Re: Are we in agreement? from Matthias Schunter (Intel Corporation) on 2017-05-03 (public-tracking@w3.org from May 2017)

From: Matthias Schunter (Intel Corporation) <mts-std@schunter.org>
Date: Wed, 3 May 2017 19:38:23 +0200
To: David Singer <singer@mac.com>
Cc: public-tracking@w3.org
Message-ID: <df6d169f-f8e3-fee5-0753-27931ba73fe6@schunter.org>

Hi David,


thanks for digging this out - good that you know the spec inside out!

As a consequence, I now realize that we indeed have an agreement (as
documented in the spec). It just was not the agreement I remembered.

At this point of view, I believe we should let this agreement stand
unaltered, i.e., exceptions are all-or-nothing. As David pointed out,
this relates to a closed issue.

Sorry for the confusion that I may have caused.


Regards,
matthias

On 03.05.2017 18:48, David Singer wrote:
> 
>> On May 3, 2017, at 1:34 , Matthias Schunter (Intel Corporation) <mts-std@schunter.org> wrote:
>>
>> Hi David,
>>
>>
>> thanks a lot for your input! This is exactly the discussion I wanted to
>> trigger to ensure that we are all on the same page and potential
>> ambiguities of the spec are minimzed ;-)!
>>
>> I double checked and Section 7 indicates that the user has the final say
>> and can edit/revoke/delete exceptions. My personal interpretation was
>> that this also means that I as a user can decide to partially honor an
>> exception by e.g. blacklisting a site.
> 
> explicitly disallowed in the current spec.:
> 
> "User-agents must handle each API request as a 'unit', granting and maintaining it in its entirety, or not at all. That means that a user agent must not indicate to a site that a request for targets {a, b, c} exists in the database, and later remove only one or two of {a, b, c} from its logical database of remembered grants. This assures sites that the set of sites they need for operational integrity is treated as a unit. Each separate call to an API is a separate unit."
> 
>> You make a valid point for an "all-or-nothing" approach to exceptions
>> which makes sense for publishers and is also easier to handle. Currently
>> IMHO the spec is not clear about this (since the user has the final say).
> 
> I beg to differ (quoting the sentence above).
> 
>>
>> A consequence of this approach (to the other discussion threat) is that
>> there is no sense reporting back detailed subsets of sites that were
>> blocked: Either you complied with the site-wide exception or you did not.
>>
>> IMHO both aspects should be aligned:
>> - If users can only choose all-or-nothing for a site-wide exception
>> - Then publishers should only get all-or-nothing feedback
>>
>>
>> Do others have a opinion to what extent a user is permitted to interfere
>> with exceptions? If it is all-or-nothing:
>> - You usually can no longer blacklist a third party globally
>>  (I never want to be tracked by nasty-tracker.com)
>> - You cannot constrain a web-wide exception (e.g. facebook
>>  is not allowed to track me on medical sites).
>> If you have those desires and exceptions are all-or-nothing, you need to
>> reject most exceptions to be honest to your publisher (even if they are
>> likely to be fine).
> 
> Dave Singer
> 
> singer@mac.com
>

Received on Wednesday, 3 May 2017 17:38:55 UTC