RE: tracking-ISSUE-260: method for validating DNT signal from user [TPE Last Call]

Hi David,

I just meant if an intermediary (e.g. a browser extension or a router) can insert DNT:1 in the request headers, it can also edit the cookie: header. UA state is mostly conveyed in the cookies, so it is possible to amend state, and so stop the vast majority of tracking. If it is possible to do that there is no point in worrying about someone illicitly inserting DNT:1. If it was to stop tracking it could just do that anyway.

Mike

> -----Original Message-----
> From: David (Standards) Singer [mailto:singer@apple.com]
> Sent: 23 September 2014 19:52
> To: Mike O'Neill
> Cc: Roy T. Fielding; Tracking Protection Working Group
> Subject: Re: tracking-ISSUE-260: method for validating DNT signal from user
> [TPE Last Call]
> 
> 
> On Sep 23, 2014, at 10:11 , Mike O'Neill <michael.oneill@baycloud.com> wrote:
> 
> > 3) It could have been inserted by an intermediary.
> >
> > Nothing can be done about that, other than requiring DNT to reflect the user's
> preference.
> >
> > If an intermediary can edit the outgoing packets it can change any header,
> including the cookies. It would be just as easy to insert properly formatted opt-
> out cookies to be sent to all servers, so NAI/IAB self-regulation has the same
> problem. In fact most tracking could be stopped just by an intermediary
> selectively removing cookies.
> 
> Actually, intermediaries cannot easily affect the Javascript property (or more
> precisely, change what enquiries of the JS property appear to return), so it’s
> fairly easy to check the header if you are suspicious.
> 
> 
> David Singer
> Manager, Software Standards, Apple Inc.
> 


Received on Tuesday, 23 September 2014 19:42:02 UTC
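
The check described in the quoted reply, comparing the DNT request header with the JavaScript property, sketched as an added example that is not part of the thread or of any participant's code. It assumes a first-party script has read `navigator.doNotTrack` and reported the value back to the server; the function names and the sample observations are hypothetical and constructed.

```javascript
"use strict";
// Added example (hypothetical names). Assumption: a first-party script read
// navigator.doNotTrack and sent the value back alongside the request.

// Reduce a DNT header value or a reported property value to "1", "0" or null.
function normalizeDnt(value) {
  if (value === undefined || value === null) return null;
  const v = String(value).trim().toLowerCase();
  if (v === "yes") return "1"; // legacy value returned by some older browsers
  if (v === "no") return "0";  // legacy value returned by some older browsers
  // The header may carry extension characters after the leading digit.
  if (v[0] === "1" || v[0] === "0") return v[0];
  return null;                 // "", "unspecified" or unrecognised
}

// Compare what arrived on the wire with what the page's script observed.
// A mismatch is a signal to investigate, not proof of tampering: a user
// agent may send the header without implementing the property.
function checkDntConsistency(headerValue, reportedJsValue) {
  const header = normalizeDnt(headerValue);
  const script = normalizeDnt(reportedJsValue);
  if (header === script) return { verdict: "consistent", header, script };
  if (script === null) return { verdict: "header-without-property", header, script };
  if (header === null) return { verdict: "property-without-header", header, script };
  return { verdict: "conflict", header, script };
}

// Constructed observations: { header: DNT header as received, js: reported property }.
const SAMPLES = [
  { header: "1", js: "1" },            // UA sent DNT:1 and the property agrees
  { header: "1", js: "unspecified" },  // header present, UA reports no preference
  { header: undefined, js: "1" },      // preference set in UA, header missing on arrival
  { header: "0", js: "yes" },          // both set, but they disagree
];

function auditSamples() {
  return SAMPLES.map((s) => checkDntConsistency(s.header, s.js).verdict);
}

console.log(auditSamples());
```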