Copyright © 2011-2012 W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark and document use rules apply.
This specification defines the technical mechanisms for expressing a
tracking preference via the DNT request header field in
HTTP, via an HTML DOM property readable by embedded scripts, and via
properties accessible to various user agent plug-in or extension APIs.
It also defines mechanisms for sites to signal whether and how they
honor this preference, both in the form of a machine-readable tracking
status resource at a well-known location and via a Tk
response header field, and a mechanism for allowing the user to approve
site-specific exceptions to DNT as desired.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.
This document is a snapshot of live discussions within the Tracking Protection Working Group. It does not yet capture all of our work. For example, we have issues that are [PENDING REVIEW] with complete text proposals that did not make it into this draft. Text in white is typically [CLOSED]: we have reached a consensus decision. Text in blue boxes presents multiple options the group is considering. In some cases we are close to agreement, and in others we have more to discuss. An issue tracking system is available for recording raised, open, pending review, closed, and postponed issues regarding this document. This draft, published 13 March 2012, is substantially different from and more complete than the First Public Working Draft.
We have not yet reviewed comments from the Community Group associated with this work. We thank them for their time and detailed feedback, and will address their comments in the near future.
This document was published by the Tracking Protection Working Group as a Working Draft. This document is intended to become a W3C Recommendation. If you wish to make comments regarding this document, please send them to public-tracking@w3.org (subscribe, archives). All feedback is welcome.
Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
The World Wide Web (WWW, or Web) consists of millions of sites interconnected through the use of hypertext. Hypertext provides a simple, page-oriented view of a wide variety of information that can be traversed by selecting links, manipulating controls, and supplying data via forms and search dialogs. A Web page is usually composed of many different information sources beyond the initial resource request, including embedded references to stylesheets, inline images, javascript, and other elements that might be automatically requested as part of the rendering or behavioral processing defined for that page.
Each of the hypertext actions and each of the embedded resource references might refer to any site on the Web, leading to a seamless interaction with the user even though the pages might be composed of information requested from many different and possibly independent Web sites. From the user's perspective, they are simply visiting and interacting with a single brand — the first-party Web property — and all of the technical details and protocol mechanisms that are used to compose a page representing that brand are hidden behind the scenes.
It has become common for Web site owners to collect data regarding the usage of their sites for a variety of purposes, including what led the user to visit their site (referrals), how effective the user experience is within the site (web analytics), and the nature of who is using their site (audience segmentation). In some cases, the data collected is used to dynamically adapt the content (personalization) or the advertising presented to the user (targeted advertising). Data collection can occur both at the first-party site and via third-party providers through the insertion of tracking elements on each page. A survey of these techniques and their privacy implications can be found in [KnowPrivacy].
People have the right to know how data about them will be collected and how it will be used. Empowered with that knowledge, individuals can decide whether to allow their online activities to be tracked and data about them to be collected. Many Internet companies use data gathered about people's online activities to personalize content and target advertising based on their perceived interests. While some people appreciate this personalization of content and ads in certain contexts, others are troubled by what they perceive as an invasion of their privacy. For them, the benefit of personalization is not worth their concerns about allowing entities with whom they have no direct relationship to amass detailed profiles about their activities.
Therefore, users need a mechanism to express their own preference regarding tracking that is both simple to configure and efficient when implemented. In turn, Web sites that are unwilling or unable to offer content without such targeted advertising or data collection need a mechanism to indicate those requirements to the user and allow them (or their user agent) to make an individual choice regarding exceptions.
This specification defines the HTTP request header field DNT for expressing a tracking preference on the Web, a well-known location (URI) for providing a machine-readable tracking status resource that describes a service's DNT compliance, the HTTP response header field Tk for resources to communicate their compliance or non-compliance with the user's expressed preference, and JavaScript APIs for determining DNT status and requesting a site-specific exception.
A companion document, [TRACKING-COMPLIANCE], more precisely defines the terminology of tracking preferences, the scope of its applicability, and the requirements on compliant first-party and third-party participants when an indication of tracking preference is received.
ISSUE-117: Terms: tracking v. cross-site tracking
The WG has not come to consensus regarding the definition of tracking
and whether the scope of DNT includes all forms of user-identifying
data collection or just cross-site data collection/use. This issue
will be resolved in the TCS document, though its resolution is a
necessary prerequisite to understanding and correctly implementing
the protocol defined by this document.
The key words must, must not, required, should, should not, recommended, may, and optional in this specification are to be interpreted as described in [RFC2119].
This specification uses Augmented Backus-Naur Form [ABNF] to define network protocol syntax and WebIDL [WEBIDL] for defining scripting APIs.
