Re: [w3c/dnt] Add more meta data in the Tracking Status Resource (#22)

Hi David,


thanks a lot for your input.

I agree that the API would not be needed in the current spec since it
only reports behavior that should not exist (i.e. the returned set
should always be empty).

I also agree that a user would not pick and choose individual
cookies/domains to block.

However, I would not be surprised if certain tools will automate this on
behalf of the users: E.g. McAfee has a safe browsing plugin that blocks
certain domains that are deemed untrustworthy (distributors of malware;
malicious ads, ...). Similarly, users may choose to install privacy
tools that help mitigate certain perceived privacy risks (like Privacy
Badger). Similarly, users may allow/disallow trackers based on
categories (see email from Rob).

I would expect that this behavior will not be discontinued once TPE is
moving to REC.

I see two viable ways forward:
- We formally soften the all-or-nothing approach (in reality I
  expect that not all TPs get DNT:0 anyway)?
XOR
- We abandon the definition of this new API (since
  it always returns the empty set in our current model).

Any comments/feedback are welcome!

Regards,
matthias



On 12.05.2017 00:26, David Singer wrote:
> 
>> On May 11, 2017, at 9:39 , Mike O'Neill <michael.oneill@baycloud.com> wrote:
>>
>> Matthias,
>>
>> The user can already "choose to constrain an exception to a subset of third parties" if the server allows him to.  That is what the arrayOfDomainStrings parameter is for.
>>
>> At the moment, because the TPE must enforce "one out, all out", the user agent in its own UI can only allow the user to change what has been established during their interaction with the server by revoking all of them at once. It cannot allow the user to selectively change the set of third-parties once they are granted.
> 
> Agreed. I also think that the likelihood that a UA will want to offer a finer-grained UI is very small. Let’s look at cookies: Firefox allows you to delete individual cookies, but Safari only offers ‘all for a site’ and as far as I can tell, Chrome only offers ‘all cookies and other state from all sites for the past N hours’.
> 
> I also have trouble imagining how a site would ‘feel’ if it says “look, for you to get free access I need tracking for <these advertisers> and <these audit companies>”, and you say ‘ok’ but then send DNT:0 only to the audit companies.
> 
> So, I am having a hard time with finer-grained exception handling on both ends — unlikely to be used at the UA, and unlikely to make sense for sites. Why do we keep exploring it?
> 
> 
> Dave Singer
> 
> singer@mac.com
> 
> 

Received on Friday, 12 May 2017 06:49:41 UTC