- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Sun, 30 Oct 2011 02:09:08 -0700
- To: Nicholas Doty <npdoty@w3.org>
- Cc: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
On Oct 28, 2011, at 7:17 PM, Nicholas Doty wrote: > On Oct 28, 2011, at 1:09 PM, Roy T. Fielding wrote: >> The response is only necessary for the very small percentage of DNT enabled >> browsers, which in turn is just a small percentage of overall browsers, that >> also want to see verification of tracking. In other words, the ultra-paranoid >> mode or the regulators checking for deployment/compliance. A user that just >> wants to enable DNT will just send the DNT request header. > > Do we think only "ultra-paranoid" users will have any interest in the response from the server? One of the goals we identified was to add visibility to the case of opting back in. This seems like a potentially very common situation, given the interest we've heard from advertisers and content providers in having a negotiation with users. It isn't ultra-paranoid users -- it is a certain mode of browsing where the user wants to be made aware of things like "this image came from a site that might be tracking you". It is one of those features that sounds okay at first, but ends up being a visual nightmare for anyone other than a privacy researcher. The case of opting-back-in is very different. In that case, the website sees that the user has DNT enabled and deliberately interrupts their normal behavior in order to get consent for tracking (or some other alternative like login). There is no need to change HTTP to accomplish that -- it can be just a redirect, form, and cookie. I suggested a new status code to make it visible to non-human browsers, but I don't know if that is actually needed here. > In fact, if the only effective signal that a user has opted-back-in will be the response header/well-known location, then I would suggest that all implementing user agents ought to check (through whichever mechanism) for every potential tracker. Otherwise it would be very easy for users to believe they've configured their browser to opt out and browse the Web while being regularly tracked. If we want to see the browser config for user awareness, have the browser display its own config. There is no need for the server to do that. We are talking about a preference expression. If any site wants to do bad things, all they have to do is ignore the expression or always respond that it is enabled. Invisible network communication is neither a contract nor a means of enforcement. ....Roy
Received on Sunday, 30 October 2011 09:09:35 UTC