This specification uses the term user agent to refer to any of the various client programs capable of initiating HTTP requests, including, but not limited to, browsers, spiders (web-based robots), command-line tools, native applications, and mobile apps [HTTP11].
The goal of this protocol is to allow a user to express their personal preference regarding tracking to each server and web application that they communicate with via HTTP, thereby allowing each service to either adjust their behavior to meet the user's expectations or reach a separate agreement with the user to satisfy all parties.
Key to that notion of expression is that it must reflect the user's preference, not the preference of some institutional or network-imposed mechanism outside the user's control. Although some controlled network environments, such as public access terminals or managed corporate intranets, might impose restrictions on the use or configuration of installed user agents, such that a user might only have access to user agents with a predetermined preference enabled, the user is at least able to choose whether to make use of those user agents. In contrast, if a user brings their own Web-enabled device to a library or cafe with wireless Internet access, the expectation will be that their chosen user agent and personal preferences regarding Web site behavior will not be altered by the network environment, aside from blanket limitations on what sites can or cannot be accessed through that network.
The remainder of this specification defines the protocol in terms of whether a tracking preference is enabled or not enabled. We do not specify how that preference is enabled: each implementation is responsible for determining the user experience by which this preference is enabled.
For example, a user might select a check-box in their user agent's
configuration, install a plug-in or extension that is specifically
designed to add a tracking preference expression,
or make a choice for privacy that then implicitly includes a
tracking preference (e.g., Privacy settings: high
). Likewise,
a user might install or configure a proxy to add the expression
to their own outgoing requests.
For each of these cases, we say that a tracking preference
is enabled.
When a user has enabled a tracking preference, that preference needs to be expressed to all mechanisms that might perform or initiate tracking by third parties, including sites that the user agent communicates with via HTTP, scripts that can extend behavior on pages, and plug-ins or extensions that might be installed and activated for various media types.
When enabled, a tracking preference is expressed as either:
DNT | meaning | |
---|---|---|
1 | This user prefers not to be tracked on the target site. | |
0 | This user prefers to allow tracking on the target site. |
If a tracking preference is not enabled, then no preference is expressed by this protocol. This means that no expression is sent for each of the following cases:
ISSUE-111: Different DNT value to signify existence of site-specific exception (also linked to 4.1 and 6 below)
The DNT header field is hereby defined as the means for expressing a user's tracking preference via HTTP [HTTP11].
DNT-field-name = "DNT" ; case-insensitive DNT-field-value = ( "0" / "1" ) *DNT-extension ; case-sensitive DNT-extension = %x21 / %x23-2B / %x2D-5B / %x5D-7E ; excludes CTL, SP, DQUOTE, comma, backslash
A user agent must send the DNT header field on all HTTP requests if (and only if) a tracking preference is enabled. A user agent must not send the DNT header field if a tracking preference is not enabled.
The DNT field-value sent by a user agent must begin with the numeric character "1" (%x31) if a tracking preference is enabled, the preference is for no tracking, and there is not a site-specific exception for the origin server targeted by this request.
The DNT field-value sent by a user agent must begin with the numeric character "0" (%x30) if a tracking preference is enabled and the preference is to allow tracking in general or by specific exception for the origin server targeted by this request.GET /something/here HTTP/1.1 Host: example.com DNT: 1
An HTTP intermediary must not add, delete, or modify the DNT header
field in requests forwarded through that intermediary unless that
intermediary has been specifically installed or configured to do so
by the user making the requests. For example, an Internet Service
Provider must not inject DNT: 1
on behalf of all of their
users who have not selected a choice.
The remainder of the DNT field-value after the initial character is reserved for future extensions. User agents that do not implement such extensions must not send DNT-extension characters in the DNT field-value. Servers that do not implement such extensions should ignore anything beyond the first character.
DNT extensions are to be interpreted as modifiers to the
main preference expressed by the first digit, such that the main
preference will be obeyed if the recipient does not understand the
extension. Hence, a DNT-field-value of "1xyz" can be thought of
as do not track, but if you understand the
refinements defined by x, y, or z, then adjust my preferences
according to those refinements.
DNT extensions can only be transmitted when a tracking
preference is enabled.
The extension syntax is restricted to visible ASCII characters that can be parsed as a single word in HTTP and safely embedded in a JSON string without further encoding (section 5.1.2 Tracking Status Representation). Since the DNT header field is intended to be sent on every request, when enabled, designers of future extensions ought to use as few extension characters as possible.
