What are the Response Header and Well-Known Resource for? from David Singer on 2012-07-31 (public-tracking@w3.org from July 2012)

From: David Singer <singer@apple.com>
Date: Tue, 31 Jul 2012 15:49:56 -0700
To: "public-tracking@w3.org WG" <public-tracking@w3.org>
Message-id: <3CCB63DC-468F-4303-A02C-5561B2E06503@apple.com>

Friends

I would like ti suggest we include an informative section in the specification of questions that a user/user-agent might have about 'what's going on with my DNT requests', and how the response header and/or well-known resource (or some other mechanism) provide answers. This is kinda like a FAQ that UAs might have for sites.

Here is a start on the list of *questions* (I do not yet have proposed answer text).

For each of these questions, we can decide to use the header, the WKR, or some other mechanism, or a combination of tools. I think that the static ones naturally lend themselves to the WKR, and we tentatively said that if your status (1st/3rd) changes, a header will alert you.

I am sure I missed a few questions, these are off the top of my head. Can I suggest we assemble this list, and then we can decide on the best proposed answers to the questions, and make the set of questions+answers into an informative section?

I have divided my questions into categories (static, personal interaction, and dynamic).

(Note that enquiries to the WKR are required to be un-tracked under all circumstances.)

static questions

1. Does this site implement or recognize DNT at all?
2. If so, does it claim compliance?
3. Is this site part of a larger 'party' of affiliated sites that share information? Who is the main party and/or master site?
4. Does this party ever claim 'permissions'? Particularly, is it claiming the 'agent of 1st party' permission?
5. Does it always operate as a 3rd party, or does it sometimes become 1st (e.g. an ad that gets interacted with, vs. an analytics site).
6. If the site has trusted important partners, for whom it might ask an exception, who are they?
7. Where do I find a readable privacy policy?
8. Is there a place where I can express my preferences, grant exceptions, etc.?

personal interaction questions (that might vary from place to place, or individual to individual, but typically not transaction to transaction)

10. What header did the site receive from me? (Did my header make it through?)
11. Does the site claim an in-band (well, I'd know if it says it saw DNT:0) or out-of-band exception from me?
12. Is the site going to decide not to honor my DNT:1 request for some other reason (e.g. my choice of UA, as recently discussed :-(, a court order, etc.)?

truly dynamic questions (that might vary from request to request)

20. Is the site operating as a 1st or 3rd party in this interaction? (This makes a big difference to how much tracking can happen).

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Tuesday, 31 July 2012 22:50:38 UTC