Re: [privacydir] Fwd: I-D ACTION:draft-mayer-do-not-track-00.txt

Ted Hardie <ted.ietf@gmail.com> Thu, 10 March 2011 22:08 UTC

Return-Path: <ted.ietf@gmail.com>
X-Original-To: privacydir@core3.amsl.com
Delivered-To: privacydir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 614E23A6A79; Thu, 10 Mar 2011 14:08:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.536
X-Spam-Level:
X-Spam-Status: No, score=-3.536 tagged_above=-999 required=5 tests=[AWL=0.063, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tiidJXvIr7I5; Thu, 10 Mar 2011 14:08:32 -0800 (PST)
Received: from mail-qy0-f179.google.com (mail-qy0-f179.google.com [209.85.216.179]) by core3.amsl.com (Postfix) with ESMTP id B24843A6AD4; Thu, 10 Mar 2011 14:08:31 -0800 (PST)
Received: by qyk7 with SMTP id 7so1823836qyk.10 for <multiple recipients>; Thu, 10 Mar 2011 14:09:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=CUythx61ogtIBXaK3oCCksyGug7vkXONBZCBPwEvv6M=; b=xTNkfB8ouKt1sWkjpox9IIQ0mvfYWn79hfciWkJkm0b4wH5gy5fKecPRyCsLpuUKzS jQlDeQgLCSnVqXEyxBnuQxF+mLaoqFLZjP6I9uGIpGpelbe7ILYwqgfq42e5LiAPtyn5 ChTTW0tpsG39bdKDbsGrf6LoCgeZFmhZgdiDU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=sZ0V8zq9mjsStAtJueLXTIucAJDQ24ZFZc6yy+yMzOMhkFhWHU4Jaz7XwUhO8jy8Kh l63MSPoIk3go/qr4PD1Zqn+AE8SLEa7/hQOdnVMxwpXTdHejKt/sMrp350NxNXNjI1zB 0aUCOqDtX1wSOL0fh38+RFtSAdjZbdu3qQdcM=
MIME-Version: 1.0
Received: by 10.229.62.198 with SMTP id y6mr6784652qch.290.1299794989613; Thu, 10 Mar 2011 14:09:49 -0800 (PST)
Received: by 10.229.11.74 with HTTP; Thu, 10 Mar 2011 14:09:49 -0800 (PST)
In-Reply-To: <D06B789B-1414-4D5F-B74E-F17EA5DEBC18@cdt.org>
References: <4D759595.60809@ieca.com> <AANLkTinv7bmd98pbfhEjzkKURyW7vpRPx+EDjfTW6BB_@mail.gmail.com> <D06B789B-1414-4D5F-B74E-F17EA5DEBC18@cdt.org>
Date: Thu, 10 Mar 2011 14:09:49 -0800
Message-ID: <AANLkTikcS+r=dWq7cpUqkWEvptO5mh9BDUnS-nui7dTa@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
To: Alissa Cooper <acooper@cdt.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: privacydir@ietf.org, ietf-privacy@ietf.org
Subject: Re: [privacydir] Fwd: I-D ACTION:draft-mayer-do-not-track-00.txt
X-BeenThere: privacydir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Privacy Directorate to develop the concept of privacy considerations for IETF specifications and to review internet-drafts for privacy considerations." <privacydir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/privacydir>, <mailto:privacydir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/privacydir>
List-Post: <mailto:privacydir@ietf.org>
List-Help: <mailto:privacydir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacydir>, <mailto:privacydir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Mar 2011 22:08:33 -0000

Hi Alissa,

Dropping privacydir, as requested.  Some further discussion in-line.

On Thu, Mar 10, 2011 at 12:55 PM, Alissa Cooper <acooper@cdt.org> wrote:
> (Moving this to ietf-privacy@ietf.org. I suggest future responses drop
> privacydir@ietf.org.)
>
> Hi Ted, couple responses inline --
>
> On Mar 7, 2011, at 11:14 PM, Ted Hardie wrote:
>
>> I've read this draft, and I think it warrants discussion.
>>
>> The most basic question for me is whether a single bit of information
>> about user preferences is sufficient in this case.  Having additional
>> bits which describe user preferences around tracking by first parties
>> seems to me necessary.
>
> I would suggest that the proposal in this draft be viewed as an attempt at
> incremental change. We start with one bit, which has the potential to be an
> improvement over the status quo. It doesn't foreclose having additional bits
> in the future. But even standardizing the one bit and getting people to
> honor it would be a significant improvement IMO.
>
First, web headers tend to be chatty ascii things, and using an opaque
single bit rather than a semantically useful statement seems to me a
poor optimization choice.  Second, if you are expecting extensibility,
you need to be really sure that the initial choices don't seem to
exclude it; these, at least to me, do.


