- From: Walter van Holst <walter.van.holst@xs4all.nl>
- Date: Mon, 16 Dec 2013 20:25:15 +0100
- To: public-tracking@w3.org
On 16/12/2013 19:52, Shane M Wiley wrote:

> Walter,
>
> I'm in agreement with MAY and would like to discuss moving to MUST as
> that may be supportable as well for the reasons you've laid out.
> Would there be legitimate scenarios where a Server would not be able
> to reliably put forth a compliance regime pointer? Other than the
> typical "mid-implementation" scenarios, the only other one I can
> think of immediately is for markets where there isn't a local
> compliance option and existing ones may not translate well to that
> market due to local laws. For example, for some APAC markets that
> have local Privacy Laws but no real self-regulatory compliance
> mechanism, I'm assuming no response here would be acceptable as long
> as the Server is operating within the bounds of local law. Fair?

If I understand your scenarios correctly we're talking about:

a) mid-implementation, which means that the Server probably doesn't even fully know itself how compliant it is at the time of the network interaction;

b) jurisdictions that do not allow for self-regulation but do not have a governmental compliance spec available either.

In scenario a) the logical thing would be to point to a compliance spec that explains that this is mid-implementation and that the user cannot expect a different result than with sending DNT:0.

In scenario b) for some reason the Server has reason to believe it cannot be fully compliant with local law (which may not even apply to the Server, but that is a different matter), and such a scenario should be covered either in the compliance spec the URI is pointing to, or the Server should use a different compliance spec for requests from that jurisdiction which again explains that there is no full compliance with local laws and why there isn't. I think no response should be sufficient in this regard as well, because then the user should be aware that DNT is treated in a way that he or she should not have many expectations of.
The beauty of Roy's proposal is that it allows for extreme flexibility both in the applicable specs, the way Servers treat different network interactions and during roll-out of the implementation. At some point you can replace the text the URI is pointing to with a different text (I would recommend putting in a timestamp) and with a flip of the switch you can go from not really honouring DNT to honouring DNT according to a spec you wish to comply with.

The only downside to this scenario that I can see is that there may arise disputes as to what compliance spec applied to which network interaction, so it probably would be better to include non-normative text explaining that it would be recommended to use a URI which is descriptive in itself and/or points to a trusted third party that performs the role of compliance spec server. And even then we may be overengineering things already.

Regards,

Walter
Received on Monday, 16 December 2013 19:25:44 UTC
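The two scenarios and the "flip of the switch" described in the message, as an added worked example that is not part of the thread and not code from the W3C Tracking Protection working group. It assumes the TPE-style tracking status representation in which the compliance regime pointer is a `compliance` array of URIs; the regime URIs, the jurisdiction catalogue, the trusted-third-party list and the interaction log are all constructed for illustration. The server side chooses which pointer (if any) to send for an interaction, the client side derives what a DNT:1 user may expect from it (no pointer is read as "no expectations", i.e. DNT:0 treatment), and the log keeps which regime text applied to which interaction so the dispute Walter anticipates can later be settled.

```python
"""Compliance regime pointer in a DNT tracking status response (illustration)."""
import json
from datetime import datetime, timezone

# Constructed catalogue of compliance regimes, keyed by the jurisdiction the
# request is served under. URIs are hypothetical; the date in the path is the
# "descriptive URI with a timestamp" the message recommends.
COMPLIANCE_BY_JURISDICTION = {
    "EU": "https://compliance.example/regimes/eu-dnt-2013-12-16",
    "US": "https://compliance.example/regimes/us-self-reg-2013-12-16",
}
# Regime text saying "implementation in progress, expect DNT:0 treatment".
MID_IMPLEMENTATION = "https://compliance.example/regimes/mid-implementation-2013-12-16"

# Client-side view: regimes published by a trusted third party, with what a
# user who sent DNT:1 may expect under each (constructed).
TRUSTED_REGIMES = {
    COMPLIANCE_BY_JURISDICTION["EU"]: "honoured",
    COMPLIANCE_BY_JURISDICTION["US"]: "honoured",
    MID_IMPLEMENTATION: "none",
}


def select_compliance(jurisdiction, rollout_complete):
    """Server side: choose the compliance pointer(s) for one interaction.

    Scenario a) mid-implementation -> point at the mid-implementation text.
    Scenario b) no usable regime for the jurisdiction -> send no pointer.
    Flipping rollout_complete to True switches to the real regime.
    """
    if not rollout_complete:
        return [MID_IMPLEMENTATION]
    uri = COMPLIANCE_BY_JURISDICTION.get(jurisdiction)
    return [uri] if uri else []


def tracking_status(jurisdiction, rollout_complete, tracking="N"):
    """Build a tracking status representation as a JSON-serialisable dict.

    Assumption: the pointer lives in a 'compliance' array as in the TPE
    draft; 'N' is used here to mean the server is not tracking.
    """
    body = {"tracking": tracking}
    compliance = select_compliance(jurisdiction, rollout_complete)
    if compliance:
        body["compliance"] = compliance
    return body


def user_expectation(status):
    """Client side: what may a user who sent DNT:1 expect from this response?

    'none'     - no pointer, or a pointer to a regime that promises nothing
                 (treat as if DNT:0 had been sent);
    'unknown'  - a pointer the client's trusted regime list does not cover;
    'honoured' - every pointer is a trusted regime that honours DNT.
    """
    compliance = status.get("compliance") or []
    if not compliance:
        return "none"
    verdicts = [TRUSTED_REGIMES.get(uri, "unknown") for uri in compliance]
    if "none" in verdicts:
        return "none"
    if "unknown" in verdicts:
        return "unknown"
    return "honoured"


INTERACTION_LOG = []


def record_interaction(request_id, status, now=None):
    """Keep which compliance text applied to which interaction, so a later
    dispute about the regime in force at that time has a record to go on."""
    entry = {
        "request": request_id,
        "served_at": (now or datetime.now(timezone.utc)).isoformat(),
        "compliance": list(status.get("compliance", [])),
    }
    INTERACTION_LOG.append(entry)
    return entry


if __name__ == "__main__":
    # Constructed interactions: EU after roll-out, EU mid-implementation,
    # and a jurisdiction ("XX") for which no regime exists.
    for jurisdiction, done in [("EU", True), ("EU", False), ("XX", True)]:
        status = tracking_status(jurisdiction, done)
        record_interaction(f"req-{jurisdiction}-{done}", status)
        print(jurisdiction, done, json.dumps(status), "->", user_expectation(status))
```

Swapping the regime text behind a URI without changing the URI is exactly what makes the log necessary; keeping the date in the URI path, as the message suggests, means the log entry alone identifies the text that applied.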