Re: action-231, issue-153 requirements on other software that sets DNT headers from Justin Brookman on 2012-08-23 (public-tracking@w3.org from August 2012)

From: Justin Brookman <jbrookman@cdt.org>
Date: Wed, 22 Aug 2012 23:09:48 -0400
To: public-tracking@w3.org
Message-ID: <acde2e1d-c8bb-4a9e-a277-0f3004bb724d@blur>

It is simply not true that IE10's header has no meaning.  At the end of the  
day, for implementers of this specification, IE10's DNT:1 header meaning is  
whatever this spec says it is.  The problem comes if the spec says that any  
party gets to subjectively decide what IE10's header means.

To forestall having the same exact argument with you for the nth time, I  
will reiterate my concession that it may be OK for parties to have different  
rules for responding to different UAs (including refusing to provide  
content).  I'm just not sure a response header to the UA that "I refuse to  
honor this header" without requiring more is sufficiently transparent from  
the user's persepctive.

Sent via mobile, please excuse curtness and typos

-----Original message-----
From: "Roy T. Fielding" <fielding@gbiv.com>
To: Justin Brookman <jbrookman@cdt.org>
Cc: public-tracking@w3.org
Sent: Thu, Aug 23, 2012 02:47:38 GMT+00:00
Subject: Re: action-231, issue-153 requirements on other software that sets   
DNT  headers

On Aug 22, 2012, at 5:57 PM, Justin Brookman wrote:

> As Shane has said, the key is transparency: you can't just receive a DNT:1  
signal and go about your tracking business.

That simply isn't true. DNT sent from MSIE 10.0 has no meaning.
It is equivalent to not sending DNT, as far as "tracking business"
is concerned, whatever we might mean by tracking.

>   You have to get permission to track,

Only in certain jurisdictions.

> or tell the user you refuse to deliver them content while DNT:1 is on,

That's certainly an option.

> or refuse to provide service to the user agent at all.

No, the user agent sent a request.  The site will respond as requested
and do whatever applicable regional laws allow with the data collected.

>   I saw a news story recently that Wired is already doing this for just  
IE10 users --- grant permission to track, or we'll just serve you snippets.   
They don't claim that IE10 isn't compliant---rather they presume the  
validity of the signal---they just say "here are your choices."  Of course,  
this may not be compliant with European law, but I believe the group had  
decided that sites could degrade users' experiences who don't grant  
exceptions.

Removing the DNT signal does not, in any way, impact compliance
with EU laws.

> I had been uncomfortable with sites or third parties saying "come back  
with a different browser" due to allegations of noncompliance, but it helps  
to consider that they could do it anyway---as long as it's transpa

Received on Thursday, 23 August 2012 03:10:03 UTC