RE: [w3c/dnt] Add more meta data in the Tracking Status Resource (#22) from Mike O'Neill on 2017-05-12 (public-tracking@w3.org from May 2017)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Fri, 12 May 2017 17:34:43 +0100
To: <public-tracking@w3.org>
Message-ID: <0d1b01d2cb3d$a96ef330$fc4cd990$@baycloud.com>

Yes, I think we are all talking past each other.

I think we should break this into 3 issues:

1) The reporting API. Do we need it, when would it apply, what would the WebIDL be?
2) The text for otherParties etc.
3) How do we fix the bug in the sentence about arrayOfDomainStrings

My answer to 3 is to contain the "return value" in an object that the Promise resolves to. If we don't do that then servers do not know if their specific request has been correctly handled - which they need to so they can be honest with their users.

-----Original Message-----
From: singer@apple.com [mailto:singer@apple.com] 
Sent: 12 May 2017 15:52
To: public-tracking@w3.org (public-tracking@w3.org) <public-tracking@w3.org>
Subject: Re: [w3c/dnt] Add more meta data in the Tracking Status Resource (#22)

> On May 11, 2017, at 23:48 , Mike O'Neill <michael.oneill@baycloud.com> wrote:
> 
>>> I also have trouble imagining how a site would ‘feel’ if it says “look, for you to get free access I need tracking for <these advertisers> and <these audit companies>”, and you say ‘ok’ but then send DNT:0 only to the audit companies.
> 
> People change their mind for all sorts of reasons, and it's not up to sites or us to second guess that. The rights to personal autonomy and privacy are fundamental.

Right. You can delete the exceptions that you granted, at any time, in their entirety. I am not arguing that you can’t.

> 
>>> So, I am having a hard time with finer-grained exception handling on both ends — unlikely to be used at the UA, and unlikely to make sense for sites. Why do we keep exploring it?
> 
> User control. 
> The arrayOfDomainStrings parameter has been in the TPE since 2012. It is easy to implement, I did it in Bouncer. The only weakness surrounding it is the allowance the TPE gives implementers not to bother with it, which creates the current conundrum (the bug in the definition of storeSiteSpecificTrackingException)

OK, I am not arguing against arrayOfDOMStrings; in fact, I argued in the past that a general site-wide exception was, for many sites, scarily broad, and would either lead users into denying exceptions because they were too broad (bad for sites) or allowing exceptions that were too broad (bad for users).

I was under the impression that the ‘exceptions are granted or revoked in their entirety’ rule was being questioned, and we were thinking of allowing users to pick and choose which sites in the arrayofDOMStrings would get an exception. If reporting ‘I broadened your request for a specific set of third-parties into all third parties’ is hard to report, I have to believe that reporting ‘I removed some of the requested third parties from the array’ is even worse.

People have already questioned the arrayOfDOMStrings as being too granular; a fiddled-with array is even more granular.

David Singer
Manager, Software Standards, Apple Inc.

Received on Friday, 12 May 2017 16:35:50 UTC