- From: David Singer <singer@apple.com>
- Date: Fri, 28 Oct 2011 09:55:31 -0700
- To: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
On Oct 27, 2011, at 4:49 , Ronan Heffernan wrote: > The well-known URI solution offers superior tracking prevention, as the user agent can decide that the response from the well-known URI is incompatible with the users' preferences, and abort the loading of the rest of the site. Indeed, I was thinking that some user-gents might 'probe' sites they don't know about by fetching 'robots.txt' or some other well-known file, with DNT set, and seeing what the response header says. However, we can make two huge improvements here: having a well-known URL for the policy (e.g. privacy-policy.htm, in top-level), and allowing URIs in the return response. Imagine also that the return URI could be relative, whereupon it's relative to the policy. Now, the UA is loading a page, and sees a 'new' site called in as a third party by that page (say user is visiting example-news.com and the page loads something from example-tracker.net). The UA, being cautious for its user, doesn't immediately load the content requested, but fetches http://example-tracker.net/privacy-policy.htm, with DNT turned on. Lots of very informative outcomes can now occur: * I get a success response with the privacy policy (I hope it's small), and a "I never track anyone" response, or a "I respect your DNT request" response; all is good! * I get a success response with the privacy policy, but no response to the DNT request; I might stop loading that site, or I might suggest to the user that they read the supplied policy and tell me whether to block the site, as it doesn't seem to handle DNT; * I get success on the policy, but the site says in the response "I am still tracking you for reason #express-permission"; I can now say to the user "the site claims to have your permission, and you can read exactly what they claim here [http://example-tracking.com/privacy-policy#express-permission]" * I get a failure on the policy (404), but the DNT is respected; not so great, but we're probably OK; * I get a failure on the policy and silence on the DNT request; we have an old site that pre-dates this work; probably not safe to visit. and so on... David Singer Multimedia and Software Standards, Apple Inc.
Received on Friday, 28 October 2011 16:56:41 UTC