>>
>> In particular, the document appears to assume that 1st party tracking
>> and 3rd party tracking done on behalf of a 1st party (see Exception 2)
>> are permitted even if DNT is set to "do not track".  That is, DNT is
>> really "No third party tracking" and it expects that there is a simple
>> mechanism by which third parties are distinguished from first parties.
>> I personally have my doubts.  If I get content used to construct a
>> web page from source X and source Y are both X and Y first parties?
>> The single-pixel image may look like an obvious 3rd party, but the
>> protocol mechanics by which I distinguish that from and embedded RSS
>> feed are not clearly described in the document.  I can infer that I
>> use the public suffix list and the FQDN of either the link or the
>> browser bar, but this really needs to be spelled out.
>
> I don't think the draft expects that there is a simple line to draw between
> first and third parties. Indeed, section 9.1 reveals some of the complexity
> involved in making this distinction. But just because it's hard doesn't mean
> that it's impossible.
>

But this is absolutely critical.  If someone including a single pixel
image gets to be treated as a first party, *any* mechanism based on
third party tracking is toothless.

> One way that CDT has thought about tackling this one is by branding:
> entities with common branding are considered to be the same party, whereas
> entities with different branding are different parties [1]. This makes the
> distinction subjective and not based on public suffix/FQDN/anything else
> observable by a UA, but it tries to match user expectation.
>

How does the protocol detect the brand?  cnn.caching-cdn.com is
branded in a way to allow it to share cookies with .cnn.com?

>>
>> I also find the exception for data which is "not linkable to a
>> specific user or user agent" somewhat hard to work through.  As the
>> two Narayanan papers cited show, anonymized data has been shown to
>> allow later identification.  How can we be certain that advertising
>> frequency capping or sequencing data has no similar issue without
>> specifying their format? Even if this is not intended as a loophole,
>> it seems likely to be exploited as one.
>
> I would again be thinking about this incrementally -- right now some opting
> out of tracking for some services doesn't even result in any
> de-identification. If this proposal can serve to reduce the identifiability
> of opted out users, even if it does not eliminate all identifiable data
> stored about them, I think that would be a positive step.
>
>>
>> I have the haunting feeling that starting from this position is
>> inherently weak.  If we are truly interested in user control here, the
>> opposite tack, a "Know This" header which explicitly states the
>> information the user is willing to reveal seems to give far more real
>> control.  This seems to ask the browser to  set a "Don't be evil" bit
>> on its requests, but to leave the real control over what that means so
>> underspecified that reasonable people could conclude wildly different
>> things.
>
> I would hope that one of the benefits of standardization here would be to
> build out the specificity of the semantic.

I think this argues for a much richer semantic than a single bit then,
especially when third and first party entities are hard to tease
apart.

It is much easier to know what is desired if you say:

know this: I want a maximally private interaction--don't store, share,
or analyze this interaction except as needed to maintain state

know this:  I'm okay with you doing anything with the data I provide you

know this:  I'm okay with you keeping my data "live" for up to 24
hours so I can pick up where I left off; I'm okay with you sharing
data I gave you with a financial institution I name in purchases; I'm
okay with you sharing my data as part of your analysis of purchase
patterns, provided my name, address, customer number, and financial
identifiers are removed; I'm okay with you sharing my data with other
parties you own, but not with other parties you pay for services.

The effect of a 3rd party "Do not track" clearly isn't the first in
your  draft, but where it falls between the 2nd and the 3rd is not yet
clear, because the server has to infer to much from a single bit.  If
the server's organization as a first party does all the work, they can
do *anything* according to this proposal.  Somehow I doubt that's what
the naive user will think happens when there UI asks them whether to
turn on "Do not Track".

regards,

Ted Hardie
>
> Alissa
>
>>
>> regards,
>>
>> Ted Hardie
>>
>>
>> On Mon, Mar 7, 2011 at 6:33 PM, Sean Turner <turners@ieca.com> wrote:
>>>
>>> FYI
>>>
>>> -------- Original Message --------
>>> Subject: I-D ACTION:draft-mayer-do-not-track-00.txt
>>> Date: Mon, 07 Mar 2011 17:45:01 -0800
>>> From: Internet-Drafts@ietf.org
>>> Reply-To: internet-drafts@ietf.org
>>> To: i-d-announce@ietf.org
>>>
>>> A new Internet-Draft is available from the on-line Internet-Drafts
>>> directories.
>>>
>>>
>>>   Title         : Do Not Track: A Universal Third-Party Web Tracking Opt
>>> Out
>>>   Author(s)     : J. Mayer, et al
>>>   Filename      : draft-mayer-do-not-track-00.txt
>>>   Pages         : 6
>>>   Date          : 2011-03-07
>>>
>>> This document defines the syntax and semantics of Do Not Track, an
>>>  HTTP header-based mechanism that enables users to express preferences
>>>  about third-party web tracking.  It also provides a standard for how
>>>  web services should comply with such user preferences.
>>>
>>>
>>> A URL for this Internet-Draft is:
>>> http://www.ietf.org/internet-drafts/draft-mayer-do-not-track-00.txt
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> Below is the data which will enable a MIME compliant mail reader
>>> implementation to automatically retrieve the ASCII version of the
>>> Internet-Draft.
>>>
>>>
>>> _______________________________________________
>>> privacydir mailing list
>>> privacydir@ietf.org
>>> https://www.ietf.org/mailman/listinfo/privacydir
>>>
>>>
>> _______________________________________________
>> privacydir mailing list
>> privacydir@ietf.org
>> https://www.ietf.org/mailman/listinfo/privacydir
>>
>
>
>