Re: Issue for discussion on Wed - User Agent Compliance

From: Justin Brookman <jbrookman@cdt.org>
Date: Wed, 10 Jul 2013 11:05:55 -0400
Cc: Sid Stamm <sid@mozilla.com>, <public-tracking@w3.org>
Message-Id: <5B17D438-76A4-4701-8704-19BCDFD42615@cdt.org>
To: Alan Chapell <achapell@chapellassociates.com>
I don't think this fixes my problem. Amazon's Kindle Fire MITMs all network requests in the cloud in order to more efficiently render them on the relatively unsophisticated client. So it's going to collect all the user's URLs on Amazon servers. A prohibition on sharing that data wouldn't stop Amazon from retaining the logs forever and using them for OBA or anything else.

As I said, I think defining the company that provides a browser as a third party would fix the problem, but it may introduce others that Sid alludes to.  We might need to put in language that completing a user-initiated network transaction is not affected, or is a permitted use, or perhaps it's already OK as it's being done with consent.

On Jul 10, 2013, at 10:59 AM, Alan Chapell <achapell@chapellassociates.com> wrote:

> Thanks Sid / Justin - I'm wondering if this addresses things better.
> 
> 
> Proposed language:
> "A user agent MUST NOT share information related to the network
> interaction with parties outside such interaction without consent."
> 
> 
> Does that address your concern?
> 
> -a
> 
> 
> 
> 
> On 7/10/13 10:39 AM, "Sid Stamm" <sid@mozilla.com> wrote:
> 
>> Alan,
>> 
>> I think I get where you're going, but I'm not sure this language is clear.
>> 
>> On 7/10/13 7:10 AM, Alan Chapell wrote:
>>> Proposed language:
>>> "A user agent MUST NOT share information related to the network
>>> interaction
>>> without consent."
>> 
>> This suggests to me that the user agent must not share information about
>> one network interaction (A) with another network interaction (B)....
>> which in turn makes me wonder about multi-interaction sites (those with
>> first party A and third party B).
>> 
>> Do UAs stop sending referrers?  That is a direct share of URL from A
>> with entity in B.  I don't think we want to go down this path.
>> 
>>> Rationale: 
>>> In reviewing the June draft with colleagues, it occurred to me that some
>>> User Agents, technically speaking, could engage in tracking. My sense
>>> is
>>> that it is implicit that User agents would fall under the definition of
>>> third party under this spec and therefore would be subject to certain
>>> requirements. My goal was to make that more explicit.
>> 
>> I agree with Ted here: user agents are employed by their users and
>> self-collection (tracking oneself) isn't a first or third party
>> activity the way we've been discussing them.
>> 
>> My feel is that we don't need this language at all since "UA company as
>> a web property" would already have reason to comply, and no new language
>> is required to trigger it.
>> 
>> But consider the hypothetical situation where the user agent
>> automatically transmits my browsing history to some data-collection
>> service.  Shouldn't the DNT header be sent along with that transmission,
>> requesting that the service respects it?  My concern is that as soon as
>> we start requiring the UA to block transmissions of anything, we risk
>> creeping into the realm of content blocking instead of signal-sending
>> (which I don't think we want to do in this WG).
>> 
>> -Sid
>> 
>> 
> 
> 
Received on Wednesday, 10 July 2013 15:06:27 UTC