W3C home > Mailing lists > Public > www-tag@w3.org > August 2011

Re: how does host B know that its visitor is the one that visited host A?

From: Jonathan Rees <jar@creativecommons.org>
Date: Sun, 14 Aug 2011 07:36:18 -0400
Message-ID: <CACHXnaotnwAUTpM8taNTwrbKxz7uLMVAg0f72YKCY92znrObVA@mail.gmail.com>
To: Paul Libbrecht <paul@hoplahup.net>
Cc: www-tag@w3.org
On Sun, Aug 14, 2011 at 5:35 AM, Paul Libbrecht <paul@hoplahup.net> wrote:
> Jonathan,
> are you assuming the servers communicate to one another?

They are obviously communicating - otherwise the 2nd server wouldn't
show information only the 1st knows. But they do so via an
hub-and-spokes intermediary, as Alan explained. There is probably no
direct relationship between the two.

I found the behavior disconcerting because I don't expect Expedia (or
Kayak or whoever it was) to be broadcasting my travel planning
behavior. I'm not saying there's a law saying they can't, and I'm not
saying that the recipient has a way to know my personal identity, but
I can imagine scenarios in which this leak could turn out badly for

> One particularly vicious communication would be from such hosts as Google Analytics which sees the URL requests made to a huge amount of servers of the earth (they don't really know the content of the web-page thanks to browser protection but URLs tell a lot). I think Facebook inserts (e.g. badges) are of the same type (because they prevent caching).
> If such a communication happens, you have all the solutions to the below experience: your browser is identified with a cookie and that is submitted to the "common" server (analytics.google or facebook).
> What would be nice is to find tests to discover these and be able to warn or to blame non-respect of the terms of use. Maybe something is doable.
> paul
> PS: Privacy libertarians are aware of these but then... many including the EU even say one should reject cookies except explicitly authorized. This is non-realistic for today's architecture. A more nuanced position is needed.

Yes, that's the challenge.

I wonder if rejecting cookies from transcluded content (i.e. from
"visits" not directly authorized by the user) would do the trick. That
is, user action would constitute authorization (to deposit a cookie),
while others actions wouldn't. It may be possible to keep the overhead
of 'authorization' low enough that the EU approach becomes realistic.

(Related reading: Apple's deployment of the Powerbox idea
http://arstechnica.com/apple/reviews/2011/07/mac-os-x-10-7.ars/9 ;
also Alan Karp's work e.g.
http://www.hpl.hp.com/techreports/2009/HPL-2009-341.html .)


> Le 12 août 2011 à 17:11, Jonathan Rees a écrit :
>> Probably everyone knows this but me...
>> I shop at expedia.com (or somewhere) for a London hotel room. Later I
>> visit guardian.co.uk and see an Expedia ad for London hotel rooms.
>> I visit guardian.co.uk in a different browser (same computer & IP
>> address but Safari instead of Chrome) and instead get an ad for
>> magazine subscriptions. Apparently the Guardian can tell my two
>> browsers apart somehow - it's using more than just my IP address to
>> decide what ads to show me.
>> How does this work? I.e. what are browser instances doing that leaks
>> their identity to servers? Is it just a lucky guess based on
>> User-agent or something?
>> (a propos our privacy & tracking discussions)
>> Thanks
>> Jonathan
Received on Sunday, 14 August 2011 11:36:57 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:56:40 UTC