FW: tracking-ISSUE-167 (mikeo): Multiple site exceptions [Tracking Preference Expression (DNT)]

 

Hi Nick,

 

I missed your comment about the general preference request trigger. That was referring to the point I made on 13th Sept about taking that decision away from the browser and letting sites handle it. If you visit an EU site they may want to get your agreement to 3rd party tracking (when DNT is unset) and this would be a way to do it. Browser companies could put the request in their default home page if they wanted, and leave DNT unset in the default case.

 

Mike

 

From: Nicholas Doty [mailto:npdoty@w3.org] 
Sent: 25 September 2012 01:57
To: Mike O'Neill
Cc: 'Tracking Protection Working Group'
Subject: Re: tracking-ISSUE-167 (mikeo): Multiple site exceptions [Tracking Preference Expression (DNT)]

 

Hi Mike,

 

There is a lot here, so I'll try to reply to points inline. Two key points that might apply overall: 1) I believe the group is working under the premise that exception requests would be initiated by the first-party web page that the user is visiting; that party has a relationship with the user already and can give context for why they're asking for a request and so in the natural flow of the user's visit. 2) Discovery of general privacy practices is not within the scope of this specification, though that doesn't mean that some of this functionality can't already be implemented by user agents and servers (making use of P3P or other standards).

 

Thanks,

Nick

 

On Sep 24, 2012, at 3:55 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote:

 

Here is my suggested API (copied extensively from the existing one). It references a new “well-known” resource that communicates information about the legal entity controlling a site, and can also be a way for 3rd parties to ask for exceptions without JavaScript. It also gives a way for sites to trigger the general preference UI, and offers an option so that DNT: 0 can be indicated differentially on parts of the first party site.

 

Exception Description Resource

An origin server MAY provide an exception description resource at the well-known identifier [ <http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#bib-RFC5785> RFC5785]

/.well-known/dnt-exception-request

This can be used by resources designed to be accessed as 3rd party elements which are incapable of executing JavaScript e.g. they do not return HTML content with embedded JavaScript, in order to allow them to ask the user-agent to trigger an exception request UI. The user-agent should not initiate the UI if the user has already refused a request to this domain origin, and enforce a reasonable period before showing the UI again for the same domain origin, so as not to bombard the user with exception requests.

A valid retrieval request (e.g., a GET in HTTP) on the well-known URI MAY result in either a successful response containing a machine-readable representation of the exception description resource, as defined below, or a sequence of redirects that leads to such a representation. The representation MUST be cached, as described in <http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#status-caching> section 5.5.5 Caching.

Exception Description Representation

The representation of an exception description resource SHALL be provided in the "application/json" format [ <http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#bib-RFC4627> RFC4627] and MUST conform to the ABNF for an exception-description-object (except that the members within each member-list MAY be provided in any order).

The following example tracking status representation illustrates all of the fields defined by this specification.

EXAMPLE

{
    "siteName": "Example Site - example.com",
    "organisationName": "Example Company Inc.",
    "policyURI": "http://example.com/tracking-policy.htm",
    "targets": [
        "/example-analytics.com",
        "/example-social.com"
    ],
    "pages": [
        "/purchase.htm",
        "https://example.com/checkout.htm"
    ],
    "explanationString": "example.com wishes to remember your purchases on this site",
    "detailURI": "http://example.com/exception-explanation.htm",
    "web_wide": false
}

An exception description representation consists of a single exception-description-object containing members that help the user-agent determine if the DNT: 0 indication is sent in HTTP requests to top-level pages and the 3rd party resources embedded within them.

exception-description-object = begin-object member-list end-object

 

member-list   = [ sitename ns sitename-v ]
                [ vs organisationname ns organisationname-v ]
                [ vs policyuri ns policyuri-v ]
                [ vs targets ns targets-v ]
                [ vs pages ns pages-v ]
                [ vs explanation ns explanation-v ]
                [ vs detailuri ns detailuri-v ]
                [ vs web-wide ns web-wide-v ]
                *( vs extension )

         

An optional member named siteName MAY be provided with a string value containing a human readable description for the site.

sitename   = %x22 "siteName" %x22

sitename-v = string

 

An optional member named organisationName MAY be provided with a string value containing the human readable name of the legal entity responsible for the site.

organisationname   = %x22 "organisationName" %x22

organisationname-v = string

 

An optional member named policyURI MAY be provided with a string value containing the URI-reference of the document describing the human readable tracking policy (same as the tracking status resource policy member if that exists).

policyuri   = %x22 "policyURI" %x22

policyuri-v = string    ;  URI-Reference

 

An optional member named targets MAY be provided with an array value containing a list of domain names for third-party resources embedded in the HTML pages identified by the pages member. Subsequent HTTP requests for resources on these domain-names will contain the DNT: 0 header. If the targets member is not present, or is empty, this exception is for a site-wide exception for the pages identified by the pages member in the implicit top-level domain.

targets   = %x22 "targets" %x22

targets-v = array-of-strings

 

         

An OPTIONAL member named pages MAY be provided with an array value containing a list of URI-references that identify pages on the site where this exception should apply. Each URI-reference should be either relative to the implicit top-level domain origin or include the domain-origin as the host component, and the user-agent MUST reject the exception request if not. Subsequent HTTP requests to those pages and to the embedded 3rd party resources within them identified by the targets member will contain the DNT: 0 header. If the pages member is not present, or is empty, this exception should apply to HTTP requests to any resource on the site, other than the tracking status resource.

pages    = %x22 "pages" %x22

pages-v = array-of-strings

 

         

An optional member named explanation MAY be provided with a string value containing a short explanation of the exception request.

explanation   = %x22 "explanation" %x22

explanation-v = string

 

         

An optional member named detailURI MAY be provided with a string value containing the URI-Reference of the location at which further information about this exception request can be found.

detailuri   = %x22 "detailURI" %x22

detailuri-v = string      ;  URI-Reference

         

 

An optional member named web_wide MAY be provided with a boolean value which, if set to true, indicates that this request is for a web_wide exception.

web-wide   = %x22 "web_wide" %x22

web-wide-v = boolean

 

I believe the group discussed a proposal of this type under issue-138 (as you note). That proposal didn't seem to receive a lot of support from the group, perhaps in part because of the two general points I made above. I'm not sure first-party publishers would want these requests initiated to their users outside of their control. We might instead say that this isn't an exception request (it wouldn't be active in any case), but in that case, browsers already have the capability of looking up privacy practices of a site (P3P policies, maybe a TRUSTe seal, or through some other trust mechanism) and helping the user to make a decision to express a customized tracking preference to that domain.

 

Alternative API to request exceptions

[NoInterfaceObject]

interface NavigatorDoNotTrack {

    void requestTrackingException (TrackingResponseCallback callback, optional ExceptionDescriptor exceptionDescriptor, optional boolean promptForGeneralPreference, optional DOMString trackingExceptionID, optional DOMString originalDomainOrigin);

};

requestTrackingException

 

Called by a page to request or confirm a user-granted tracking exception.


Parameter | Type | Nullable | Optional | Description
callback | TrackingResponseCallback | ✘ | ✘ | A method that will be called when the request is complete.
exceptionDescriptor | DOMString or ExceptionDescriptor | ✘ | ✔ | Either a DOMString containing a URI-Reference to an exception description resource, or an instance of an ExceptionDescriptor object representing the content of an exception description resource. If null or not present this request is for a site-wide exception for the top-level domain. If this is a URI-Reference then it can be extensively cached. If it is an object then the user-agent may not retain the representation beyond the current session.
promptForGeneralPreference | Optional boolean | ✘ | ✔ | If set to true indicates to the user-agent a request that if the general preference DNT is currently unset the general preference determination UI be initiated. If as a result the user sets the general preference then this exception is requested.
trackingExceptionID | Optional DOMString | ✘ | ✔ | A string returned in the handleEvent callback from a previous call to requestTrackingException.
originalDomainOrigin | Optional DOMString | ✘ | ✔ | A DOMString containing the domain origin of the exception request that returned the trackingExceptionID above.

Return type: void

interface ExceptionDescriptor {

    attribute DOMString siteName;

    attribute DOMString organizationName;

    attribute DOMString policyURI;

    attribute sequence<DOMString> targets;

    attribute sequence<DOMString> pages;

 

As I understand it, `pages` is a parameter to provide additional granularity within a single first-party site, of the form "those third parties you work with can have an exception to track me, but only on this set of paths on your site". I'm not sure this level of granularity is generally needed.

 

    attribute DOMString explanationString;

    attribute DOMString detailURI;

    attribute DOMString trackingExceptionID;

 

};

ExceptionDescriptor

 

This object can be used to indicate information about the site requesting the exception if an exception request resource is not available. There is a direct relationship between the attributes of this interface and members of the exception description resource defined above.


Parameter | Type | Nullable | Optional | Description
siteName | DOMString | ✔ | ✔ | A human readable description for the site using the implicit top-level domain name.
organisationName | DOMString | ✔ | ✔ | A human readable name of the primary legal entity responsible for the site.
policyURI | DOMString | ✔ | ✔ | A URI of the document describing the human readable tracking policy (same as the tracking status resource policy member if that exists).
targets | sequence<DOMString> | ✔ | ✔ | A JavaScript array of strings identifying 0 or more targets, the domain names of embedded 3rd party content URIs to which this tracking exception is to be applied. If this attribute is null or the array has a length of 0 then this request is for a site-wide exception.
pages | sequence<DOMString> | ✔ | ✔ | A JavaScript array of strings containing 0 or more URIs relative to the top-level domain identifying the pages on this site where this tracking exception is to be applied. If this attribute is null or the array has a length of 0 the exception is requested to be applied to all pages on the site, i.e. any HTTP request with a URI containing a host fragment equal to the top-level domain.
explanationString | DOMString | ✔ | ✔ | A short explanation of the exception request.
detailURI | DOMString | ✔ | ✔ | A location at which further information about this exception request can be found.
web_wide | boolean | ✔ | ✔ | A boolean value which, if set to true, indicates that this request is for a web_wide exception.

 

 

 [Callback, NoInterfaceObject]

interface TrackingResponseCallback {

    void handleEvent (integer granted, optional DOMString trackingExceptionID);

};

handleEvent

 

The callback is called by the user agent to indicate the user's response.


Parameter | Type | Nullable | Optional | Description
granted | integer | ✘ | ✘ | 0 indicates that user does not grant the exception on top-level domain for the indicated targets, 1 indicates that the request was for specific targets and the user grants an exception on top-level domain for those specific targets, and 2 indicates the user grants a site-wide exception on top-level domain for all targets; the request may have been for specific targets or for a site-wide exception.
trackingExceptionID | DOMString | ✔ | ✔ | An arbitrary value that can be copied to the trackingExceptionID attribute of the ExceptionDescriptor object passed in a future call to requestTrackingException. The user-agent can return an opaque value, such as a hash of an internally generated random number combined with the organisationName and policyURI attributes, so it can recognise a future call from the same legal entity that made this request. If the trackingExceptionID cannot be matched to a previous granted exception, or the previously granted exception was for a different organisationName and/or policyURI the user-agent initiates the exception request UI. Otherwise it can simply confirm the exception request, so the user is not needlessly bombarded with exception request dialogs.

Return type: void

 

The requestTrackingException method takes one mandatory argument:

* callback, a method that will be called when the request is complete.

It also takes four optional arguments:

* exceptionDescriptor, an object describing the entity requesting the exception, and
* promptForGeneralPreference, a boolean indicating that this site is requesting that the general preference request UI is initiated if the general preference DNT is currently unset. If as a result the user sets the general preference then this exception is requested.

I'm not sure I understand the use case here, or why user agents would be likely to implement it. Should a particular site generally be able to force my browser to prompt for browser-wide settings?

 

Again, this is functionality that user agents can implement with the spec as it is: browsers can provide the method even when the general preference is unset and use those responses to collect exceptions and send DNT:0. I'm not sure what asking a user on a particular site to set a general preference would mean

 

 

* trackingExceptionID, a string returned in the handleEvent callback from a previous call to requestTrackingException. The user-agent can return an opaque value so it can recognise a future call from the same legal entity that made this request. If the trackingExceptionID cannot be matched to a previous granted exception with the specified originalDomainOrigin, or the previously granted exception was for a different organisationName and/or policyURI the User Agent can then display the exception UI. Otherwise it can simply confirm the request, so the user is not needlessly bombarded with exception confirmation dialogs.

I'm not quite sure I understand this. In order to prevent duplicate permission dialogs, a user agent might remember previous requests (currently, the pair of the top-level origin and a */list of tracker origins, and possibly an explanation string) and not always present the request to the user if an answer had been persisted. Can't the user agent accomplish this now without generating and sharing a new unique identifier?

 

* originalDomainOrigin, a DOMString containing the domain origin of the exception request that returned the trackingExceptionID above.

I'm not sure how this parameter would be used (is it not just the top-level domain? if it were something else, what would my JavaScript do differently?), perhaps because I didn't understand the previous parameter.

 

 

If the exceptionDescriptor parameter is null or the ExceptionDescriptor object’s  targets attribute is null, then this request is for a site-wide exception. The user-agent MAY then choose to ask the user to grant a site-wide exception. If it does so, and the user agrees, it MUST indicate this in the response callback. Otherwise each string in the ExceptionDescriptor object’s  targets attribute specifies a target.

When called, requestTrackingException MUST return immediately, and then asynchronously determine whether the user grants the requested exception(s).

The execution of this API and the use of the resulting permission (if granted) use the 'implicit' parameter, when the API is called, the document origin. This forms the first part of the duplet in the logical model, and hence in operation will be compared with the top-level domain.

The granted parameter passed to the callback is the user's response; the response

* 0 indicates that user does not grant the exception on top-level domain for the indicated targets.
* 1 indicates that the request was for specific targets and the user grants an exception on top-level domain for those specific targets.
* 2 indicates the user grants a site-wide exception on top-level domain for all targets; the request may have been for specific targets or for a site-wide exception.

 

If permission is granted then the duplet:

[document-origin, exception-descriptor]

 

is added to the database of remembered grants.

Whenever a user-agent sends a request for a top-level resource it can examine the exception-descriptor for the appropriate document-origin. If the exception-descriptor does not exist the DNT header indicates the general preference. Otherwise, if the top-level resource matches one of the entries in the pages attribute, or the pages attribute is null, a DNT: 0 header is included in the top-level resource request.

If the top-level resource returns an HTML document that contains elements, or results in their subsequent creation, that cause requests to be sent to an origin other than the top-level origin then the targets attribute of the exception-descriptor is checked. For each other-origin element, if the targets attribute is null or the origin of the element matches an entry in the targets attribute then a DNT: 0 header is included in the request for that element.

A particular response to the API — like a DNT response header — is only valid immediately, and users' preferences may change.

A user agent MAY use an interactive method to ask the user about their preferences, so sites SHOULD NOT assume that the callback function will be called immediately.

Alternative API to Cancel Exceptions

[NoInterfaceObject]

interface NavigatorDoNotTrack {

    boolean removeTrackingException ();

};

removeTrackingException

 

Ensures that the database of remembered grants no longer contains any duplets for which the first part contains the current document origin; i.e., no duplets [document-origin, exception-descriptor]. There is no callback. After the call has been made, it is assured that there are no site-specific or site-wide exceptions for the given top-level-domain.

Return type: boolean

This returns a boolean indicating, when true, that the call has succeeded, and that the database of grants no longer contains, or very soon will no longer contain, the indicated grant(s); when false, some kind of processing error occurred.

 

 

 

-----Original Message-----
From: Tracking Protection Working Group Issue Tracker [mailto:sysbot+tracker@w3.org] 
Sent: 24 September 2012 11:34
To: public-tracking@w3.org
Subject: tracking-ISSUE-167 (mikeo): Multiple site exceptions [Tracking Preference Expression (DNT)]

 

tracking-ISSUE-167 (mikeo): Multiple site exceptions [Tracking Preference Expression (DNT)]

 

http://www.w3.org/2011/tracking-protection/track/issues/167

 

Raised by: Mike O'Neill

On product: Tracking Preference Expression (DNT)

 

It is very common that a single legal entity controls very many websites, and wishes to apply a single privacy policy and set of standards across all or many of them.

 

For instance some multi-brand international consumer products companies control hundreds of websites and they currently offer a single "cookies policy" across their EU member state facing ones in order to help comply with the Privacy & Electronic Communications directive.

 

The DNT exception API currently would require a new user-agent UI interaction for every site under the same policy. It would be very useful for these companies that they could request one exception for their "tracking policy" so that they need not bombard their site visitors with multiple requests.

 

The current API usefully leverages the same-origin security model to ensure requests can not be forged by malicious parties, but at the moment this results in the exception being "locked" to a single domain name. The only alternative for these large multi-site organisations, other than repetitively polling their users, is to ask for a web-wide exception, which may not be appropriate for many users and so reduce consumer choice.

 

It might help me to understand the use case if we narrowed this down a little further; I believe this is already documented under issue-112. Are you talking about the case where a large first-party has multiple domains and doesn't want to have to ask the user for an exception for its third-party trackers on each of its properties? I believe Shane has described that case [0], which I think user agents can implement now [1] [2].

 

Or the case where a large third-party has multiple domains and wants to ask for a web-wide exception for all of them at once? I believe Vinay has described that case [3], and I think we could make a small change to the API to allow sub-domains to be included for web-wide exception requests to address it [2].

 

Thanks,

Nick

 

[0] http://lists.w3.org/Archives/Public/public-tracking/2012Jul/0165.html

[1] http://lists.w3.org/Archives/Public/public-tracking/2012Jul/0163.html

[2] http://lists.w3.org/Archives/Public/public-tracking/2012Aug/0191.html

[3] http://lists.w3.org/Archives/Public/public-tracking/2012Aug/0145.html

Received on Tuesday, 25 September 2012 14:34:51 UTC
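
Added example, not part of the original thread and not code from the Working Group or any browser: a sketch of the user-agent side of the proposal above, covering the MUST-reject check on "pages", the remembered [document-origin, exception-descriptor] duplet, and the choice of DNT value for first-party and embedded requests. All function names are hypothetical, and the full-origin comparison and exact hostname match for "targets" are assumptions.

```javascript
// Added illustration, not code from the thread. All function names are
// hypothetical; origins and paths used with it are constructed sample values.

// Database of remembered grants: document-origin -> exception descriptor.
const grants = new Map();

// Resolve each "pages" URI-reference against the document origin. A reference
// that lands on another origin makes the whole request invalid (the proposal's
// MUST-reject rule). Assumption: "same site" is checked as full origin equality.
function normalisePages(documentOrigin, pages) {
  if (!pages || pages.length === 0) return null; // null: every page on the site
  return pages.map((ref) => {
    const url = new URL(ref, documentOrigin + "/");
    if (url.origin !== documentOrigin) {
      throw new Error("pages entry is outside " + documentOrigin + ": " + ref);
    }
    return url.pathname;
  });
}

// Store the duplet [document-origin, exception-descriptor] once the user agrees.
// Validation runs first, so a rejected request never alters an existing grant.
function rememberGrant(documentOrigin, descriptor) {
  const pages = normalisePages(documentOrigin, descriptor.pages);
  const targets = descriptor.targets && descriptor.targets.length > 0
    ? descriptor.targets.map((t) => t.toLowerCase())
    : null; // null: site-wide, any embedded origin
  grants.set(documentOrigin, { pages, targets });
}

// removeTrackingException: afterwards no duplet for this origin remains.
function removeGrant(documentOrigin) {
  grants.delete(documentOrigin);
  return true;
}

function pageCovered(grant, pathname) {
  return grant.pages === null || grant.pages.includes(pathname);
}

// Value of the DNT header for one request made while topLevelUrl is displayed.
// Returns "0" under a matching grant, otherwise the general preference
// (null when the user has not set one, meaning no header is sent).
function dntFor(topLevelUrl, requestUrl, generalPreference) {
  const top = new URL(topLevelUrl);
  const req = new URL(requestUrl);
  const grant = grants.get(top.origin);
  if (!grant) return generalPreference;
  if (req.origin === top.origin) {
    // First-party request: only the listed pages carry DNT: 0.
    return pageCovered(grant, req.pathname) ? "0" : generalPreference;
  }
  // Embedded third-party request: the embedding page must be covered and the
  // target listed. Assumption: targets match the request hostname exactly.
  if (!pageCovered(grant, top.pathname)) return generalPreference;
  const listed = grant.targets === null || grant.targets.includes(req.hostname);
  return listed ? "0" : generalPreference;
}
```

A protocol-relative entry such as "//other.example/x" resolves to a different origin and is rejected by the same check as an absolute cross-origin URI.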