ISSUE-111: Different DNT value to signify existence of site-specific exceptions
Should the user agent send a different DNT value to a first party
site if there exist site-specific exceptions for that first party?
(e.g. DNT:2 implies I have Do Not Track enabled but grant
permissions to some third parties while browsing this domain
)
[OPEN]
The NavigatorDoNotTrack
interface provides a means for
the user's tracking preference to be expressed to
web applications running within a page rendered by the user agent.
null
.
Navigator implements NavigatorDoNotTrack
;
Navigator
interface
[NAVIGATOR] (e.g., the window.navigator
object)
must also implement the NavigatorDoNotTrack
interface.
An instance of NavigatorDoNotTrack
is obtained
by using binding-specific casting methods on an instance of
Navigator
.
ISSUE-84: Make DNT status available to JavaScript
[OPEN]
The API above has been deemed inadequate due to origin restrictions
on embedded javascript by reference. We are awaiting new
text to resolve this issue.
ISSUE-116: How can we build a JS DOM property which doesn't allow inline JS to receive mixed signals?
ISSUE-125: Way to test if a given user agent supports DNT
User agents often include user-installable component parts, commonly known as plug-ins or browser extensions, that are capable of making their own network requests. From the user's perspective, these components are considered part of the user agent and thus ought to respect the user's configuration of a tracking preference. However, plug-ins do not normally have read access to the browser configuration.
It is unclear whether we need to standardize the plug-in APIs or if we should rely on it being defined per user agent based on general advice here. No plug-in APIs have been proposed yet.
A user's tracking preference is intended to apply in general, regardless of the protocols being used for Internet communication. The protocol expressed here is specific to HTTP communication; however, the semantics are not restricted to use in HTTP; the same semantics may be carried by other protocols, either in future revisions of this specification, or in other specifications.
When it is known that the user's preference is for no tracking, compliant services are still required to honor that preference, even if other protocols are used. For example, re-directing to another protocol in order to avoid receipt of the header is not compliant.
ISSUE-108: Should/could the tracking preference expression be extended to other protocols beyond HTTP?
[PENDING REVIEW] Text in this section; but the last paragraph
may be more appropriate in the compliance document, as it discusses
compliance.
The next two sections detail two proposals how to communicate tracking status:
This is work in progress. The WG has not yet decided which of these options (or both) to choose. The WG is currently working on a resolution but nevertheless appreciates input on this open issue. We are currently working on a proposal which combines the Tk response header and Tracking Status Resource. It would make the TSR compulsory and the Tk header optional. However, it would be required to use the Tk header to notify the user when something in the TSR has changed in real time.
An origin server must provide a tracking status resource at the well-known identifier [RFC5785]
/.well-known/dnt
(relative to the URI of that origin server) for obtaining information about the potential tracking behavior of services provided by that origin server. A tracking status resource may be used for verification of DNT support, as described in section 5.1.3 Using the Tracking Status.
A valid retrieval request (e.g., a GET
in [HTTP11])
on the well-known URI must result in either a successful response
containing a machine-readable representation of the site-wide
tracking status, as defined below, or a sequence of redirects that
leads to such a representation.
A user agent may consider failure to provide access to such a
representation equivalent to the origin server not implementing
this protocol. The representation might be cached, as described
in section 5.1.4 Tracking Status Caching.
If an origin server contains multiple services that are controlled by distinct parties or that might have differing behavior or policies regarding tracking, then it may also provide a space of well-known resources for obtaining information about the potential tracking behavior of each specific service. This parallel tree of resources is called the tracking status resource space.
The tracking status resource space is defined by the following URI Template [URI-TEMPLATE]:
/.well-known/dnt{+pathinfo}
where the value of pathinfo
is equal to the
path component [RFC3986] of a given reference to that
origin server, excluding those references already within the above
resource space. For example, a reference to
http://example.com/over/here?q=hello#top
may have a corresponding tracking status resource identified by
http://example.com/.well-known/dnt/over/here
Resources within the tracking status resource space are represented using the same format as a site-wide tracking status resource.
All requests for well-known URIs defined here must not be tracked, irrespective of the presence, value, or absence of a DNT header, cookies, or any other information in the request. In addition, all responses to requests on a tracking status resource, including redirected requests, must not include Set-Cookie or Set-Cookie2 header fields [COOKIES] and must not include content that would have the effect of initiating tracking beyond what is already present for the request. A user agent should ignore or treat as an error any Set-Cookie or Set-Cookie2 header field received in such a response.
The representation of a tracking status resource shall be provided in the "application/json" format [RFC4627] and must conform to the ABNF in section 5.1.5 Tracking Status ABNF. The following is an example tracking status representation that illustrates all of the fields defined by this specification, most of which are optional.
