Re: Issue for discussion on Wed - User Agent Compliance from Alan Chapell on 2013-07-10 (public-tracking@w3.org from July 2013)

From: Alan Chapell <achapell@chapellassociates.com>
Date: Wed, 10 Jul 2013 10:59:04 -0400
To: Sid Stamm <sid@mozilla.com>
CC: Justin Brookman <jbrookman@cdt.org>, <public-tracking@w3.org>
Message-ID: <CE02ED1A.35251%achapell@chapellassociates.com>

Thanks Sid / Justin - I'm wondering if this addresses things better.


Proposed language:
"A user agent MUST NOT share information related to the network
interaction with parties outside such interaction without consent."


Does that address your concern?

-a




On 7/10/13 10:39 AM, "Sid Stamm" <sid@mozilla.com> wrote:

>Alan,
>
>I think I get where you're going, but I'm not sure this language is clear.
>
>On 7/10/13 7:10 AM, Alan Chapell wrote:
>> Proposed language:
>> "A user agent MUST NOT share information related to the network
>>interaction
>> without consent."
>
>This suggests to me that the user agent must not share information about
>one network interaction (A) with another network interaction (B)....
>which in turn makes me wonder about multi-interaction sites (those with
>first party A and third party B).
>
>Do UAs stop sending referrers?  That is a direct share of URL from A
>with entity in B.  I don't think we want to go down this path.
>
>> Rationale: 
>> In reviewing the June draft with colleagues, it occurred to me that some
>> User Agents  technically speaking  could engage in tracking. My sense
>>is
>> that it is implicit that User agents would fall under the definition of
>> third party under this spec and therefore would be subject to certain
>> requirements. My goal was to make that more explicit.
>
>I agree with Ted here: user agents are employed by their users and
>self-collection (tracking ones self) isn't a first or third party
>activity the way we've been discussing them.
>
>My feel is that we don't need this language at all since "UA company as
>a web property" would already have reason to comply, and no new language
>is required to trigger it.
>
>But consider the hypothetical situation where the user agent
>automatically transmits my browsing history to some data-collection
>service.  Shouldn't the DNT header be sent along with that transmission,
>requesting that the service respects it?  My concern is that as soon as
>we start requiring the UA to block transmissions of anything, we risk
>creeping into the realm of content blocking instead of signal-sending
>(which I don't think we want to do in this WG).
>
>-Sid
>
>

Received on Wednesday, 10 July 2013 14:59:39 UTC