Re: ISSUE-111 - Exceptions are broken

Good points, Vincent.

On Mar 28, 2012, at 2:17 AM, Vincent Toubiana wrote:

> Shane,
> 
> IMHO it just means "I'm ok being tracked on this site". I believe this is quite different, I trust my bank website but would not be ok to be tracked while I'm browsing it.
> Furthermore, trusting a website is not enough if even the 1st party does not know which third parties will be called on its site (it can not trust them).
> 
> Vincent
> 
> On Mar 28, 2012, at 4:33 AM, Shane Wiley wrote:
> 
>> Correct - in short "I trust this site".
>> 
>> - Shane
>> 
>> -----Original Message-----
>> From: David Singer [mailto:singer@apple.com] 
>> Sent: Tuesday, March 27, 2012 7:48 PM
>> To: Tracking Protection Working Group WG
>> Subject: Re: ISSUE-111 - Exceptions are broken
>> 
>> 
>> On Mar 7, 2012, at 10:02 , Kevin Smith wrote:
>> 
>>> Even with an *, meaning that the exception applies to all 3rd parties on the 1st party site, 
>> 
>> I've been meaning to ask: is that "all the 3rd parties I am using today" or "all the 3rd parties I am using and might use in the future"?  I rather suspect it's the latter, whereupon it's saying "I trust the Bogville Chronicle to use only reputable 3rd parties", right?
>> 
>> On Mar 8, 2012, at 14:17 , Kevin Smith wrote:
>> 
>>>> As I understand it, an exception for "*" on a first-party site would imply that the user agent would send DNT:0 to every domain from which a resource was requested as part of loading the first-party page (including subsequent re-directs, iframes and XHR requests).
>>> 
>>> I am not sure how to do this using current methodologies.  Take a simple example.  Site A has an exception for all 3rd parties and includes 3rd Party B which then includes 3rd Party C.  3rd Party C is requested from 3rd Party B, not Site A.  How does the browser know that 3rd Party C's request originated from Site A?  Certainly 3rd Part C probably knows from customized request parameters, but how does the browser map the request to its list of exceptions to even see the '*' associated with site A?  I think this would be new functionality.
>> 
>> Assuming that the browser has a clear idea of the 1st party (the top-level context) then when requesting resources to build that page, it merely has to ask whether the origin of the resource matches an exception in the list for that 1st party (with * matching everyone), doesn't it?  What am I missing?
>> 
>> User visits Bogville Chronicle.  (bogville.com).  
>> UA finds the 3rd-party exception list for that user on bogville.com
>> As each HTTP request is generated, ask "is the origin in the exception list?" - if so, send DNT:0, else send DNT:1.
>> 
>> If the bogville.com people can't enumerate the closure of the sites that they care about, then use "*".
>> 
>> I think this gets ugly when you consider mash-up sites, however.  That assumption that the UA can always work out what top-level browsing context is the owner for every other fetch may be difficult to get water-tight.
>> 
>> On Mar 8, 2012, at 18:22 , Jonathan Mayer wrote:
>> 
>>> 
>>> If a user has DNT enabled, an ad need not be (and most often won't be) random.  I believe there is a consensus in the group that contextual targeting, demographic targeting, and geographic targeting (possibly with some degree of coarseness) would all be allowed.
>>> 
>> 
>> Yes, I don't think anyone has issues with using real-time data, including data in the transaction itself: time of day, location, kind of site visited, kind of ad requested, and so on. Knowing nothing about me and remembering nothing about me does NOT say you can't look at the clock, where the request came from (IP, Geo), where the ad will be embedded, and all sorts of other non-user-specific information.
>> 
>> 
>> 
>> David Singer
>> Multimedia and Software Standards, Apple Inc.
>> 
>> 
>> 
> 
> 

----------
John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd. ,Suite 200
Santa Monica, CA,90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org
john@consumerwatchdog.org