W3C home > Mailing lists > Public > public-tracking@w3.org > August 2017

Proposed Resolution / Consensus for Monday's call.

From: Matthias Schunter (Intel Corporation) <mts-std@schunter.org>
Date: Fri, 25 Aug 2017 16:30:35 +0200
To: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <434f25fb-029a-694c-643a-71a70b9086f4@schunter.org>
Dear TPWG,


I had a quick chat with Mike. Our proposal is to:
 (a) rollback the editors draft to our original consensus
 (b) suggest to add an implementation recommendation that helps
mitigating the fingerprinting risk: By limiting the number of
site-specific UGE that a domain can store, we also limit the capability
to fingerprint.

Below are more detailed notes.

Any comments and feedback are welcome!

Note that we are aware that anyone (including sub-resources) can store
web-wide exceptions. I suggest to see how the adoption evolves and then
browsers can determine whether additional checks and balances may be needed.


Regards,
matthias


------------------8<---

Original (still valid) consensus:
- 1st party and third parties
	- can ask for web-wide and site-specific UGE
	- both for the script origin only

Current editors draft:
- 1st party
	- can ask for web-wide and targeted UGE
	- both for the script origin only
- third parties
	- can ask (only) for site-specific UGE
	- web-wide is not allowed

Shortcomings of the current draft:
- site-specific UGE poses fingerprinting risk (Mike)
- web-wide for sub-element are needed for
  consent portal (Shane)

Proposed modifications of the editors draft:
- Back to original consensus (to address Shane's usage)
	- 1st party and third parties
		- can ask for web-wide and site-specific UGE
		- both for the script origin only
- Mitigate fingerprinting risk by NOTE that suggests
     that browsers may limit the number of stored site-specific
     exceptions per top-level domain.

Assessment of proposed consensus:
+ A compliance portal (e.g. google) can now register web-wide UGE for
same party domains (e.g. youtube).
+ The limited number of site-specific user-granted exceptions can
minimize fingerprinting risk
- If web-wide user-granted exceptions are mis-used, additional checks
and balances may be needed in the future.
Received on Friday, 25 August 2017 14:31:04 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:39 UTC