Re: [w3c/manifest] Privacy Review: handle start_url tracking (#399)

> > I agree that there is a possibility for a browser to classify and treat a start_url as a tracker, but I don't feel this raises to the level of a super cookie. So, I'm not saying we shouldn't do anything here - but I don't think it's a dire situation.
> 
> We finished our crawl and I have data, @lknik. We crawled 65k+ URLs and collected 27k+ manifest files. Of those, < 2.5k included a query string in the manifest. I did a manual run-through of that list and to my eyes every instance was tracking the source for analytics purposes (e.g., `utm_source=homescreen` or similar). This is not to say that this isn’t a potential abuse vector (it is every bit as much as bookmarks are), but this does not appear to be an issue currently.

It's consistent with my tests then (only one case had a quasi-ID thing, but not for tracking).



> I’m not sure what the right answer is here, but it seems we do have some time to continue to consider different options.

I agree there's time to work it out.

> 

> Would clearing all temporary and persistent data from _their browser_ when they uninstall/reset an "app" be what users would/should expect? It seems if we go that route, we would need to include some strong language to implementors that they need to make users aware of such implications.

Yes, looks like something that needs to be written down in the spec.



-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/399#issuecomment-491049607

Received on Thursday, 9 May 2019 20:15:48 UTC