- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Wed, 1 Feb 2017 00:51:25 -0000
- To: "'Roy T. Fielding'" <fielding@gbiv.com>, <public-tracking@w3.org>
- Message-ID: <04d501d27c25$515a1ce0$f40e56a0$@baycloud.com>
Hi Roy,

On the hosting issue, it is not trivial on some hosting sites and in any case it needs to be dynamic. If a site has consent for tracking (presumably the state is encoded in a cookie) it must respond to that user with Tk: C. There would have to be an API, not just a static config setting, and maybe this is supported on some hosting sites, but by no means all.

I know for a fact that this is difficult for many first-party sites, and not just WordPress ones. Major multi-brand companies find this logistically difficult now, as I have explained many times. As DNT becomes more supported this will be less so, but for now we have a transition issue.

It is also wrong to assume users are only concerned with the “tracking policies of embedded third-party resources linked to by [first-party]” sites. Most users do not understand the vagaries of HTTP or HTML embedded resources; they simply do not want to be tracked across the web. We know that most tracking is enabled by embedded sub-resources, but not all. Some first-party sites share cross-domain identifiers, e.g. derived from browser fingerprinting, mediacapture device ids, first-party cookies with universally managed UIDs, and a host of other ways.

In any case it is the responsibility of first-party sites in Europe to act if consent has not been established. It is the first-party sites that insert the iframes, images and externally supplied JavaScript. If they cannot rely on third parties to respect DNT (which is the case at present) then they must enforce it for their users with tag management or other procedures, and if the API is not there they have to use the response header to indicate OOBC.

I agree the response header is the preferred mechanism, but if it is not available to many sites it would be wrong of us to refuse them the capability to comply with DNT.

Mike

From: Roy T. Fielding [mailto:fielding@gbiv.com]
Sent: 31 January 2017 20:17
To: public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org) <public-tracking@w3.org>
Subject: Re: Supporting TPE on sites/subdomains where a user does not have control of the server (ISSUE 15, ISSUE 10)

[To avoid repeating the same thing multiple times, I'll just repost this as a public response ...]

It is trivial for any hosting environment to set a header field. E.g.,

http://httpd.apache.org/docs/current/mod/mod_headers.html#header

Of course, content owners without admin rights are not normally given direct access to the httpd config. Instead, they are given fixed configuration options (a checkbox or few) in some sort of admin panel which is then translated to some httpd config in the backend. Complexity of Tk is going to be a function of how much variability of tracking is allowed on the server as a whole. In any case, it is no more complex than the existing per-site or per-user configurations supported by products like CPanel (https://cpanel.com/demo/) or wp-admin:

https://en.support.wordpress.com/settings/privacy-settings/
https://en.support.wordpress.com/category/embedding-content/
https://en.support.wordpress.com/google-plus-embeds/

Note the last two links above. The Tk value will only be accurate if it is set by an administrator fully aware of the entire server's behavior, which means some sort of programmatic summation of the content owner's intended content and configuration.

Regardless, this entire discussion is misplaced. Users are NOT interested, for the most part, in the tracking policies of a first-party (HTML) site. They are interested in the tracking policies of embedded third-party resources linked to by that site. We need Tk to be present on web beacons and ads, which means images, JavaScript, and maybe the occasional CSS response. Making Tk available only for HTML files is almost completely irrelevant to TPE, particularly after the HTML has been requested.

All of this was taken into consideration when the present TPE mechanisms were defined. In order to justify a change in TPE, we should expect at least some new information to be presented to question a prior consensus.

Cheers,

Roy T. Fielding <http://roy.gbiv.com/>
Senior Principal Scientist, Adobe <https://www.adobe.com/>
Received on Wednesday, 1 February 2017 00:52:36 UTC
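
The per-user Tk response discussed in this thread, sketched as WSGI middleware. This is an added example, not code from either message or from the TPE specification. The cookie name `dnt_consent`, its value `1`, and the policy mapping are assumptions; the `N` and `T` values come from the TPE tracking status definitions, while only `C` is named in the thread.

```python
from http.cookies import SimpleCookie, CookieError

# Hypothetical cookie name and value; the thread only says consent state
# is "presumably" encoded in a cookie.
CONSENT_COOKIE = "dnt_consent"


def has_consent(cookie_header):
    """True if the request carries the (assumed) stored-consent cookie."""
    try:
        cookies = SimpleCookie(cookie_header or "")
    except CookieError:
        return False  # unparseable Cookie header: treat as no consent
    morsel = cookies.get(CONSENT_COOKIE)
    return morsel is not None and morsel.value == "1"


def tk_value(environ):
    """Choose the Tk tracking status value for one request.

    Assumed site policy: stored consent -> C; DNT:1 without consent -> N
    (the site must then really not track); anything else -> T.
    """
    if has_consent(environ.get("HTTP_COOKIE")):
        return "C"
    if environ.get("HTTP_DNT") == "1":
        return "N"
    return "T"


class TkMiddleware:
    """WSGI wrapper that sets Tk per request instead of per server."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        tk = tk_value(environ)

        def start(status, headers, exc_info=None):
            # Drop any static Tk the app or front end already set.
            headers = [(k, v) for k, v in headers if k.lower() != "tk"]
            headers.append(("Tk", tk))
            # The value depends on these request headers, so shared caches
            # must not reuse one user's response for another.
            headers.append(("Vary", "DNT, Cookie"))
            return start_response(status, headers, exc_info)

        return self.app(environ, start)
```

A static `Header set Tk ...` line in the server config cannot make this per-request decision, which is the gap the first message points at for hosts that expose only fixed settings.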