RE: action-334, issue-112, a summary on sub-domains for exceptions from Shane Wiley on 2012-11-30 (public-tracking@w3.org from November 2012)

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Fri, 30 Nov 2012 21:02:12 +0000
To: "Mike O'Neill" <michael.oneill@baycloud.com>, "'JC Cannon'" <jccannon@microsoft.com>, "'Grimmelmann, James'" <James.Grimmelmann@nyls.edu>
CC: "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <DCCF036E573F0142BD90964789F720E307061603@GQ1-EX10-MB03.y.corp.yahoo.com>
Mike,

I'm with JC here.  I don't see the value in a bad actor attempting to purchase a domain to piggyback an exception when it's easier to not support DNT at all.  If you're concerned this is somehow a valid use of exceptions, we can call out that it's not.

- Shane

-----Original Message-----
From: Mike O'Neill [mailto:michael.oneill@baycloud.com] 
Sent: Friday, November 30, 2012 12:27 PM
To: 'JC Cannon'; 'Grimmelmann, James'
Cc: public-tracking@w3.org
Subject: RE: action-334, issue-112, a summary on sub-domains for exceptions

Hi JC,

The concern is more that there is little point complicating the API with functionality that does not meet the entire use-case, and could let bad actors lower the credibility of the DNT:0 signal. Especially as we already have a solution (the same-party list in the tracking resource).

If the problem with that is that it might be difficult in some situations to change an existing  tracking resource or create a new one, then we could have an optional parameter that can instantiate a proxy for it.

Mike



-----Original Message-----
From: JC Cannon [mailto:jccannon@microsoft.com]
Sent: 30 November 2012 18:13
To: public-tracking@w3.org wg
Subject: RE: action-334, issue-112, a summary on sub-domains for exceptions

Is the concern that a bad actor would take advantage of the wildcard feature to piggy back off of a trusted domain versus just ignoring the DNT signal all together?

Thanks,
JC

-----Original Message-----
From: Grimmelmann, James [mailto:James.Grimmelmann@nyls.edu]
Sent: Friday, November 30, 2012 10:09 AM
To: public-tracking@w3.org wg
Subject: Re: action-334, issue-112, a summary on sub-domains for exceptions

Even if the proposal is to allow only the TLD to be wildcarded, there is still a similar issue:

yahoo.kp (.kp registrations are operated by the North Korean government) yahoo.aero (depends on integrity of the .aero registration process)

And then there are the nearly 1500 new TLDs that ICANN is currently considering, including:

yahoo.cam
yahoo.casino
yahoo.corp
yahoo.foo
yahoo.game
yahoo.international
yahoo.삼성

James

--------------------------------------------------
James Grimmelmann              Professor of Law
New York Law School                 (212) 431-2864
185 West Broadway       james.grimmelmann@nyls.edu
New York, NY 10013    http://james.grimmelmann.net


On 2012-11-30, at 11:50 AM, Shane Wiley <wileys@yahoo-inc.com>
 wrote:

> Mike,
> 
> It would be that use case that wouldn't be allowed.  The parent domain would never allowed to be wildcarded.
> 
> - Shane
> 
> -----Original Message-----
> From: Mike O'Neill [mailto:michael.oneill@baycloud.com]
> Sent: Friday, November 30, 2012 9:42 AM
> To: Shane Wiley; 'Joseph Lorenzo Hall'
> Cc: public-tracking@w3.org; 'Nicholas Doty'
> Subject: RE: action-334, issue-112, a summary on sub-domains for 
> exceptions
> 
> Shane,
> 
> If we allow *s in the suffix someone could make the call  for yahoo.badguy.com with yahoo.* .You could only allow it in TLDs (.fr, .com, co.uk, .co etc.) but some of them have more than one component so you would need a lookup table to isolate them. Even if you just matched  for subdomains you would have to have another parameter in the UGE API function to specify the range of origins, and the domain matching implementation by user-agents might be more complex. I think it would be a lot easier to use the same-party list which can be as long as you need.
> Anyway wildcard or regex matching would not be able to handle same parties with different domains which is common in Europe (because of different languages).
> 
> But I agree let's get it in text then we can have a poll.
> 
> Mike
> 
> -----Original Message-----
> From: Shane Wiley [mailto:wileys@yahoo-inc.com]
> Sent: 30 November 2012 14:16
> To: Joseph Lorenzo Hall
> Cc: public-tracking@w3.org; Mike O'Neill; Nicholas Doty
> Subject: RE: action-334, issue-112, a summary on sub-domains for 
> exceptions
> 
> Joe,
> 
> As the root domain is consistent, I don't see how a 3rd party could "sneak" in via a wildcard here.
> 
> - Shane
> 
> -----Original Message-----
> From: Joseph Lorenzo Hall [mailto:joe@cdt.org]
> Sent: Friday, November 30, 2012 5:17 AM
> To: Shane Wiley
> Cc: public-tracking@w3.org; Mike O'Neill; Nicholas Doty
> Subject: Re: action-334, issue-112, a summary on sub-domains for 
> exceptions
> 
> Shane, it sounds like maintaining such a list without wildcards, from 
> your perspective, would be difficult and potentially error-prone? Is 
> there a way to reach unaffiliated third parties that might "sneak" in 
> via a wildcard? best, Joe
> 
> On Wed Nov 28 18:16:40 2012, Shane Wiley wrote:
>> Mike,
>> 
>> Our list is longer than you assume – and I believe others will run 
>> into as well.  Suggest we place both options in the TPE draft and go 
>> from there on the normal consensus process to have others weigh in.
>> 
>> - Shane
>> 
>> *From:*Mike O'Neill [mailto:michael.oneill@baycloud.com]
>> *Sent:* Wednesday, November 28, 2012 3:14 PM
>> *To:* Shane Wiley; Nicholas Doty
>> *Cc:* public-tracking@w3.org
>> *Subject:* RE: action-334, issue-112, a summary on sub-domains for 
>> exceptions
>> 
>> Hi Shane,
>> 
>> I don’t think the server side work is too onerous. If we represented 
>> the TrackingResource in webIDL:
>> 
>> interface *TrackingResourceDescriptor* {
>> 
>>    attribute sequence<DOMString>? same-party 
>> <#widl-TrackingResourceDescriptor-same-pa>;
>> 
>>    attribute sequence<DOMString>? third-party 
>> <#widl-TrackingResourceDescriptor-third-p>;
>> 
>>    attribute sequence<DOMString>? audit 
>> <#widl-TrackingResourceDescriptor-audit>;
>> 
>>    attribute DOMString? policy
>> <#widl-TrackingResourceDescriptor-policy>;
>> 
>>    attribute DOMString? control
>> <#widl-TrackingResourceDescriptor-control>;
>> 
>> };
>> 
>> Even if we did not have a tracking resource, or we did not want to 
>> mess with the one we had, it could be done client-side (say on
>> yahoo.com) with script like this:
>> 
>> <script type="text/JavaScript">
>> 
>> var tdr = new *TrackingResourceDescriptor();*
>> 
>> *tdr.same-party =
>> [“yahoo.co.uk”,”yahoo-inc.com”,”completely.different.domain.com”,...]
>> ;
>> *
>> 
>> *setUGE( [“tp1.com”,”tp2.net”], tdr);*
>> 
>> </script>
>> 
>> i.e. the UGE gets set for yahoo.com, yahoo.co.uk, yahoo-inc.com etc.
>> by setting up the other domain names in a same-party array then 
>> passing it in using a new optional parameter to the API.
>> 
>> Mike
>> 
>> *From:*Shane Wiley [mailto:wileys@yahoo-inc.com]
>> *Sent:* 28 November 2012 22:20
>> *To:* Mike O'Neill
>> *Cc:* public-tracking@w3.org <mailto:public-tracking@w3.org>; 
>> Nicholas Doty
>> *Subject:* RE: action-334, issue-112, a summary on sub-domains for 
>> exceptions
>> 
>> Mike,
>> 
>> I believe going this route still requires an over abundance of work 
>> on the Server side - all in the attempt to stop bad actors who would 
>> not likely submit a traceable exception for domains they don’t own 
>> (already a violation of the draft standard to do this as they are not 
>> “affiliated”).  So would again ask for making this easier for those 
>> that want to implement the standard and not create arbitrary walls or 
>> huddles in the failed attempt to thwart bad actors.
>> 
>> - Shane
>> 
>> *From:*Mike O'Neill [mailto:michael.oneill@baycloud.com]
>> *Sent:* Wednesday, November 28, 2012 2:13 PM
>> *To:* Shane Wiley
>> *Cc:* public-tracking@w3.org <mailto:public-tracking@w3.org>; 
>> Nicholas Doty
>> *Subject:* RE: action-334, issue-112, a summary on sub-domains for 
>> exceptions
>> 
>> Hi Shane,
>> 
>> Allowing wildcards in the TLD suffix is not a good idea. There are 
>> many domains where sites run by completely different entities only 
>> differ by the TLD. Only subdomains can be guaranteed to be operated 
>> by entities who are the main domain owner,  or have a contractual 
>> relationship with them.
>> 
>> A list of domains in the tracking resource, like same-party (or 
>> another name if we don’t want to overload the meaning),  could handle 
>> this use case, and could apply to any domain (like yahoo-inc.com). It 
>> could also work for web-wide exceptions.
>> 
>> If we wanted to handle cases where there was no tracking resource 
>> URI, or where the same-party list needed to be dynamically 
>> calculated, we could have a new optional parameter to the API that 
>> references an object with  attributes mirroring the relevant elements 
>> in the tracking resource.
>> 
>> Mike
>> 
> 
> --
> Joseph Lorenzo Hall
> Senior Staff Technologist
> Center for Democracy & Technology
> 1634 I ST NW STE 1100
> Washington DC 20006-4011
> (p) 202-407-8825
> (f) 202-637-0968
> joe@cdt.org
> 
>
Received on Friday, 30 November 2012 21:14:17 UTC