- From: Matthias Schunter (Intel Corporation) <mts-std@schunter.org>
- Date: Fri, 5 May 2017 09:43:22 +0200
- To: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Hi Folks, I would like to elaborate why I changed my mind and why I now believe that the fingerprinting risk has been mitigated ;-) MY PAST MISUNDERSTANDING - I assumed that users can do fine-grained choosing what subset of an exception to accept and what to block - The subset of blacklisted domains could be fairly individual - Reporting back the list of blocked domains (the intersection between the used third parties and the blacklist of a user) would be very individual too - As a consequence, reporting back this list would identify individual users MY CURRENT THINKING - Exceptions are all-or-nothing and sites may publish a list of known third parties - None of the domains listed shall be blocked - All the domains not listed shall be blocked and returned - The list of domains that are blocked almost only depend on the site (i.e. what stuff it is including) and not on user specifics. - As a consequence, the list of blocked sites should not allow identifying users. [The only exception could be cases where the unknown sites loaded depend on the user; e.g. an ad auction that pulls in unknown sites based on user cookies. I hope that those are rare corner cases.] Regards, matthias
Received on Friday, 5 May 2017 07:43:53 UTC