{ "path": "/", "tracking": true, "received": "1", "response": "t1", "same-site": [ "example.com", "example_vids.net", "example_stats.com" ], "partners": [ "api.example-third-party.com" ], "policy": "/tracking.html", "edit": "http://example-third-party.com/your/data", "options": "http://example-third-party.com/your/consent" }
A tracking status representation consists of a single status-object containing members that describe the tracking status applicable to this user agent's request.
If the status-object has an optional path
member, then this object describes the tracking status for the
entire space of resources that share the same path prefix as
the value of path
.
The user agent must interpret the path
value
relative to the originally referenced resource, not the resource
where it obtained the tracking status representation.
For the site-wide tracking status resource, the presence of a
path
member with a value of "/" indicates
that this status-object applies for the entire origin
server of the originally referenced resource.
If the originally referenced resource's path component does not
share the same prefix as the value of path
, or
if the path
member is absent, then the
tracking status for the referenced resource may be obtained via a
request on the corresponding tracking status resource space.
A status-object must have a member named
tracking
with a boolean value.
A value of false
indicates that the
corresponding resources do not perform tracking as it is
defined by [TRACKING-COMPLIANCE].
A value of true
indicates that the
corresponding resource performs tracking and claims to conform to
all tracking compliance requirements applicable to this site.
For example, the following demonstrates a minimal tracking status representation that is applicable to any resource that does not perform tracking.
{"tracking": false}
The following status-object would indicate that the entire site does not perform tracking.
{"path": "/", "tracking": false}
If tracking
is true
,
the status-object must include two additional members, named
received
and response
,
and may include other members as described below.
The received
member must have either a
string value equal to the DNT-field-value received in that
request or the value null
if no
DNT-field-value was received. Any invalid characters
received in the DNT-field-value must be elided from the
string value to ensure that invalid data is not injected into
the JSON result.
The response
member must have a string value
that indicates the status of tracking applicable specifically to
this user in light of the received DNT-field-value.
The string value begins with "t" (tracking) or "n" (not tracking)
and may be followed by alphanumeric characters that indicate
reasons for that status, as described in the following table.
reasons | meaning | |
---|---|---|
1 | Designed for use as a first-party only | |
3 | Designed for use as a third-party | |
a | Limited to advertising audits | |
c | Prior consent received from this user agent | |
f | Limited to fraud prevention | |
g | For compliance with regional/geographic constraints | |
q | Limited to advertising frequency capping | |
r | Limited to referral information |
An optional member named same-site
may be
provided with an array value containing a list of domain names
that the origin server claims are the same site, to the extent
they are referenced on this site, since all data collected via
those references share the same data controller.
An optional member named partners
may be
provided with an array value containing a list of
domain names for third-party services that might track the user
as a result of using this site and which do not have the same
data controller as this site.
An optional member named policy
may be
provided with a string value containing a URI-reference to a
human-readable document that describes the tracking policy for
this site. The content of such a policy document is beyond the
scope of this protocol and only supplemental to what is described
by this machine-readable tracking status representation.
An optional member named edit
may be
provided with a string value containing a URI-reference to a
resource intended to allow a tracked user agent to review or
delete data collected by this site, if any such data
remains associated with this user agent. The design of such
a resource and the extent to which it can provide access to
that data is beyond the scope of this protocol.
An optional member named options
may be
provided with a string value containing a URI-reference to a
resource intended to allow a user agent to opt-in
,
opt-out
, or otherwise modify their consent status
regarding data collection by this site. The design of such
a resource and how it might implement an out-of-band consent
mechanism is beyond the scope of this protocol.
Additional extension
members may be provided
in the status-object to support future enhancements to
this protocol. A user agent should ignore extension members
that it does not recognize.
Note that the tracking status resource space applies equally to both first-party and third-party services. An example of a third-party tracking status is
{ "tracking": true, "received": "1", "response": "n", "policy": "/privacy.html", "edit": "/your/data", "options": "/your/consent" }
ISSUE-47: Should the response from the server indicate a policy that describes the DNT practices of the server?
[PENDING REVIEW] The tracking status resource is a
machine-readable policy and provides a mechanism for supplying a
link to a human-readable policy.
ISSUE-61: A site could publish a list of the other domains that are associated with them
[PENDING REVIEW] The same-site and partners members provide
a means to list first-party and third-party domains, respectively.
