RE: fyi: Fingerprinting risk from Rob van Eijk on 2017-05-06 (public-tracking@w3.org from May 2017)

From: Rob van Eijk <rob@blaeu.com>
Date: Sat, 6 May 2017 07:10:46 +0000
To: Mike O'Neill <michael.oneill@baycloud.com>, singer@apple.com <singer@apple.com>
Cc: 'Matthias Schunter (Intel Corporation)' <mts-std@schunter.org>, public-tracking@w3.org <public-tracking@w3.org>
Message-ID: <0102015bdc98b3bd-c5397977-88bd-443d-aa97-328cc29e20b1-000000@eu-west-1.amazonse>
Google positions itself as a data processor for its analytics product. However, this does not come by default. The controller responsible for the cookie and the third-party tracking has the option to sign a processor agreement with Google in the GA-interface. To meet the status of processor, DPA's require controllers to take additional privacy friendly measures. For instance, the controller can restrict the use of analytics data for his own purposes and tell Google not to use the data for its own purposes. There are a few more actions a controller can take to minimize the impact on the privacy of the user, such as, making sure the script includes "ga('set', 'forceSSL', true);" and "ga('set', 'anonymizeIp', true);". Some DPA's have provided guidance, e.g., the writeup (in Dutch) here: https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/handleiding_privacyvriendelijk_instellen_google_analytics_0.pdf

I believe, when the controller has met the privacy friendly conditions that Google is offering today, www.google-analytics.com SHOULD go under SameParty. If the conditions have not been met, www.google-analytics.com MAY be listed under OtherParties or else it SHOULD be blocked by the browser.

Rob



-----Original message-----
From: Mike O'Neill
Sent: Saturday, May 6 2017, 8:27 am
To: singer@apple.com; Rob van Eijk
Cc: 'Matthias Schunter (Intel Corporation)'; public-tracking@w3.org
Subject: RE: fyi: Fingerprinting risk


Script can always be loaded into a browsing context from another origin, as can an image or other resource (not html though). Once it is loaded it can execute any API, and so it can call the Exception API.

But the document origin and the script origin will be the origin of the browsing context it is running in, not the origin it was loaded from.  It does not matter at all to the operation of the script which domain the it was loaded from.

This obvious example is Google Analytics. A top-level context example.com includes a script tag with a src attribute "//www.google-analytics.com/analytics.js <http://www.google-analytics.com/analytics.js> ". The script analytics.js is executed in the example.com origin.

The script dynamically creates an image whose src attribute also points to google-analytics.com (with a complicated path component that incorporates the UID from a cookie stored in example.com), which results in an embedded tracking request to be set to the www.google-analytics.com <http://www.google-analytics.com>  domain. 

The controller responsible for the cookie and the third-party tracking is the one for example.com. They might be unaware of what is going on, but their action of loading the script resource initiated it.




-----Original Message-----
From: singer@apple.com <mailto:singer@apple.com>  [mailto:singer@apple.com <mailto:singer@apple.com> ] 
Sent: 05 May 2017 22:29
To: Rob van Eijk <rob@blaeu.com <mailto:rob@blaeu.com> >
Cc: Matthias Schunter (Intel Corporation) <mts-std@schunter.org <mailto:mts-std@schunter.org> >; public-tracking@w3.org <mailto:public-tracking@w3.org>  (public-tracking@w3.org <mailto:public-tracking@w3.org> ) <public-tracking@w3.org <mailto:public-tracking@w3.org> >
Subject: Re: fyi: Fingerprinting risk


> On May 5, 2017, at 10:41 , Rob van Eijk <rob@blaeu.com <mailto:rob@blaeu.com> > wrote:
> 
> 
> I understand that when a user is visiting a site, site-wide consent (initiated by the publisher) is Exceptions are all-or-nothing, based on the current TPE text (i.e., site-wide exception).. 
> 
> Two questions come to my mind when I turn the perspective to the 3rd parties. 
> - If there any third parties left not listed in OtherParties of SameParty that do not have OOBC consent and are not being blocked by the browser? 
> - If so, these 3rd parties could ask a user-granted exception through the API and he exception would only apply to that specific 3rd party, right? (i.e., site-specific user granted exception)

I think any site from which scripts are pulled can then ask for exception; it doesn’t have to be top-level. So if the top-level pulls in scripts etc. from site B, site B can run a script that asks for an exception for it.

I don’t think DNT has opened the can of worms of blocking, and I’m not sure I am ready to deal with all those worms just yet

> 
> Rob 
> 
> -----Original message-----
> From: David Singer
> Sent: Friday, May 5 2017, 7:17 pm
> To: Matthias Schunter (Intel Corporation)
> Cc: public-tracking@w3.org <mailto:public-tracking@w3.org>  (public-tracking@w3.org <mailto:public-tracking@w3.org> )
> Subject: Re: fyi: Fingerprinting risk
> 
> 
> > On May 5, 2017, at 0:43 , Matthias Schunter (Intel Corporation) <mts-std@schunter.org <mailto:mts-std@schunter.org> > wrote:
> > 
> > Hi Folks,
> > 
> > I would like to elaborate why I changed my mind and why I now believe
> > that the fingerprinting risk has been mitigated ;-)
> > 
> > MY PAST MISUNDERSTANDING
> > - I assumed that users can do fine-grained choosing what subset of an
> > exception to accept and what to block
> > - The subset of blacklisted domains could be fairly individual
> > - Reporting back the list of blocked domains (the intersection between
> > the used third parties and the blacklist of a user) would be very
> > individual too
> > - As a consequence, reporting back this list would identify individual users
> > 
> > MY CURRENT THINKING
> > - Exceptions are all-or-nothing and sites may publish a list of known
> >  third parties
> > - None of the domains listed shall be blocked
> 
> The DNT spec. is silent about blocking. What it talks about is what headers you send and what they mean, and indeed exceptions are granted or denied as units. 
> 
> > - All the domains not listed shall be blocked and returned
> > - The list of domains that are blocked almost only depend on the
> >  site (i.e. what stuff it is including) and not on user specifics.
> > - As a consequence, the list of blocked sites should not allow
> >  identifying users.
> > 
> > [The only exception could be cases where the unknown sites loaded depend
> > on the user; e.g. an ad auction that pulls in unknown sites based on

> > user cookies. I hope that those are rare corner cases.]
> > 
> > Regards,
> > matthias
> > 
> > 
> > 
> 
> Dave Singer
> 
> singer@mac.com <mailto:singer@mac.com> 
> 
> 

David Singer
Manager, Software Standards, Apple Inc.
Received on Saturday, 6 May 2017 07:11:25 UTC