- From: (unknown charset) Matthias Schunter <mts@zurich.ibm.com>
- Date: Thu, 09 Feb 2012 16:09:54 +0100
- To: (unknown charset) public-tracking@w3.org
Hi Sean, On 2/9/2012 3:28 PM, Sean Harvey wrote: > How is the third party going to know from the DNT:0 that they may only > collect site specific information? What if the user visits two sites > consecutively, both of which have site specific exceptions? Might not > the third party server unknowingly (re)place a cookie on the browser > when they see DNT:0 and then check that cookie on both site 1 and site > 2 because they both have DNT-off values? this indeed seems to be a challenge: In the extreme, every request header transmits its own (and maybe different) DNT value (a user agent may choose to send different DNTs based on sub-site, subdomains or whatever other criteria). This is hard to track/emulate with cookies. Setting opt-out cookies too broadly is no problem from a privacy perspective (except that it may break things) Strictly speaking, you can only clear your cookies for the given URL. If this affects other URLs, it is at your own risk. However, there is light at the end of the tunnel: - I believe while it is hard to 100% emulate DNT with cookies, the current proposal of the DNT responses allow you to say 'I believe that I have your opt-in'. If the browser then disagrees, it can alert the user or take some other action. Do I understand correctly that the scenario in your mind is that a gateway interprets DNT and then sets/removes cookies while all back-end systems will continue to rely on these cookies? While ultimately cookie-based DNT should be replaced by DNT;;-) I see the benefit of cookie-based emulations to allow for quick and cost-efficient adoption. If this is the scenario you have in mind, I'd like to raise a separate issue to discuss this. If not, please clarify. Regards, matthias
Received on Thursday, 9 February 2012 15:10:38 UTC