- From: David Singer <singer@apple.com>
- Date: Fri, 05 May 2017 14:28:36 -0700
- To: Rob van Eijk <rob@blaeu.com>
- Cc: "Matthias Schunter (Intel Corporation)" <mts-std@schunter.org>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
> On May 5, 2017, at 10:41 , Rob van Eijk <rob@blaeu.com> wrote:
>
> I understand that when a user is visiting a site, site-wide consent (initiated by the publisher) is Exceptions are all-or-nothing, based on the current TPE text (i.e., site-wide exception)..
>
> Two questions come to my mind when I turn the perspective to the 3rd parties.
> - If there any third parties left not listed in OtherParties of SameParty that do not have OOBC consent and are not being blocked by the browser?
> - If so, these 3rd parties could ask a user-granted exception through the API and the exception would only apply to that specific 3rd party, right? (i.e., site-specific user granted exception)

I think any site from which scripts are pulled can then ask for exception; it doesn’t have to be top-level. So if the top-level pulls in scripts etc. from site B, site B can run a script that asks for an exception for it.

I don’t think DNT has opened the can of worms of blocking, and I’m not sure I am ready to deal with all those worms just yet

> Rob
>
> -----Original message-----
> From: David Singer
> Sent: Friday, May 5 2017, 7:17 pm
> To: Matthias Schunter (Intel Corporation)
> Cc: public-tracking@w3.org (public-tracking@w3.org)
> Subject: Re: fyi: Fingerprinting risk
>
> > On May 5, 2017, at 0:43 , Matthias Schunter (Intel Corporation) <mts-std@schunter.org> wrote:
> >
> > Hi Folks,
> >
> > I would like to elaborate why I changed my mind and why I now believe
> > that the fingerprinting risk has been mitigated ;-)
> >
> > MY PAST MISUNDERSTANDING
> > - I assumed that users can do fine-grained choosing what subset of an
> > exception to accept and what to block
> > - The subset of blacklisted domains could be fairly individual
> > - Reporting back the list of blocked domains (the intersection between
> > the used third parties and the blacklist of a user) would be very
> > individual too
> > - As a consequence, reporting back this list would identify individual users
> >
> > MY CURRENT THINKING
> > - Exceptions are all-or-nothing and sites may publish a list of known
> > third parties
> > - None of the domains listed shall be blocked
>
> The DNT spec. is silent about blocking. What it talks about is what headers you send and what they mean, and indeed exceptions are granted or denied as units.
>
> > - All the domains not listed shall be blocked and returned
> > - The list of domains that are blocked almost only depend on the
> > site (i.e. what stuff it is including) and not on user specifics.
> > - As a consequence, the list of blocked sites should not allow
> > identifying users.
> >
> > [The only exception could be cases where the unknown sites loaded depend
> > on the user; e.g. an ad auction that pulls in unknown sites based on
> > user cookies. I hope that those are rare corner cases.]
> >
> > Regards,
> > matthias
>
> Dave Singer
> singer@mac.com

David Singer
Manager, Software Standards, Apple Inc.
Received on Friday, 5 May 2017 21:29:10 UTC