std@schunter.org>, Rigo Wenning <rigo@w3.org>
CC: Jonathan Mayer <jmayer@stanford.edu>, "ifette@google.com" <ifette@google.com>, Nicholas Doty <npdoty@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <63294A1959410048A33AEE161379C8023D16AA30F1@SP2-EX07VS02.ds.corp.yahoo.com>

I know we're not supposed to add "+1" but I do want to pile on a bit here to support Kevin and Ian in that I can't see the value in overloading the standard to add such a high-level of complexity to meet a very small percentage of likely use cases.

>From a web browser vendor perspective, this is going to become fairly complex quickly and will likely deter all but the most advanced users attempting to manage preferences at this level of granularity.  Those very same users are probably savvy enough to simply reset or block 3rd party cookies already -- AND/OR -- go into "Privacy Mode" in their browser -- AND/OR -- leverage 3rd party tools that already solve much (all?) that is attempting to be solved here.

>From a publisher perspective, attempting to support a static list of known 3rd parties is going to be significantly difficult to impossible.  And the rate of change will require continuous repermissioning of users to gain a "user granted exception".  I understand there are a very small sub-set of publishers that could find value in the origin/origin approach, but appears this weight comes to bear on larger publishers to some degree -- all depending on how the UA UI is built (which as we've already discussed is going to be fairly complex).

- Shane

-----Original Message-----
From: Kevin Smith [mailto:kevsmith@adobe.com] 
Sent: Wednesday, May 02, 2012 1:50 PM
To: Matthias Schunter; Rigo Wenning
Cc: Jonathan Mayer; ifette@google.com; Nicholas Doty; public-tracking@w3.org
Subject: RE: explicit-explicit exception pairs

I really do not understand this proposal.  This seems to incorporate all of the negatives of explicit-explicit exceptions without realizing the possible benefits.  The ad network (and so on down the chain) does not have direct interaction with the user.  How would they add elements to the list and when would that list be shown to the user?  It would be impossible to show it to the user at a useful time, such as early enough for the publisher to make an intelligent decision based on the outcome.

So, the standard still requires the complication of explicit/explicit exceptions.  The browsers still have to support it.  Implementing 1st parties still have the expense of partial exceptions, and yet users still do not know all 3rd parties involved.  Sounds like the worst of all worlds.

Kevin Smith  |  Engineering Manager  |  Adobe  |  385.221.1288 |  kevsmith@adobe.com


-----Original Message-----
From: Matthias Schunter [mailto:mts-std@schunter.org] 
Sent: Wednesday, May 02, 2012 1:35 PM
To: Rigo Wenning
Cc: Jonathan Mayer; ifette@google.com; Nicholas Doty; public-tracking@w3.org
Subject: Re: explicit-explicit exception pairs

Hi!

I second Rigo's point that the following solution seems workable while satisfying our requirements:
1. A site only needs to declare the third parties that it directly uses (e.g., an ad network) 2. A site is not required to name any other third parties that are then used indirectly (e.g., recursively loaded ads) 3. The ad network (in this example) is then permitted to further include any subsequent third parties
    (i.e.  the ad network basically obtains a "*" exception for its third parties)

This has the following advantages (from my subjective point of view) 1. The user will obtain some transparency and choice 2. The list of third parties should be limited and known to the 1st party 3. The UI should be manageable and the feedback/consent somewhat meaningful 4. The ad network will then inherit some responsibility (at least in in the EU context)

What do others think?


Regards,
matthias

On 02/05/2012 17:34, Rigo Wenning wrote:
> The legal solution that results in the right incentives is simple. 
> Make the site responsible for the choice of services they make. We can 
> at least write that assumption into the compliance Spec or in the "how-to".
>
> I don't believe we should go down the DRM - route and want to control 
> every subservice of a subservice, neither technically nor legally. 
> This is guaranteed to go wrong. We know that from DRM. It would also 
> overcharge the DNT Specifications IMHO.
>
> Rigo
>
> On Monday 30 April 2012 16:09:51 Jonathan Mayer wrote:
>> 2) How does a website determine which third parties presently have an 
>> exception?
>>
>> I agree that this is a non-trivial problem for websites with many 
>> third parties, especially chained third parties.  I disagree that 
>> it's a particularly challenging problem, as I've explained several 
>> times in other threads.  Moreover, it's a problem that already exists 
>> for the self-regulatory opt-out programs.  At any rate, if local law 
>> allows, those websites might choose to use a site-wide exception.  
>> Allowing explicit-explicit exceptions doesn't make the problem any harder.

Received on Thursday, 3 May 2012 17:45:22 UTC