Re: Issue for discussion on Wed - User Agent Compliance

Thanks Rigo. Does this language (borrowed from David Singer) work better?


"A user agent MUST NOT share information related to the network
interaction with any party other than the user without consent."





On 7/10/13 1:39 PM, "Rigo Wenning" <rigo@w3.org> wrote:

>Sid, 
>
>I think what they want to say is that the browser shouldn't phone home
>and reveal information collected client side. To put that in words is
>non-trivial. I agree that the current wording covers too much of the
>actual network interaction between browser and server that is not meant.
>
>One way of addressing that is to treat extensions and widgets like web
>pages and either treat them as first or third parties. Another
>possibility is to say that the browser should not share historical
>information or actual browsing information outside of the browsing
>context it was collected for.
>
>But we need more ideas on wording here..
>
> --Rigo
>
>On Wednesday 10 July 2013 07:39:41 Sid Stamm wrote:
>> Alan,
>> 
>> I think I get where you're going, but I'm not sure this language is
>> clear.
>> On 7/10/13 7:10 AM, Alan Chapell wrote:
>> > Proposed language:
>> > "A user agent MUST NOT share information related to the network
>> > interaction without consent."
>> 
>> This suggests to me that the user agent must not share information
>> about one network interaction (A) with another network interaction
>> (B).... which in turn makes me wonder about multi-interaction sites
>> (those with first party A and third party B).
>> 
>> Do UAs stop sending referrers?  That is a direct share of URL from A
>> with entity in B.  I don't think we want to go down this path.
>> 
>> > Rationale:
>> > In reviewing the June draft with colleagues, it occurred to me that
>> > some User Agents - technically speaking - could engage in tracking.
>> > My sense is that it is implicit that User agents would fall under
>> > the definition of third party under this spec and therefore would
>> > be subject to certain requirements. My goal was to make that more
>> > explicit.
>> 
>> I agree with Ted here: user agents are employed by their users and
>> self-collection (tracking oneself) isn't a first or third party
>> activity the way we've been discussing them.
>> 
>> My feel is that we don't need this language at all since "UA company
>> as a web property" would already have reason to comply, and no new
>> language is required to trigger it.
>> 
>> But consider the hypothetical situation where the user agent
>> automatically transmits my browsing history to some data-collection
>> service.  Shouldn't the DNT header be sent along with that
>> transmission, requesting that the service respects it?  My concern is
>> that as soon as we start requiring the UA to block transmissions of
>> anything, we risk creeping into the realm of content blocking instead
>> of signal-sending (which I don't think we want to do in this WG).
>> 
>> -Sid
>
>

Received on Monday, 15 July 2013 17:53:20 UTC