Re: Issue-65: How does logged in and logged out state work -- Draft Proposal from Aleecia M. McDonald on 2012-02-16 (public-tracking@w3.org from February 2012)

From: Aleecia M. McDonald <aleecia@aleecia.com>
Date: Wed, 15 Feb 2012 22:50:05 -0800
To: "Tracking Protection Working Group WG (public-tracking@w3.org)" <public-tracking@w3.org>
Message-Id: <FDCFDE01-D28A-42D2-A100-06AD8EB5EA55@aleecia.com>
I've re-opened this as pending review, since we never discussed. If there is no additional support for text here, it will be easy to close. But we will talk about it first.

	Aleecia

On Jan 26, 2012, at 4:44 AM, JC Cannon wrote:

> I’m concerned about the draft as written and would like some clarification. Consider two scenarios:
>  
> 1.     The user is a member of a social site and logs into that site and then goes to visit a news site. The user likes seeing which articles her friends like. With DNT:1 the site should not track the user, but should still be able to augment the user’s experience based on her profile.
> 2.    The user logs into Gmail to read her mail. One of the emails has a link to a restricted YouTube video. Upon clicking on the link the user’s expectation is that she can access the content without having to login again.
> JC
> Twitter
>  
> From: Sean Harvey [mailto:sharvey@google.com] 
> Sent: Wednesday, January 25, 2012 11:01 AM
> To: Tom Lowenthal
> Cc: Andy Zeigler; Tracking Protection Working Group WG (public-tracking@w3.org)
> Subject: Re: Issue-65: How does logged in and logged out state work -- Draft Proposal
>  
> In general i'm really excited about the progress on the response header! but given that we've just reviewed it this afternoon i do need to get more feedback both internally and from publishers in order to ensure that this is reasonably implementable. and i believe we need to discuss this as a group before any issues are formally closed. it's worth stepping back for a moment and making sure we all know what we're signing up for, but this is great progress. 
>  
>  
>  
>  
> On Wed, Jan 25, 2012 at 7:51 PM, Tom Lowenthal <tom@mozilla.com> wrote:
> In that case, let's follow the simplicity principle and avoid
> extraneous text. I'm closing ISSUE-65 and ACTION-70.
> 
> On Wed 25 Jan 2012 07:24:49 PM CET, Andy Zeigler wrote:
> > That would be simpler. Either way is fine with me.
> >
> > -----Original Message-----
> > From: Tom Lowenthal [mailto:tom@mozilla.com]
> > Sent: Wednesday, January 25, 2012 7:22 PM
> > To: Andy Zeigler
> > Cc: Tracking Protection Working Group WG (public-tracking@w3.org)
> > Subject: Re: Issue-65: How does logged in and logged out state work -- Draft Proposal
> >
> > ACTION-70 ISSUE-65
> > Fine, I suppose. I'd rather just not have any text on this topic at all, and let the existing rules work it out.
> >
> > On Wed 25 Jan 2012 02:10:04 PM CET, Andy Zeigler wrote:
> >> I apologize - sent before the cut-and-paste.
> >>
> >> Draft text:
> >>
> >>                  If a user is logged into a first-party website and it receives a DNT:1 signal, the website MUST respect DNT:1 signal as a first party and SHOULD handle the user login as it normally would. If a user is logged into a third-party website, and the third party receives a DNT:1 signal, then it MUST respect the DNT:1 signal unless it falls under an exemption described in section 3.4.
> >>
> >> Example use cases:
> >>
> >>  - A user with DNT:1 logs into a search service called "Searchy". Searchy also operates advertisements on other websites. When the user is on a news website,  Searchy receives DNT:1, and it must respect it, as Searchy is operating in a third-party context.
> >>
> >>  - A user with DNT:1 enabled visits a shopping website and logs in. The shopping website continues to provide recommendations, order history, etc. The shopping site includes third-party advertisements. Those third-parties continue to respect DNT:1. When the user purchases the items in their basket, a third-party financial transaction service is used. The user interacts with the third-party service, at which point it becomes first-party and may use previously collected data.
> >>
> >> - A user with DNT:1 visits a website (Website A) that uses a third-party authentication service called "LogMeIn". The user logs into the site with his LogMeIn credentials. The user has interacted with LogMeIn, and now it can act as a first-party. Now the user vists Website B, which also uses the LogMeIn service, but is branded differently than Website A. LogMeIn MUST respect the DNT:1 signal until the user chooses to interact with LogMeIn in order to log into Website B.
> >>
> >> From: Andy Zeigler
> >> Sent: Wednesday, January 25, 2012 2:02 PM
> >> To: Tracking Protection Working Group WG (public-tracking@w3.org)
> >> Subject: Issue-65: How does logged in and logged out state work --
> >> Draft Proposal
> >>
> >>
> >>
> >>
> >>
> >
> 
> 
> 
>  
> -- 
> Sean Harvey
> Business Product Manager
> Google, Inc. 
> 212-381-5330
> sharvey@google.com
Received on Thursday, 16 February 2012 06:50:30 UTC