Re: tracking-ISSUE-260: method for validating DNT signal from user [TPE Last Call] from David (Standards) Singer on 2014-09-23 (public-tracking@w3.org from September 2014)

From: David (Standards) Singer <singer@apple.com>
Date: Tue, 23 Sep 2014 12:44:05 -0700
To: Mike O'Neill <michael.oneill@baycloud.com>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Tracking Protection Working Group <public-tracking@w3.org>
Message-id: <2726F431-4097-4B40-896E-51545CAFB321@apple.com>

On Sep 23, 2014, at 12:40 , Mike O'Neill <michael.oneill@baycloud.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi David,
> 
> I just meant if an intermediary (e.g. a browser extension or a router) can insert DNT:1 in the request headers it can also edit the cookie: header. UA state in mostly conveyed in the cookies, so it is possible to amend state, and so stop the vast majority of tracking. If it is possible to do that there is no point in worrying about someone illicitly inserting DNT:1. If it was to stop tracking it could just do that anyway.

Yes.  An end-system can remember what DNT it saw last time (e.g. in a cookie) and if it changes it can see whether the new state matches the JS property.  If it doesn’t, it looks like the user may be behind a problem intermediary.  Problems intermediaries won’t know what cookies to edit or how, and they surely cannot edit javascript.

> 
> Mike
> 
>> -----Original Message-----
>> From: David (Standards) Singer [mailto:singer@apple.com]
>> Sent: 23 September 2014 19:52
>> To: Mike O'Neill
>> Cc: Roy T. Fielding; Tracking Protection Working Group
>> Subject: Re: tracking-ISSUE-260: method for validating DNT signal from user
>> [TPE Last Call]
>> 
>> 
>> On Sep 23, 2014, at 10:11 , Mike O'Neill <michael.oneill@baycloud.com> wrote:
>> 
>>> 3) It could have been inserted by an intermediary.
>>> 
>>> Nothing can be done about that, other than requiring DNT to reflect the user's
>> preference.
>>> 
>>> If an intermediary can edit the outgoing packets it can change any header,
>> including the cookies. It would be just as easy to insert properly formatted opt-
>> out cookies to be sent to all servers, so NAI/IAB self-regulation has the same
>> problem. In fact most tracking could be stopped just by an intermediary
>> selectively removing cookies.
>> 
>> Actually, intermediaries cannot easily affect the Javascript property (or more
>> precisely, change what enquiries of the JS property appear to return), so it’s
>> fairly easy to check the header if you are suspicious.
>> 
>> 
>> David Singer
>> Manager, Software Standards, Apple Inc.
>> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (MingW32)
> Comment: Using gpg4o v3.3.26.5094 - http://www.gpg4o.com/
> Charset: utf-8
> 
> iQEcBAEBAgAGBQJUIcyhAAoJEHMxUy4uXm2J+2IH/iRkUWyjHzL1xXCJpW6rImAQ
> G/5I0m/Im12aBHL7aVxp09eDbWdd2vzaQmG2JSy98CUKm7nBBPQpuK5BOWXlvGtG
> 8YYC5ynT2/brYhcJqOdLf3STUwulIDKsQFLG4yMpWeBGjjG5KdoV3MuPlNGEBgBC
> SW8oxMOwZP2bJvBzJMqXoETjNPTgRCGEgsbCjlbm2Tq7hDbqPbBaohy5qg8D5NJB
> +PW4Ro7FfgiwQTtSzudNvTxVfk2lyhircVgOd6FSQFEf9K5ZXxxv1BBg4QR3rJhf
> eR14XvxHAAJzGbPH3O/u0LZKzYicHKn130TvQfgvjLG2ILogU1NWQT/+ej9IaEY=
> =lWZM
> -----END PGP SIGNATURE-----
> 

David Singer
Manager, Software Standards, Apple Inc.

Received on Tuesday, 23 September 2014 19:44:46 UTC