- From: Ronan Heffernan <ronansan@gmail.com>
- Date: Fri, 22 Mar 2013 18:17:42 -0400
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: Justin Brookman <justin@cdt.org>, public-tracking@w3.org
- Message-ID: <CAHyiW9K5EP3ANS0qEYcZabeob9HaVBUyzTx1Zv+aStECojxpQQ@mail.gmail.com>

Roy,

Yes, I think that Alex Deliyannis expressed these same concerns, because of our shared experience implementing large-scale, globally-distributed WWW systems. Perhaps we were negligent in not periodically re-raising our concerns about requiring complex real-time processing in light-weight distributed nodes. Your proposal to include this as part of a "3" response sounds interesting, and I will review that section of the draft.

Thanks.

--ronan

On Fri, Mar 22, 2013 at 5:53 PM, Roy T. Fielding <fielding@gbiv.com> wrote:

> On Mar 22, 2013, at 1:39 PM, Justin Brookman wrote:
>
> > On 3/22/2013 3:42 PM, Ronan Heffernan wrote:
> >> Responding to a DNT:1 signal with an acknowledgement that a company follows DNT, and will abide by the restrictions (and permitted uses) therein, is easy. Responding with real-time lookups of whether OOBC exists is quite difficult (in many cases impossible), especially for large-scale systems that use CDNs and other distributed processing, and systems that do not receive technical information required to perform OOBC lookups until after some browsing has already happened.
> >
> > I just don't understand why these concerns hadn't been raised in the previous two years of discussions (it is possible they have and I was paying less attention to TPE, but if they were, they were resolved to the editors' and chairs' satisfaction). The mandatory response signal has been in the TPE for some time now. I would like to hear from others if feedback is effectively impossible for OOB. In which case, that's an argument that we need should get rid of OOB and require implementation of the exception mechanism by user agents (something I had previously been reluctant to do).
>
> I think Alex raised the issue early on and we simply neglected to design for it. There do exist systems that only *use* collected data in essentially offline batch processing, so it is reasonable for a site to say "we are collecting data for all transactions but will only retain and use data from users identified as having previously given consent".
>
> I would not suggest using "C" for that. It is a different answer.
>
> Alternatively, we could just make it part of the "3" definition to be that DNT:1 data will not be retained (beyond the minimum period allowed for non-processed raw data) unless agreed to separately by the user under contract. That would be consistent with prior consent overriding DNT.
>
> And, again, whether or not this meets what the user asked by DNT:1 depends entirely on the definition of Do Not Track. If DNT:1 means let me browse anonymously, then sites that can't support anonymous browsing can't comply with DNT. Panel studies should simply require that members in the panel turn off DNT.
>
> OTOH, if DNT:1 means do not follow my activity across non-affiliated sites without my prior consent, then it would be sufficient for OOB consent sites to implement DNT by stating that the data will be deleted within X hours if it does not correspond to a user that has consented.
>
> ....Roy

Received on Friday, 22 March 2013 22:18:31 UTC