Re: Issue for discussion on Wed - User Agent Compliance

Sid, 

I think what they want to say is that the browser shouldn't phone home 
and reveal information collected client side. To put that in words is 
non-trivial. I agree that the current wording covers too much of the 
actual network interaction between browser and server that is not meant. 

One way of addressing that is to treat extensions and widgets like web 
pages and treat them as either first or third parties. Another 
possibility is to say that the browser should not share historical 
information or actual browsing information outside of the browsing 
context it was collected for. 

But we need more ideas on wording here.

 --Rigo

On Wednesday 10 July 2013 07:39:41 Sid Stamm wrote:
> Alan,
> 
> I think I get where you're going, but I'm not sure this language is
> clear.
> On 7/10/13 7:10 AM, Alan Chapell wrote:
> > Proposed language:
> > "A user agent MUST NOT share information related to the network
> > interaction without consent."
> 
> This suggests to me that the user agent must not share information
> about one network interaction (A) with another network interaction
> (B).... which in turn makes me wonder about multi-interaction sites
> (those with first party A and third party B).
> 
> Do UAs stop sending referrers?  That is a direct share of URL from A
> with entity in B.  I don't think we want to go down this path.
> 
> > Rationale:
> > In reviewing the June draft with colleagues, it occurred to me that
> > some User Agents - technically speaking - could engage in tracking.
> > My sense is that it is implicit that User agents would fall under
> > the definition of third party under this spec and therefore would
> > be subject to certain requirements. My goal was to make that more
> > explicit.
> 
> I agree with Ted here: user agents are employed by their users and
> self-collection (tracking oneself) isn't a first or third party
> activity the way we've been discussing them.
> 
> My feel is that we don't need this language at all since "UA company
> as a web property" would already have reason to comply, and no new
> language is required to trigger it.
> 
> But consider the hypothetical situation where the user agent
> automatically transmits my browsing history to some data-collection
> service.  Shouldn't the DNT header be sent along with that
> transmission, requesting that the service respects it?  My concern is
> that as soon as we start requiring the UA to block transmissions of
> anything, we risk creeping into the realm of content blocking instead
> of signal-sending (which I don't think we want to do in this WG).
> 
> -Sid

Received on Wednesday, 10 July 2013 17:40:22 UTC