ISSUE-124: Alternative DNT implementations that replace HTTP headers with something else
[PENDING REVIEW] The tracking status resource minimizes
bandwidth usage because only a small proportion of user agents
are expected to perform active verification, status would only be
requested once per site per day, and the response can be
extensively cached.
A key advantage of providing the tracking status at a resource separate from the site's normal services is that the status can be accessed and reviewed prior to making use of those services and prior to making requests on third-party resources referenced by those services. In addition, the presence (or absence) of a site-wide tracking status representation is a means for testing deployment of this standard and verifying that a site's claims regarding tracking are consistent with the site's observed behavior over time.
A user agent may check the tracking status for a given resource
URI by making a retrieval request for the well-known address
/.well-known/dnt
relative to that URI.
If the response is an error, then the service does not implement this standard. If the response is a redirect, then follow the redirect to obtain the tracking status (up to some reasonable maximum of redirects to avoid misconfigured infinite request loops). If the response is successful, obtain the tracking status representation from the message payload, if possible, or consider it an error.
Once the tracking status representation is obtained, parse the representation as JSON to extract the Javascript status-object. If parsing results in a syntax error, the user agent should consider the site to be non-conformant with this protocol.
If the status-object does not have a member named
path
or if the value of
path
is not "/" and not a prefix of the
path component for the URI being checked, then find the
service-specific tracking status resource by taking the template
and replacing
/.well-known/dnt{+pathinfo}
with the path component of the
URI being checked. Perform a retrieval request on the
service-specific tracking status resource and process the result
as described above to obtain the specific tracking status.
{+pathinfo}
The status-object is supposed to have a member named
tracking
with a boolean value. If the value
is false
, then no tracking is performed for the URI being
checked. If the value is true
, then examine the member
named received
to verify that the DNT header
field sent by the user agent has been correctly received by the
server. If the received
value is incorrect,
there may be an intermediary interfering with transmission of the
DNT request header field.
If the received
value is correct, then examine
the member named response
to see what the
origin server has claimed regarding the tracking status for this
user agent in light of the received DNT-field-value.
If the first character of the response
value
is "n", then the origin server claims that it will not track the
user agent for requests on the URI being checked, and for any URIs
with a path prefix matching the path
member's
value, for at least the next 24 hours or until the Cache-Control
information indicates that this response expires, as described
below.
If the first character of the response
value
is "t", then the origin server claims that it might track the
user agent for requests on the URI being checked, and for any URIs
with a path prefix matching the path
member's
value, for at least the next 24 hours or until the Cache-Control
information indicates that this response expires.
The remaining characters of the response
value
might indicate reasons for the above choices or limitations that
the origin server will place on its tracking.
The others members of the status-object may be used to help the user agent differentiate between a site's first-party and third-party services, to provide links to additional human-readable information related to the tracking policy, and to provide links for control over past data collected or over some consent mechanism outside the scope of this protocol.
If the tracking status is applicable to all users, regardless of the received DNT-field-value or other data received via the request, then the response should be marked as cacheable and assigned a time-to-live (expiration or max-use) that is sufficient to enable shared caching but not greater than the earliest point at which the service's tracking behavior might increase. For example, if the tracking status response is set to expire in seven days, then the earliest point in time that the service's tracking behavior can be increased is seven days after the policy has been updated to reflect the new behavior, since old copies might persist in caches until the expiration is triggered. A service's tracking behavior can be reduced at any time, with or without a corresponding change to the tracking status resource.
If the tracking status is only applicable to all users that have
the same DNT-field-value
, then either the response must
include a Cache-Control header field with one of the directives
"no-cache", "no-store", "must-revalidate", or "max-age=0", or
the response must include a Vary header field that includes "DNT"
in its field-value.
If the tracking status is only applicable to the specific user that requested it, then the response must include a Cache-Control header field with one of the directives "no-cache", "no-store", "must-revalidate", or "max-age=0".
Regardless of the cache-control settings, it is expected that user agents will check the tracking status of a service only once per session (at most). A public Internet site that intends to change its tracking status to increase tracking behavior must update the tracking status resource in accordance with that planned behavior at least twenty-four hours prior to activating that new behavior on the service.
