Issues for Monday Call / Attempt at summarizing our discussion

Hi Folks,


fyi: The list of issues for this release
https://github.com/w3c/dnt/issues?q=is%3Aopen+is%3Aissue+milestone%3ATPE-CR-April-2017

The following issues are still under discussion: 13, 22, 9

For 13, Mike will propose text.
- We need to discuss the lifetime of a DNT;0 (see David's email)

For 09, Walter will provide example use cases that currently cannot be
resolved with our spec.

For 22, the discussion seems to be converging. Let me summarize what I learned
from reading the emails ;-)

What I learned:
1. Exceptions are all or nothing (thanks to David!)
2. One use case is that iff other-parties are listed, then all third
   parties that are not in otherParties should be blocked (to ensure
   that only compliant partners participate).
3. This is independent of user-granted exceptions.
4. Users should always be able to withdraw consent for an exception
   by e.g. deleting it (but again in an all-or-nothing way)

What I think I understand:
- use case 2 ensures non-tracking by (untrusted) non-partners
  (:=url not listed in TSR) and is independent of exceptions.
  I.e. blocking non-partners may be useful even if you do not
  have an exception (i.e. partners will receive DNT;1 while
  non-partners will be blocked)
- Exceptions should ensure (a) that DNT;0 is sent and
  (b) that the third party is loaded.
- For use case 2, the publisher wants to obtain a list of
  non-partners appearing on their site (for debugging)
  [Mike proposed an API]
- For use case 2, the presence of otherParties signals that everything
  else should be blocked (i.e. this is the one and only purpose of this
  field).

I feel we can reach consensus along those lines:
- We introduce otherParties that will trigger blocking of unknown third
  parties.
- We introduce JS that allows a publisher to retrieve the sites that
  were blocked. (I finally realized that there is no fingerprinting
  risk since the list of blocked sites should not depend on the UA
  at all ...)

What we could discuss is the interplay between blocking/otherParties and
my suggestion that exceptions "force" loading of a third party.
The question is whether a specific exception allows a third party to
load even if it is not in otherParties. Examples:
A - In the scenario above, should a non-partner be loaded if it has a
  web-wide exception (i.e. does the desire of the publisher not to allow
  unknown third parties or the desire of mywidget to be useful web-wide
  prevail)? (I would assume the latter)
B - If a publisher lists a third party in a site-specific exception
  but not in otherParties, should it be loaded?


Any other input/feedback is welcome!


Regards,
matthias

Received on Thursday, 4 May 2017 06:58:32 UTC