RE: fyi: Fingerprinting risk

I understand that when a user is visiting a site, site-wide consent (initiated by the publisher) is Exceptions are all-or-nothing, based on the current TPE text (i.e., site-wide exception).

Two questions come to my mind when I turn the perspective to the 3rd parties. 
- Are there any third parties left not listed in OtherParties of SameParty that do not have OOBC consent and are not being blocked by the browser?
- If so, these 3rd parties could ask for a user-granted exception through the API and the exception would only apply to that specific 3rd party, right? (i.e., site-specific user-granted exception)

Rob 

-----Original message-----
From: David Singer
Sent: Friday, May 5 2017, 7:17 pm
To: Matthias Schunter (Intel Corporation)
Cc: public-tracking@w3.org (public-tracking@w3.org)
Subject: Re: fyi: Fingerprinting risk



> On May 5, 2017, at 0:43, Matthias Schunter (Intel Corporation) <mts-std@schunter.org> wrote:
> 
> Hi Folks,
> 
> I would like to elaborate why I changed my mind and why I now believe
> that the fingerprinting risk has been mitigated ;-)
> 
> MY PAST MISUNDERSTANDING
> - I assumed that users can do fine-grained choosing what subset of an
> exception to accept and what to block
> - The subset of blacklisted domains could be fairly individual
> - Reporting back the list of blocked domains (the intersection between
> the used third parties and the blacklist of a user) would be very
> individual too
> - As a consequence, reporting back this list would identify individual users
> 
> MY CURRENT THINKING
> - Exceptions are all-or-nothing and sites may publish a list of known
>  third parties
> - None of the domains listed shall be blocked

The DNT spec. is silent about blocking. What it talks about is what headers you send and what they mean, and indeed exceptions are granted or denied as units. 

> - All the domains not listed shall be blocked and returned
> - The list of domains that are blocked almost only depend on the
>  site (i.e. what stuff it is including) and not on user specifics.
> - As a consequence, the list of blocked sites should not allow
>  identifying users.
> 
> [The only exception could be cases where the unknown sites loaded depend
> on the user; e.g. an ad auction that pulls in unknown sites based on
> user cookies. I hope that those are rare corner cases.]
> 
> Regards,
> matthias
> 
> 
> 

Dave Singer

singer@mac.com

Received on Friday, 5 May 2017 17:41:37 UTC