The representation of a site's machine-readable tracking status must conform to the following ABNF for status-object, except that the members within each member-list may be provided in any order.
status-object = begin-object member-list end-object member-list = [ path ns path-v vs ] tracking ns tracking-v [ vs received ns received-v ] [ vs response ns response-v ] [ vs same-site ns same-site-v ] [ vs partners ns partners-v ] [ vs policy ns policy-v ] [ vs edit ns edit-v ] [ vs options ns options-v ] *( vs extension ) path = %x22 "path" %x22 path-v = string ; URI absolute-path tracking = %x22 "tracking" %x22 tracking-v = true / false received = %x22 "received" %x22 received-v = null / string response = %x22 "response" %x22 response-v = %x22 r-codes %x22 r-codes = ("t" / "n") *reasons reasons = "1" ; first-party / "3" ; third-party / "a" ; advertising audits / "c" ; prior consent / "f" ; fraud prevention / "g" ; geographic/regional compliance / "q" ; frequency capping / "r" ; referrals / ALPHA / DIGIT ; TBD same-site = %x22 "same-site" %x22 same-site-v = array-of-strings partners = %x22 "partners" %x22 partners-v = array-of-strings policy = %x22 "policy" %x22 policy-v = string ; URI-reference edit = %x22 "edit" %x22 edit-v = string ; URI-reference options = %x22 "options" %x22 options-v = string ; URI-reference extension = object array-of-strings = begin-array [ string *( vs string ) ] end-array ns = <name-separator (:), as defined in [RFC4627]> vs = <value-separator (,), as defined in [RFC4627]> begin-array = <begin-array ([), as defined in [RFC4627]> end-array = <end-array (]), as defined in [RFC4627]> begin-object = <begin-object ({), as defined in [RFC4627]> end-object = <end-object (}), as defined in [RFC4627]> object = <object, as defined in [RFC4627]> string = <string, as defined in [RFC4627]> true = <true, as defined in [RFC4627]> false = <false, as defined in [RFC4627]> null = <null, as defined in [RFC4627]>
This specification defines an HTTP response header, in order to meet the following needs:
An origin server may indicate the tracking status for a particular request by including a Tk header field in the corresponding response. If a request contains a DNT-field-value starting with "1", an origin server should send a Tk header field in the corresponding response.
If an origin server chooses not to send a Tk header field, then the user agent will not know if the tracking preference has been received or if it will be honored. This may have negative consequences for the site, such as triggering preventive measures on the user agent or being flagged as non-compliant by tools that look for response header fields.
ISSUE-107: Exact format of the response header?
[PENDING REVIEW] See the proposal in this section.
ISSUE-120: Should the response header be mandatory (must) or recommended (should)
[PENDING REVIEW] Text in above paragraphs.
The Tk header field is defined as follows:
Tk-Response = "Tk:" [CFWS] Tk-Status [CFWS] [ opt-in-flag ] [CFWS] [ reason-code ] Tk-Status = no-dnt / not-tracking / first-party / service-provider no-dnt = "0" not-tracking = "1" first-party = %x66 ; lowercase f service-provider = %x73 ; lowercase s opt-in-flag = "1" reason-code = ALPHA
Tk: 0 (no-dnt) indicates that this party does not comply with [TRACKING-COMPLIANCE].
Tk: 1 (not-tracking) indicates that:
Tk: f (first-party) indicates that:
Tk: s (service-provider) indicates that:
The opt-in-flag indicates that the server believes that the user has affirmatively consented to allow this party additional permission to track them. Unless the opt-in-flag is included, the server asserts that will act in responding to this request as if the user has not affirmatively consented to allow this party additional permission to track them.
The reason-code can be used when requesting more information (see below).
If a reason code is specified in the response, the well-known resource defined here must exist; if an opt-in-flag is included, the wel--known resource defined here should exist; otherwise it may exist.
The user can understand and manage their opt-in by visiting the well-known URI
/.well-known/dnt?status={Tk-status}&opt-in={opt-in-flag}&r={reason-code}relative to the request-target.
The information at this URI provides additional information about this party's privacy practices and practices, particularly concerning the opt-in-flag.
The above well-known URI has not yet been reconciled with the similar but distinct definition for the tracking status resource. We anticipate that one or the other will be adopted, or the two proposals will be merged.
Implementers should use caution when allowing caching of resources on which an opt-in flag is included. If caching is not carefully managed, there is a risk of sending a response intended for opted-in users to users who haven't opted in.
Implementers should carefully choose the cache properties of the items at the well-known URI. The content at these locations must be correct for the entire cache duration, otherwise users who load stale cached copies of these resources may be misled.
Any party can use the not-tracking response: this response just indicates a behavior. If a first party complies with the third-party definition, they are free to send this response. However, the first-party and service provider responses indicate both a behavior and an intention about that party's status. It would be deceptive to send the first-party header on a resource which is only ever embedded as a third party.
The no-dnt response should not be used on requests which are processed in accordance with [TRACKING-COMPLIANCE]. An entity which implements DNT should not use this response.
