Re: Moving "C"onsent from Tracking Status to Permitted Use?

From: Nicholas Doty <npdoty@w3.org>
Date: Thu, 11 Apr 2013 12:34:48 -0700
Cc: "Roy T. Fielding" <fielding@gbiv.com>, "Matthias Schunter (Intel Corporation)" <mts-std@schunter.org>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-Id: <613B42B1-A10F-4BAA-8E28-CBC3A1A71285@w3.org>
To: David Singer <singer@apple.com>

From some brief experience implementing tracking status resources for domains, I could see some value in having a "!1" or "!3" signal.

In that case, I would suggest defining the semantics of "!" to mean "I do not claim compliance and nothing after this character should be interpreted as indicating compliance". It would help in testing because during my testing phase I could have different alleged tracking status values after the "!" so that my team can confirm that my system is returning "1" or "3" under the appropriate conditions. (And once it is, the developer can just remove the "!".)

If "!" is a strict replacement for 1/3/C then I can't deploy code that tests incomplete implementations of dynamically determining 1st or 3rd party status.

Thanks,
Nick

On Apr 3, 2013, at 5:43 PM, David Singer <singer@apple.com> wrote:

> Hi Roy
> 
> I think you are answering a poorly raised I unintended question.  I was not suggesting to change your defined semantics for 1st and 3rd party, merely that whether I have consent or not, or claim conformance yet, or not, are orthogonal to those statuses rather than replacements...
> 
> Apologies
> 
> Sent from my iPad
> 
> On Apr 3, 2013, at 5:23 PM, "Roy T. Fielding" <fielding@gbiv.com> wrote:
> 
>> On Apr 3, 2013, at 2:52 PM, David Singer wrote:
>> 
>>> I have previously preferred distinguishing "who I am" from "how I am operating", and I feel that having C and ! as 'status' indicators rather than qualifiers means that I can no longer tell whether I am interacting with someone who thinks of themselves as a 1st or 3rd party.  So I agree, rather than C or ! as the first character, I think that
>>> 
>>> 1C -- first party with consent
>>> 3C -- third party with consent
>>> 1!  -- first party under construction
>>> 3!  -- third party under construction
>>> 
>>> seem to make more sense, and be more informative.  As it is, if I get "!" in today's spec I am not able to tell whether the site is trying to construct a 3rd or 1st party experience; similarly for "C".
>> 
>> It is impossible for the receiving server to know who is the first
>> or the third party in any given interaction.  That knowledge exists
>> only within the head of the user, and even then only if we assume
>> the user has a deliberate intention and awareness of the interacting
>> parties and not simply clicking on links because the pictures are
>> pretty.
>> 
>> What an origin server can do is indicate what limitations they adhere
>> to during (and promise to adhere to after) a given interaction.
>> 
>> Neither "C" nor "!" are qualifiers -- they are the relevant answer
>> to the tracking status question, in each case.
>> 
>> "C" indicates the server operates with consent and is limited only
>> by the terms of that consent (whatever those terms may be, which
>> could be far outside the scope of DNT or even more limited than a 3).
>> That answer is not in any way orthogonal to 1 and 3.
>> 
>> "!" indicates that the server DOES NOT conform.  Such an answer
>> cannot in any way shape or form be orthogonal to 1 and 3, both
>> of which are explicit statements of conformity to a list of
>> requirements specified in TCS.
>> 
>> There is a reason why I specified it this way.  The answer given
>> is being portrayed as a statement of business practice from the
>> party answering to the consumer (and, yes, I do use that term
>> intentionally here).  As such, it has to be truthful.  And since
>> there is no possible way for an origin server to make a truthful
>> statement about the intentions of the user, I cannot implement
>> a DNT standard that says "I am a first party" without lying to
>> the consumer.  Period.
>> 
>> Nor do I need to -- the privacy benefits of this protocol are
>> already accomplished by the design in the spec right now, which
>> actually can be implemented by origin servers.  If you think not,
>> then please explain why and we can try to fix that.  Otherwise,
>> we are certain to not make any progress if we revert to a protocol
>> that allows trolls to sue a website owner simply by deliberately
>> crafting pages that make subrequests on resources that are only
>> designed for first party interaction.
>> 
>> ....Roy
>> 
> 
Received on Thursday, 11 April 2013 19:35:03 UTC
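
An added example, not part of the original message or of the specification: a Python sketch of how a test harness could apply the "!" semantics proposed at the top of this message, where "!1" or "!3" never counts as a compliance claim but the alleged value stays available for testing. The function names, the acceptance of "!C", and the example.test URLs are assumptions made for illustration.

```python
# Added illustration of the "!" prefix proposed in the message above;
# this is not the normative tracking status grammar.
from dataclasses import dataclass
from typing import Optional

STATUS_VALUES = {"1", "3", "C"}  # values named in the thread

@dataclass(frozen=True)
class TrackingStatus:
    raw: str
    claims_compliance: bool   # False whenever "!" leads the value
    status: Optional[str]     # value a consumer may rely on
    alleged: Optional[str]    # test-only value after "!", never a claim

def parse_tracking_status(value: str) -> TrackingStatus:
    """Parse a status value under the proposed "!" semantics."""
    raw = value.strip()
    if not raw:
        raise ValueError("empty tracking status value")
    if raw.startswith("!"):
        rest = raw[1:]
        # Assumption: any known status, including "C", may follow "!".
        if rest and rest not in STATUS_VALUES:
            raise ValueError(f"unknown alleged status {rest!r}")
        # Nothing after "!" indicates compliance; keep it only for testing.
        return TrackingStatus(raw, False, None, rest or None)
    if raw not in STATUS_VALUES:
        raise ValueError(f"unknown tracking status {raw!r}")
    return TrackingStatus(raw, True, raw, None)

def check_deployment(observed: dict, expected: dict) -> list:
    """Return (url, expected, got) for each URL whose value is wrong."""
    mismatches = []
    for url, want in expected.items():
        parsed = parse_tracking_status(observed[url])
        got = parsed.status if parsed.claims_compliance else parsed.alleged
        if got != want:
            mismatches.append((url, want, got))
    return mismatches

# Constructed sample values from a hypothetical staging site.
SAMPLE_OBSERVED = {
    "https://example.test/": "!1",
    "https://example.test/widget.js": "!3",
    "https://example.test/ads": "!1",  # party detection returned the wrong value
}
SAMPLE_EXPECTED = {
    "https://example.test/": "1",
    "https://example.test/widget.js": "3",
    "https://example.test/ads": "3",
}
```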
