Re: Signals for internal / external usage of site elements (the signals formerly called "1" and "3")

Hi Brooks,

thanks for the input.

Your scenarios look correct:
- In the first case, Google may accidentally collect tracking data (by 
being embedded into the Matthias site).
   And - as you observed in the second case - there is nothing (at least 
not straightforward) that Google can do to prevent this
   since the request looks like a normal request. As a consequence, they 
may run their "normal" analytics on this data
   and may - as a consequence - collect tracking data about the Matthias 
site (I agree - without sharing this data).

   By marking their elements with "1" it is clear that it was not their 
fault.
- The second case illustrates the benefit from a browser perspective:
   - All elements come from Matthias and are, e.g., marked "1+N" for not 
tracking
   - There is one element coming from Google marked "1" coming from 
another site (Google)
   - This may raise suspicion by a user agent (why does this site use 
a "1" element from another site?)

Note: The goal of my mail was to discuss whether we want to retain this 
feature or drop it. It is certainly an edge case and I would like to 
assess the benefits of keeping it versus gaining simplicity by dropping 
it (and maybe re-introducing it later within the scope of the compliance 
spec).


Regards,
matthias


Am 06.01.2014 22:29, schrieb Dobbs, Brooks:
> Matthias,
>
> You lost me…
> In the scenario you give Matthias' site would not be tracking; rather 
> it would arguably be putting Google in a position where it 
> unintentionally became a tracker.  I would assume that if Matthias' 
> home page took the Google logo and, without Google's permission placed 
> its fully qualified URL on his site, that Google would not likely 
> respond by sharing the data thereby collected in its unintentional 3rd 
> party context with Matthias.
>
> If Matthias' site reuses a Google element by embedding img 
> src=http://www.google.com/images/logo.gif on Matthias.com, how does 
> Matthias.com respond with anything to this request?  It never goes to 
> Matthias.com?
>
> -Brooks
>
> -- 
>
> *Brooks Dobbs, CIPP* | Chief Privacy Officer | *KBM Group* | Part of 
> the Wunderman Network
> (Tel) 678 580 2683 | (Mob) 678 492 1662 | *kbmg.com*
> brooks.dobbs@kbmg.com
>
> From: "Matthias Schunter (Intel Corporation)" <mts-std@schunter.org>
> Date: Monday, January 6, 2014 3:23 PM
> To: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
> Subject: Signals for internal / external usage of site elements (the 
> signals formerly called "1" and "3")
> Resent-From: <public-tracking@w3.org>
> Resent-Date: Monday, January 6, 2014 3:23 PM
>
> Hi Team,
>
>
> as part of removing dependencies in the compliance spec, Roy removed 
> the "1" and "3" signals.
> I would like to make a case for keeping these two signals in a revised 
> form.
>
> SCENARIO TO PREVENT
>
> The reason these signals were included is to detect/prevent the 
> following scenario:
> 1. - A party designs an element to be used _only_ within its own 
> web-site (e.g., the google logo).
> 2. - The party uses this element for some kind of tracking
> 3. - Another site (say Matthias's homepage) re-uses the element and, 
> e.g., claims "not to do tracking"
> 4. - However, in fact, the other site does tracking (by accidentally 
> embedding the tracking element)
>
>
> OLD TEXT
> This is the text, I copied from an older version of the DNT spec.
>
> 3  *Third party*: The designated resource is designed for use within a 
> third-party context and conforms to the requirements on a third party.
> 1  *First party*: The designated resource is designed for use within a 
> first-party context and conforms to the requirements on a first party. 
> If the designated resource is operated by an outsourced service 
> provider, the service provider claims that it conforms to the 
> requirements on a third party acting as a first party.
>
>
> Roy had to remove the text since it references "requirements on a 
> first party" (that is undefined in the TPE and will be defined in the 
> compliance regime)
>
> PROPOSED NEW TEXT
> I think that the signaling of "elements for site-internal use" and 
> "elements re-usable by other sites" remains useful.
>
> 3  *Third party*: The designated resource is designed for re-use by 
> other parties.
> 1  *First party*: The designated resource is designed for use within the 
> serving party.
>
>
> In the scenario above,  this would work as follows:
> 1. - A party designs an element to be used _only_ within its own 
> web-site (e.g., the google logo) ("1")
> 2. - The party uses this element for some kind of tracking ("T")
> 3. - Another site (say Matthias's homepage) re-uses the element and, 
> e.g., claims "not to do tracking" ("N")
> 4. - However, in fact, the other site does tracking (by accidentally 
> embedding the tracking element)
> The result (detectable by a browser or by the site owner) is that a 
> "1+T" element from another site would
> show up on the page that claims "N".  This may indicate a potential 
> problem.
>
> Any opinions/feedback/improvements?
>
>
> Regards,
> matthias

Received on Tuesday, 7 January 2014 09:06:53 UTC
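
The check discussed in the thread above (a "1" element from another site showing up on a page, in particular a "1+T" element on a page claiming "N"), written out as an added example that is not part of the original mails or of any DNT specification text. The function names, the input shape, the exact-hostname comparison and the hosts `matthias.example` and `widgets.example` are assumptions, and the sample page data is constructed.

```javascript
// Added illustration: flag elements that declare themselves as designed for
// use within the serving party ("1") but are embedded on another site's page.
// Status strings follow the thread's notation, e.g. "1+N", "1+T".

// Split a status such as "1+T" into its individual signals.
function parseStatus(status) {
  return new Set(status.split("+").map((s) => s.trim()).filter(Boolean));
}

// Assumption: "same site" is approximated by an exact hostname match.
function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// page: { url, status }; elements: [{ url, status }]
function auditPage(page, elements) {
  const pageHost = hostOf(page.url);
  const pageSignals = parseStatus(page.status);
  const findings = [];
  for (const el of elements) {
    const signals = parseStatus(el.status);
    const foreign = hostOf(el.url) !== pageHost;
    // The page's own elements and elements marked "3" are expected.
    if (!foreign || !signals.has("1")) continue;
    findings.push({
      url: el.url,
      status: el.status,
      // "1+T" on a page claiming "N" is the case the thread singles out.
      contradictsPageClaim: pageSignals.has("N") && signals.has("T"),
    });
  }
  return findings;
}

// Constructed sample modelled on the scenario in the thread.
const samplePage = { url: "http://matthias.example/", status: "1+N" };
const sampleElements = [
  { url: "http://matthias.example/style.css", status: "1+N" },
  { url: "http://matthias.example/photo.jpg", status: "1+N" },
  { url: "http://www.google.com/images/logo.gif", status: "1+T" },
  { url: "http://widgets.example/share.js", status: "3+N" }, // constructed "3" element
];

console.log(auditPage(samplePage, sampleElements));
```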