Re: tracking-ISSUE-266: automatic expiration of a tracking preference exception via API parameter [TPE Last Call] from David Singer on 2014-10-14 (public-tracking@w3.org from October 2014)

From: David Singer <singer@apple.com>
Date: Tue, 14 Oct 2014 10:57:45 -0700
To: Mike O'Neill <michael.oneill@baycloud.com>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Nicholas Doty <npdoty@w3.org>, Tracking Protection Working Group <public-tracking@w3.org>
Message-Id: <2B37CE17-45C8-4951-8688-3656D34A6D02@apple.com>

On Oct 11, 2014, at 5:46 , Mike O'Neill <michael.oneill@baycloud.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
>> True, but the question of “how do I expire a UGE?” came up, and *one* way to
>> do it is to use a cookie.  I think it may work acceptably well for some or many.
> 
> Hardly anyone will do that, it is too complicated.
> 
>> 
>> Somehow we’ve got from “can I use a cookie as the timer to help me expire a
>> UGE?” to “can I rely on a cookie to record a UGE?”. The answer to the first is
>> yes, if you like.  But it doesn’t give you the right to ignore the DNT header and
>> treat the cookie as definitive.
>> 
>> If the DNT header comes as zero, and the cookie doesn’t arrive, then you
>> eyebrows go up and you probably re-confirm the exception and re-set the
>> cookie.
> 
> You cannot re-confirm unless the resource returns  html, and sometimes not even then.

But Mike, think of the two cases.

1) Site-wide.  The first party that requested it *is* the site the user visited.  No problem here.

2) Web-wide.  True, if all you load is a tracking pixel or other non-scripted resource, you cannot confirm the exception. But if the user never visits your main site, *should* you be maintaining or reconfirming the exception?

> In my use case re-conformation is impossible. DNT will always be zero (because it will not be cancelled) , and the cookie is not there either a) it has expired or b) it was purged or c) it was never placed (the DNT:0 signalled a general preference).

OK, so it’s true that if you use cookies to expire, and a DNT:0 is received without the cookie, you cannot tell if that’s because the cookie has expired (so DNT:0 is now questionable) or because the user has set a DNT:0 general preference.  And setting another cookie that has a different expiry doesn’t solve it, either, because if the user deletes cookies, you’ll lose that as well.

This *is* a problem.

> This is why it is hard to get software that relies on non-atomic states to work, and hardly anybody will try.

So the question is whether the exception-expiry is a necessary part of the API.  I guess we need WG consensus.

David Singer
Manager, Software Standards, Apple Inc.

Received on Tuesday, 14 October 2014 17:58:21 UTC