- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Thu, 12 Oct 2017 22:18:35 +0100
- To: "'Aleecia M. McDonald'" <aleecia@aleecia.com>, <public-tracking@w3.org>
You are right of course, but once consent is given presumably the site could use a cookie for any purpose it has clearly explained, including communicating all the other purposes in any format. Reading between the lines I think the issue is that in the future cookies may not be available to subresources, unless they use domains that users visit often as first party sites. So the requirement is to have something that escapes that restriction when the user has given consent, not an unreasonable request. We should encourage responsible companies that need or want to get user consent, and who therefore take care to clearly explain purposes, do data minimisation etc. The issue then is bad actors. If Safari (say) had a default where third-party cookie blocking/ITP was lifted when DNT was 0, then anyone could use the API to set DNT 0 (invisibly, not asking for consent), and then make free with the cookies. The Safari engineers might see this as major weakening of the user protection they worked so hard at (and respect to them for that). If instead we use the rest of the DNT header as an identifier, we could restrict the entropy, and insist on a reasonable expiry, making it far more privacy friendly. It would be useless to bad actors because it would not have enough bits to uniquely identify. Mike -----Original Message----- From: Aleecia M. McDonald [mailto:aleecia@aleecia.com] Sent: 12 October 2017 17:12 To: public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org) <public-tracking@w3.org> Subject: Re: Next 2 calls canceled (Oct 09 and Oct 16) I think I understand Shane to suggest that these data use purposes all need to be custom per-site because what site foo.com defines as “tracking for targeted ads” may not match what site bar.com defines as tracking for targeted ads. Yes? If this understanding is correct, I don’t see how DNT can support that use case in any way that leaves it at all useful to actual human users. There is no meaningful consent possible when users have to read all of the fine print every time — this becomes a sad farce. I believe the motivation for this new work stems from EU purposes as defined by law (and later case law.) If so, there should not be a tremendous amount of daylight between what site foo.com and site bar.com mean by the same terms, since they are set by law / regulation / case law. Am I missing something? Aleecia
Received on Thursday, 12 October 2017 21:19:04 UTC