Re: Proposed Resolution / Consensus for Monday's call.

Thank you so much!  If it helps with the "misuse concern" on sub-resource
web-wide exceptions we can also store the top origin domain with the
web-wide domain call.  This would provide regulators and publishers a trail
to follow back to the location of where the web-wide exception had been
registered.

- Shane

On Fri, Aug 25, 2017 at 7:30 AM, Matthias Schunter (Intel Corporation) <
mts-std@schunter.org> wrote:

> Dear TPWG,
>
>
> I had a quick chat with Mike. Our proposal is to:
>  (a) rollback the editors draft to our original consensus
>  (b) suggest to add an implementation recommendation that helps
> mitigating the fingerprinting risk: By limiting the number of
> site-specific UGE that a domain can store, we also limit the capability
> to fingerprint.
>
> Below are more detailed notes.
>
> Any comments and feedback are welcome!
>
> Note that we are aware that anyone (including sub-resources) can store
> web-wide exceptions. I suggest to see how the adoption evolves and then
> browsers can determine whether additional checks and balances may be
> needed.
>
>
> Regards,
> matthias
>
>
> ------------------8<---
>
> Original (still valid) consensus:
> - 1st party and third parties
>         - can ask for web-wide and site-specific UGE
>         - both for the script origin only
>
> Current editors draft:
> - 1st party
>         - can ask for web-wide and targeted UGE
>         - both for the script origin only
> - third parties
>         - can ask (only) for site-specific UGE
>         - web-wide is not allowed
>
> Shortcomings of the current draft:
> - site-specific UGE poses fingerprinting risk (Mike)
> - web-wide for sub-element are needed for
>   consent portal (Shane)
>
> Proposed modifications of the editors draft:
> - Back to original consensus (to address Shane's usage)
>         - 1st party and third parties
>                 - can ask for web-wide and site-specific UGE
>                 - both for the script origin only
> - Mitigate fingerprinting risk by NOTE that suggests
>      that browsers may limit the number of stored site-specific
>      exceptions per top-level domain.
>
> Assessment of proposed consensus:
> + A compliance portal (e.g. google) can now register web-wide UGE for
> same party domains (e.g. youtube).
> + The limited number of site-specific user-granted exceptions can
> minimize fingerprinting risk
> - If web-wide user-granted exceptions are mis-used, additional checks
> and balances may be needed in the future.
>
>


-- 
- Shane

Shane Wiley
VP, Privacy
Oath: A Verizon Company

Received on Friday, 25 August 2017 15:50:14 UTC