Re: tracking-ISSUE-105: Response header without request header? [Tracking Preference Expression (DNT)]

I think it's ok, but…

* we need to have the discussion on when/how often the response header is sent.  If UAs attach the outbound header to every request (which is likely :-)), then there is an impact on caching and so on, if the sites have to attach it to every response.

* I am thinking of sites in three classes:
  -- those that have not read the spec., yet they do no tracking ('simple' sites), and don't send the response header
  -- those that have read the spec., done the work to get into compliance, and send the response header
  -- a site 'in the middle' that has done the privacy work to be in compliance, but not the http work to send a response header

Seems like the last class could be pretty small.  Do they need to be thought of as 'complying', especially since the UAs will have to assume the worst, as you say?

On Jan 16, 2012, at 9:00 , Matthias Schunter wrote:

> Hi All,
> 
> 
> I gave this another thought and I now had the impression that SHOULD
> may be sufficient. A wording like:
>  If a site receives a DNT;1 request header,
>  then it SHOULD send a DNT response header.
> (header details defined elsewhere)
> 
> Reasoning:
> 1. In order to be compliant, a site needs to satisfy the compliance
> and DNT specs
> 2. A site that is compliant with above wording honors a DNT=1 request
>    but may not send a corresponding acknowledgement (for whatever reason)
> 
> The result would be that a site sufficiently protects privacy
> (according to the compliance spec) while not advertising the fact.
> This will make users assume the worst (i.e., that DNT=1 was not honored).
> 
> While this is not optimal, it at least ensures that the site provides
> more privacy than promised which I believe to be OK from a privacy
> perspective.
> 
> A benefit of SHOULD is that sites could improve their data
> collection/retention/usage first to satisfy the compliance spec and
> then later do further upgrades to provide transparency/notice. An
> example would be a site that never stores anything while ignoring DNT.
> Similar to today's practice that privacy policies usually over-state
> the potential uses of the collected data.
> 
> What do you think?
> 
> 
> Regards,
> matthias
> 
> 
> On 12/20/2011 9:58 PM, John Simpson wrote:
>> Agree that if request header is DNT=1, then a site MUST send a
>> response header to be compliant.
>> 
> 
> 

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Monday, 16 January 2012 17:40:10 UTC
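The caching impact David raises above (a response header that is only emitted when the request carried DNT:1 means the response varies by request header) is easy to get wrong on the origin side. The following is an added, constructed example, not code from the thread or from any W3C draft: an origin handler that acknowledges a well-formed DNT:1 request and, crucially, sets `Vary: DNT`, plus a toy shared cache that shows what happens when Vary is ignored. The response header name and value (`DNT: 1` as an acknowledgement) are a placeholder assumption, since the thread explicitly leaves "header details defined elsewhere".

```python
"""Constructed example, not part of the original thread or any W3C draft.

Shows an origin that acknowledges a 'DNT: 1' request header and why the
acknowledged response must carry 'Vary: DNT', using a toy shared cache.
"""

# Assumption / placeholder: the thread says response header details are
# "defined elsewhere", so the acknowledgement header is invented here.
ACK_HEADER_NAME = "DNT"
ACK_HEADER_VALUE = "1"


def header_lookup(headers, name):
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def dnt_enabled(request_headers):
    """True only for a well-formed 'DNT: 1'; 'DNT: 0', absent or malformed -> False."""
    return header_lookup(request_headers, "DNT") == "1"


def handle(request_headers, body="<html>hello</html>"):
    """Origin handler returning (status, response_headers, body)."""
    headers = {
        "Content-Type": "text/html",
        "Cache-Control": "public, max-age=3600",
        # The response differs by the DNT request header, so any shared
        # cache must key its stored copies on that header.
        "Vary": "DNT",
    }
    if dnt_enabled(request_headers):
        headers[ACK_HEADER_NAME] = ACK_HEADER_VALUE
    return 200, headers, body


class SharedCache:
    """Minimal shared cache; with honor_vary=True it keys entries on the
    request headers named in the response's Vary field (only the subset of
    RFC 7234 behaviour needed for this illustration)."""

    def __init__(self, origin, honor_vary=True):
        self.origin = origin
        self.honor_vary = honor_vary
        self.entries = {}      # url -> list of (selecting_headers, response)
        self.origin_hits = 0

    def fetch(self, url, req_headers):
        for selecting, resp in self.entries.get(url, []):
            # An empty 'selecting' dict (Vary ignored) matches every request.
            if all(header_lookup(req_headers, n) == v for n, v in selecting.items()):
                return resp
        resp = self.origin(req_headers)
        self.origin_hits += 1
        vary = resp[1].get("Vary", "") if self.honor_vary else ""
        selecting = {
            n.strip(): header_lookup(req_headers, n.strip())
            for n in vary.split(",") if n.strip()
        }
        self.entries.setdefault(url, []).append((selecting, resp))
        return resp


def demo(honor_vary):
    """Three requests through one shared cache. Returns
    (ack present for DNT:1 client, ack present for non-DNT client, origin hits)."""
    cache = SharedCache(handle, honor_vary=honor_vary)
    dnt_resp = cache.fetch("/", {"DNT": "1"})
    plain_resp = cache.fetch("/", {})            # no DNT header at all
    cache.fetch("/", {"dnt": "1"})               # lowercase name, should hit cache
    return (
        ACK_HEADER_NAME in dnt_resp[1],
        ACK_HEADER_NAME in plain_resp[1],
        cache.origin_hits,
    )


if __name__ == "__main__":
    print("Vary honoured:", demo(True))    # non-DNT client gets no ack
    print("Vary ignored: ", demo(False))   # non-DNT client served the acked copy
```

With Vary honoured, the DNT:1 and non-DNT clients get separate cached copies (two origin hits for three requests, the lowercase `dnt: 1` request being a cache hit). With Vary ignored, the non-DNT client is served the acknowledged response, which is exactly the cache pollution the thread is worried about; a shared cache that does not understand the new header behaves the same way, which is why the cost of emitting the response header on every response is not just bytes on the wire.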