- From: Matthias Schunter (Intel Corporation) <mts-std@schunter.org>
- Date: Sun, 7 May 2017 22:28:27 +0200
- To: David Singer <singer@apple.com>, Rob van Eijk <rob@blaeu.com>
- Cc: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Hi David, I agree that this is a potential can of worms. Background: Shane proposed that a publisher can list all known/expected third parties in an other-party field. He also suggested that the publisher can request that other third parties are blocked. Since this blocking is triggered by the publisher himself, it may be less controversial. The basic idea is that it helps the publisher to ensure that only compliant third parties are loaded. On the downside, it would allow the publisher to constrain the business of third parties that the publisher uses. An alternative could be to indeed only talk about DNT;0/1. In such a version (with no explicit blocking), the outcome would look as follows: 1. other-parties declares a list of third party 2. A site-wide exception triggers sending DNT;0 to those listed third parties (all unlisted third parties continue to receive DNT;1) 3. The publisher can use a JS API to ask "what additional third parties occured on the site". This whole scenario would not use blocking. I guess it is up to shane to decide whether a non-blocking version satisfies his requirements or not. Regards, matthias On 05.05.2017 23:28, David Singer wrote: > >> On May 5, 2017, at 10:41 , Rob van Eijk <rob@blaeu.com> wrote: >> >> >> I understand that when a user is visiting a site, site-wide consent (initiated by the publisher) is Exceptions are all-or-nothing, based on the current TPE text (i.e., site-wide exception).. >> >> Two questions come to my mind when I turn the perspective to the 3rd parties. >> - If there any third parties left not listed in OtherParties of SameParty that do not have OOBC consent and are not being blocked by the browser? >> - If so, these 3rd parties could ask a user-granted exception through the API and he exception would only apply to that specific 3rd party, right? (i.e., site-specific user granted exception) > > I think any site from which scripts are pulled can then ask for exception; it doesn’t have to be top-level. So if the top-level pulls in scripts etc. from site B, site B can run a script that asks for an exception for it. > > I don’t think DNT has opened the can of worms of blocking, and I’m not sure I am ready to deal with all those worms just yet > >> >> Rob >> >> -----Original message----- >> From: David Singer >> Sent: Friday, May 5 2017, 7:17 pm >> To: Matthias Schunter (Intel Corporation) >> Cc: public-tracking@w3.org (public-tracking@w3.org) >> Subject: Re: fyi: Fingerprinting risk >> >> >>> On May 5, 2017, at 0:43 , Matthias Schunter (Intel Corporation) <mts-std@schunter.org> wrote: >>> >>> Hi Folks, >>> >>> I would like to elaborate why I changed my mind and why I now believe >>> that the fingerprinting risk has been mitigated ;-) >>> >>> MY PAST MISUNDERSTANDING >>> - I assumed that users can do fine-grained choosing what subset of an >>> exception to accept and what to block >>> - The subset of blacklisted domains could be fairly individual >>> - Reporting back the list of blocked domains (the intersection between >>> the used third parties and the blacklist of a user) would be very >>> individual too >>> - As a consequence, reporting back this list would identify individual users >>> >>> MY CURRENT THINKING >>> - Exceptions are all-or-nothing and sites may publish a list of known >>> third parties >>> - None of the domains listed shall be blocked >> >> The DNT spec. is silent about blocking. What it talks about is what headers you send and what they mean, and indeed exceptions are granted or denied as units. >> >>> - All the domains not listed shall be blocked and returned >>> - The list of domains that are blocked almost only depend on the >>> site (i.e. what stuff it is including) and not on user specifics. >>> - As a consequence, the list of blocked sites should not allow >>> identifying users. >>> >>> [The only exception could be cases where the unknown sites loaded depend >>> on the user; e.g. an ad auction that pulls in unknown sites based on >>> user cookies. I hope that those are rare corner cases.] >>> >>> Regards, >>> matthias >>> >>> >>> >> >> Dave Singer >> >> singer@mac.com >> >> > > David Singer > Manager, Software Standards, Apple Inc. >
Received on Sunday, 7 May 2017 20:29:46 UTC