When embedding content from other sites, consider how that site expects their content to be used. If you embed/link to an object on another site, it's possible that the resource will send a first-party response even though it is now in a third-party context because the designer of that site never intended that object to be embedded. If a resource always sends a third-party response, there is no risk of this inconsistent response. Only the first-party outsourcer of service-provider objects should ever embed them.
Tk: 1
The site is a third or first party, in compliance with the definitions of a 3rd party that is not tracking.
Tk: 1 1 agreed
The site is a third party, that believes it has an explicit opt-in from the user; more information can be found at:
/.well-known/dnt?status=1&opt-in=1&r=agreed
An HTTP error response status code might be useful for indicating that the site refuses service unless the user either logs into a subscription account or agrees to an exception to DNT for this site and its contracted third-party sites.
ISSUE-118: Should requesting a user-agent-managed site-specific exception be asynchronous?
[PENDING REVIEW] As proposed below.
ISSUE-115: Should sites be able to manage site-specific tracking exceptions outside of the user-agent-managed system?
ISSUE-111: Different DNT values to signify existence of site-specific exception
This section is non-normative.
Exceptions to Do Not Track, including site-specific exceptions, are managed by the user agent. A resource should rely on the DNT header it receives to determine the user's preference for tracking with respect to that particular request. An API is provided so that sites may request and check the status of exceptions for tracking.
We anticipate that many user-agents might provide a prompt to users when this API is used, or to store exceptions. Questions of user interface specifics — for granting, configuring, storing, syncing and revoking exceptions — are explicitly left open to implementers.
This section is non-normative.
The following principles guide the design of the user-agent-managed site-specific exceptions proposal.
This API considers exceptions which are double-keyed to two domains: the site, and the tracker. A user might — for instance — want AnalytiCo to track them on Example News, but not on Example Medical. To simplify language used in this API specification, we define two terms:
For instance, if the document at
http://web.exnews.com/news/story/2098373.html
references the resources
http://exnews.analytico.net/1x1.gif
and
http://widgets.exsocial.org/good-job-button.js
,
this site is web.exnews.com
;
exnews.analytico.net
and
widgets.exsocial.org
are both
trackers.
ISSUE-112:
How are sub-domains handled for site-specific exceptions?
Should a request for a tracking exception apply to all subdomains
of the first party making the request? Or should a first party
explicitly list the subdomains that it's asking for? Similarly,
should third party subdomains be allowed (e.g. *.tracker.com)?
Proposal: Exceptions are requested for fully-qualified
domain names.
If a user wishes to be tracked by a tracker on this site, this should result in two user-agent behaviors:
It is left up to individual user-agent implementations how to determine and how and whether to store users' tracking preferences.
ISSUE-111:
Different DNT values to signify existence of site-specific
exception
Should the user agent send a different DNT value to
a first party site if there exist site-specific exceptions for that
first party? (e.g. DNT:2 implies "I have Do Not Track enabled but
grant permissions to some third parties while browsing this
domain")
Proposal: No, this API provides client-side means
for sites to request that information. Sites may also employ cookies
to recall a user's past response.
Parameter | Type | Nullable | Optional | Description |
---|---|---|---|---|
arrayOfDomainStrings | sequence<DOMString> | ✘ | ✘ | |
callback |
| ✘ | ✘ | |
siteName |
| ✘ | ✔ | |
explanationString |
| ✘ | ✔ | |
detailURI |
| ✘ | ✔ |
void
[Callback, NoInterfaceObject]
interface TrackingResponseCallback {
void handleEvent (boolean granted);
};
The requestSiteSpecificTrackingException
method takes
two mandatory arguments:
arrayOfDomainStrings
, a JavaScript array of strings,
and
callback
, a method that will be called when the
request is complete.
It also takes three optional arguments:
siteName
, a string for the name of this site,
explanationString
, a short explanation of the
request, and
detailURI
, a location at which further information
about this request can be found.
Each string in arrayOfDomainStrings
specifies a
tracker. The special string “*”
signifies all trackers. When called,
requestSiteSpecificTrackingException
must return
immediately, then asynchronously determine whether the user wants
the requested exceptions.
The granted
parameter passed to the callback is the
user’s response; true
indicates the user wants an
exception on this site for all of the
trackers specified in
arrayOfDomainStrings
. The response false
indicates that the user does not want an exception on this
site for at least one of the trackers
specified in arrayOfDomainStrings
.
A particular response to the API — like a DNT response header — is only valid immediately, and users' preferences may change.
A user agent may use an interactive method to ask the user about their preferences, so sites should not assume that the callback function will be called immediately.
