- From: Edward O'Connor <eoconnor@apple.com>
- Date: Tue, 09 Jul 2013 10:52:53 -0700
- To: public-tracking@w3.org
- Cc:
Hi,

Alan wrote:

>> Proposed language:
>> "A user agent MUST NOT track information related to the network
>> interaction outside of the [Permitted Uses] and any explicitly-granted
>> exceptions without consent."

This language doesn't work as proposed. The User Agent is a piece of software acting on behalf of the user—hence the term. And as David said, one cannot track oneself.

Users reasonably worry that information about them is being collected and retained by websites they don't have a direct relationship with. This is the concern that we are trying to address within the context of this Working Group, and this is the problem that we are chartered to solve.

Now, it's entirely sensible for users to *also* worry about the information their User Agent is storing about them—most browsers have a special mode (Private Browsing, "Incognito," etc.) within which they retain less information about the user. It might be worthwhile to pursue standardization of this feature at the W3C—in a Working Group chartered to do so. But this WG is not so chartered.

>> Rationale:
>> In reviewing the June draft with colleagues, it occurred to me that
>> some User Agents – technically speaking – could engage in tracking.

The basic architecture of all user agents includes all manner of features that retain data across network transactions. Off the top of my head, here are some of them. This list is by no means exhaustive.

* Browsing history (the cache used by the back button, etc.)
* Form data (for form autofill features)
* Cookies, local storage, etc. (for session state)
* The page cache

I'm sure you didn't mean to affect features like these with your proposed text. Instead, you provided Amazon's Silk browser as an example. David replied:

> OK, this one is more interesting. To what extent is the Silk browser
> effectively a 'distributed user agent'? I agree with others that
> trying to restrict what my local software can remember locally on my
> behalf is not needed (it's part of me, the presumably second party),

I think it's dangerous to rely on a distinction between 'local' and 'distributed' here. Consider the syncing features offered by Google Chrome[1], Firefox[2], Safari[3], Internet Explorer[4], and Opera[5]. Such syncing does not alter the relationship between user and User Agent—in all these cases, User Agents act on behalf of their users, and do not fall under either the first- or third-party definitions.

David went on to say:

> but I agree with you that the browser *vendor* or other 'parties' are
> third parties by definition.
[…]
> But yes, we need to be clear that all other parties (including the
> user-agent vendor) are third parties and subject to these controls.

Yes, I think it's worth distinguishing between, say, "Google in the context of Chrome's sync and other browser features" and "Google in the context of AdSense." The latter certainly falls under our work in this WG—$CORP doesn't get a pass simply because $CORP also happens to manufacture the User Agent being used. I support adding text that makes this clear, but Alan's proposed text doesn't accomplish this.

Ted

1. https://support.google.com/chrome/answer/165139
2. http://www.mozilla.org/en-US/mobile/sync/
3. http://www.apple.com/safari/#icloud
4. http://windows.microsoft.com/en-us/windows-8/sync-settings-pcs
5. http://www.opera.com/link
Received on Tuesday, 9 July 2013 17:53:17 UTC