
Re: TPWG agenda for Wednesday, January 16

From: David Singer <singer@apple.com>
Date: Tue, 29 Jan 2013 17:03:22 +0100
Message-id: <54D42716-EE21-4ED8-B4C0-CBCACA55F778@apple.com>
To: "public-tracking@w3.org WG" <public-tracking@w3.org>
Possible regrets from me, as I am at a 3GPP standards meeting (Europe).  I'll do my best.

Anticipating the worst, here is my redux of the open and raised issues I have something to say about, very briefly:

On Jan 29, 2013, at 14:49 , Peter Swire <peter@peterswire.net> wrote:

> ---------------------------
> 6. TPE: Screening of RAISED ISSUES
> --------------------------
> Chair: Matthias Schunter
> Schunter would like to screen the TPE related issues that are raised:
> http://www.w3.org/2011/tracking-protection/track/products/2
> The goal is to:
> - Gather feedback which ISSUES to tackle next
> - Gather feedback whether some ISSUES can be closed / have been obsoleted
> - Assign initial actions to the ISSUEs that we want to open

ISSUE-112: How are sub-domains handled for site-specific exceptions?
  My suggestion is linked to the issue, in <http://lists.w3.org/Archives/Public/public-tracking/2013Jan/0071.html>.  Briefly, don't bother with a flag for sub-domains, always include them.
ISSUE-167: Multiple site exceptions
  I also cover parties with multiple sites here that the sub-domain handling (issue 112 above) doesn't handle.

ISSUE-164: To what extent should the "same-party" attribute of tracking status resource be required
  I think the problem will accrue to the non-declarer (without same-party they may be mistaken for a rogue first-party, for example), so I don't personally see a need for a 'must'.

ISSUE-176: Requirements on intermediaries/isps and header insertion that might affect tracking
   Two aspects immediately come to mind.  (a) How does the UA/user know what happened (pretty important if the intermediary is changing DNT:1 to DNT:0 or removing it)?  (b) If the intermediary inserts or changes to DNT:1, how are exceptions handled?  On (b): If (i) the UA implements exceptions, the situation is fine for the site.  If (ii) the UA does not, it is as if all exceptions are denied -- the user may be unable to get their desired access to sites. They either need to move their network location, or get a new UA (or both).  On (a) I have long noted this as a problem, but I don't have an answer. It's a potential problem with hypothetical proxies that discard headers they don't understand, for example.

ISSUE-143: Activating a Tracking Preference must require explicit, informed consent from a user
  The body seems to suggest that there should be some way to identify what software set the DNT header. There is a presumption of the user-agent, I assume, in the absence of evidence to the contrary. But if it's a proxy, firewall, or plug-in, can this be identified?  If so, how?

ISSUE-151: User Agent Requirement: Be able to handle an exception request
   I don't see any practical difference between a UA that handles exceptions and the user has set to 'always reject', and a UA that doesn't have the call, so I don't see a need for 'must'. I do see why exceptions are needed by both ends and so I am quite happy with a 'should'.

ISSUE-152: User Agent Compliance: feedback for out-of-band consent
   We don't have any requirements on the UA to check anything; we make it possible, and leave how much is checked or presented, up to the UA. I think a number of organizations are looking into 'debugging tools' for both sides of DNT, and I suggest we leave this up to them for the moment. Yes, UAs could flag sites claiming consent out-of-band (without an exception) and maybe they will, but I don't think it needs to be required.

ISSUE-159: How do we allow sites that mash-in ad-supported content to maintain their own 'trusted third parties'?
   I wanted this on the record as an edge-case problem, but please let's leave it over the edge for the first version (last call candidate CR).

ISSUE-161: Do we need a tracking status value for partial compliance or rejecting DNT?
   I proposed qualifiers and documentation for both of these in my end-of-year redux mail: 
	!	Construction in process; response headers, the well-known-resource, and compliance may be correct, or may not be; compliance is not (yet)
		claimed for this site
	n	Not Listening; for some reason, this site is not listening to some or all users' expressed preferences. The explanation can be found by
		loading the page referenced by the notlistening part of the well-known resource, which must exist. 
		The compliance of responses with this qualifier is unknown.

ISSUE-162: If we have a mechanism for indicating partial compliance, how do we convey to the user why, and what is not being complied with, in a machine-readable manner?
   I assume this is about 'under construction', and if it is, see above.

ISSUE-168: What is the correct way for sub-services to signal that they are taking advantage of a transferred exception?
   I previously suggested that the third party say qualifier 's' (I am providing service to another) as a qualifier. If we go with the 'data controller' link in the WKR, then instead the party would signal 'I have consent' in its response, and a check of the WKR would reveal a pointer to the party it's providing data to, and we can check whether it is a first party or has consent.

ISSUE-182: protocol for user agents to indicate whether a request with DNT set is 1st party or 3rd party
   The write-up here appears to conflate 'Is 1st or 3rd party' with 'Is or is not the top-level origin' -- they are not a perfect match. I don't think the UA knows reliably who is first or 3rd (certainly not on joint ownership or known mashed sites) so it's possible for it to say "and I think you are a 3rd party" in the outbound header with any precision.

ISSUE-183: Additional Tk header status value for EU
   I don't follow why it's confusing for 'simple resources' of the 1st party to conform to 3rd party rules.  Indeed, I would expect that the vast majority of resources served will be cachable, CDN-able, and so on, and be effectively non-tracking resources. A resource 'designed for use in a 3rd party context' means it can also be used in a 1st party context.  Perhaps all we need is that as a note, or to say 'is designed for use in any context including 3rd party'?

ISSUE-185: There should not be an API for web-wide exceptions
    Unlike site exceptions, where the 1st party asks for a different DNT header to be sent to its third parties, web-wide exceptions ask for a different DNT status to be sent to the requesting party only. A cookie, or other memory by the party, serves as well. The DNT exception has the only advantage that it might (?) not be cleared when cookies are cleared, and that the exception is evident to the UA and hence possibly the user, whereas an out-of-band exception (even if recorded in a cookie) is not.
    Whether the user is warned when exceptions are requested or set, and how, is not certain; some UAs may well set some indicator that this site has 'special tracking status' (exceptions that apply), for example. 

My action-357 is still pending, and I am listening to Roy's conversation on the subject.

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Tuesday, 29 January 2013 16:04:16 UTC