ISSUE-109: siteSpecificTrackingExceptions property has fingerprinting risks: is it necessary?
[PENDING REVIEW] It has been removed from the proposal.
This section is non-normative.
User agents are free to implement exception management user interfaces as they see fit. Some agents might provide a prompt to the user at the time of the request. Some agents might allow users to configure this preference in advance. In either case, the user agent responds with the user’s preference.
A user agent that chooses to implement a prompt to present tracking exception requests to the user might provide an interface like the following:
Example News (web.exnews.com
) would like to know whether you permit tracking by the following parties: *exnews.analytico.net
*widgets.exsocial.org
Example News says: “These sites allow Example News to see how we’re doing, and provide useful features of the Example News experience.” [More info] [Allow Tracking] [Deny Tracking Request]
In this example, the domains listed are those specified in
arrayOfDomainStrings
, the phrase “Example
News” is from siteName
, and the
explanationString
is displayed for the user with a
“More info” link pointing to detailURI
.
The user agent might then store that decision, and answer future requests based on this stored preference. User agents might provide users with granular choice over which tracking origins are granted site-specific exceptions and which are not (using checkboxes, for example). User agents might automatically clear site-specific exceptions after a period of time or in response to user activity, like leaving a private browsing mode or using a preference manager to edit their chosen exceptions. If a user agent retains user preferences, it might provide the user with an interface to explicitly add or remove site-specific exceptions.
Users might not configure their agents to have simple values for DNT, but use different browsing modes or other contextual information to decide on a DNT value. What algorithm a user agent employs to determine DNT values (or the lack thereof) is out of the scope of this specification.
In some user-agent implementations, decisions to grant exceptions may have been made in the past (and since forgotten) or may have been made by other users of the device. Thus, exceptions may not always represent the current preferences of the user. Some user agents might choose to provide ambient notice that user-opted tracking is ongoing, or easy access to view and control these preferences. Users may desire options to edit exceptions either at the time of tracking or in a separate user interface. This might allow the user to edit their preferences for a site they do not trust without visiting that site.
ISSUE: Should there be a normative requirement for the existence of a revocation mechanism? (raised by npdoty)
Sites might wish to request exceptions even when a user arrives without a DNT header. Users might wish to grant affirmative permission to tracking on or by certain sites even without expressing general tracking preferences.
User agents may instantiate
NavigatorDoNotTrack.requestSiteSpecificTrackingException
even when navigator.doNotTrack
is null. Sites should
test for the existence of
requestSiteSpecificTrackingException
before calling
the method. If an exception is granted in this context and the
user-agent stores that preference, a user agent may send a DNT:0
header even if a tracking preference isn't expressed for other
requests. Persisted preferences may also affect which header is
transmitted if a user later chooses to express a tracking
preference.
Users might not configure their agents to have simple values for DNT, but use different browsing modes or other contextual information to decide on a DNT value. What algorithm a user agent employs to determine DNT values (or the lack thereof) is out of the scope of this specification.
Users may wish to configure exceptions for a certain trusted tracker across several or all sites. User agent configuration of these preferences is outside the scope of this specification.
ISSUE-113: Should there be a JavaScript API to prompt for a Web-wide exception?
PROPOSAL: User agents can provide configuration options
outside the scope of this specification.
By storing a client-side configurable state and providing functionality to learn about it later, this API might facilitate user fingerprinting and tracking. User agent developers ought to consider the possibility of fingerprinting during implementation and might consider rate-limiting requests or using other heuristics to mitigate fingerprinting risk. User agents should clear stored site-specific exceptions when the user chooses to clear cookies or other client-side state.
ISSUE-114: Guidance or mitigation of fingerprinting risk for user-agent-managed site-specific tracking exceptions
PENDING REVIEW Above text provides guidance for user agent
developers.
This specification consists of input from many discussions within and around the W3C Tracking Protection Working Group, along with written contributions from Nick Doty (W3C/MIT), Roy T. Fielding (Adobe), Tom Lowenthal (Mozilla), Aleecia M. McDonald (Mozilla), Matthias Schunter (IBM), John Simpson (Consumer Watchdog), David Singer (Apple), Shane Wiley (Yahoo!), and Andy Zeigler (Microsoft).
The DNT header field is based on the original Do Not Track
submission by Jonathan Mayer (Stanford), Arvind Narayanan
(Stanford), and Sid Stamm (Mozilla).
The DOM API for NavigatorDoNotTrack
is based on the
Web Tracking Protection submission by Andy Zeigler,
Adrian Bateman, and Eliot Graff (Microsoft).
Many thanks to Robin Berjon for ReSpec.js.