Re: Issue for discussion on Wed - User Agent Compliance from David Singer on 2013-07-16 (public-tracking@w3.org from July 2013)

From: David Singer <singer@apple.com>
Date: Tue, 16 Jul 2013 18:06:33 +0200
To: Rigo Wenning <rigo@w3.org>
Cc: Alan Chapell <achapell@chapellassociates.com>, public-tracking@w3.org, Sid Stamm <sid@mozilla.com>, Justin Brookman <jbrookman@cdt.org>
Message-id: <36923D11-C277-4723-B67A-FC4EB6718310@apple.com>

On Jul 15, 2013, at 22:32 , Rigo Wenning <rigo@w3.org> wrote:

> Alan, 
> 
> On Monday 15 July 2013 13:25:26 Alan Chapell wrote:
>> Thanks Rigo. Does this language (borrowed from David Singer) work
>> better?
>> 
>> 
>> "A user agent MUST NOT share information related to the network
>> interaction with any party other than the user without consent."
> 
> This would mean that the user agent can not load a thing without 
> consent. Because the user agent must share IP address and other things 
> with a lot of parties other than the user to obtain the content and just 
> that (not even tracking). 
> 
> I know what you mean, the wording still doesn't do the trick. The 
> problem here is not the consensus, but the wording…

whoops, maybe you are right.  let's keep thinking.

but, let's say I visit a site that needs a plug-in.  somehow I trigger you into loading a page that loads that plug-in.  haven't you just visited that other site?

OK, let's imagine a browser that has a table, "if a page needs X, then load Y form site Z".  Now I visit Q, which needs X loaded (a font, a plug-in, whatever).  The browser detects this and asks "do you want to load Y from Z, it's needed for this page?".  The user says yes;  the browser then visits Z to load Y, but there is no reason for it to mention Q (or for any data to flow between or about Q and Y) is there?

> 
> --Rigo
>> 
>> On 7/10/13 1:39 PM, "Rigo Wenning" <rigo@w3.org> wrote:
>>> Sid, 
>>> 
>>> I think what they want to say is that the browser shouldn't phone
>>> home and reveal information collected client side. To put that in
>>> words is non trivial. I agree that the current wording covers too
>>> much of the actual network interaction between browser and server
>>> that is not meant.
>>> 
>>> One way of addressing that is to treat extensions and widgets like
>>> web pages and either treat them as first or third parties. Another
>>> possibility is to say that the browser should not share historical
>>> information or actual browsing information outside of the browsing
>>> context it was collected for.
>>> 
>>> But we need more ideas on wording here..
> 

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Tuesday, 16 July 2013 16:07:05 UTC