Re: ACTION-114 ISSUE-107 : Revised response header. from Sean Harvey on 2012-02-09 (public-tracking@w3.org from February 2012)

From: Sean Harvey <sharvey@google.com>
Date: Thu, 9 Feb 2012 14:28:42 +0000
To: Matthias Schunter <mts@zurich.ibm.com>
Cc: Nick Doty <npdoty@w3.org>, Heather West <heatherwest@google.com>, public-tracking@w3.org
Message-ID: <CAFy-vucBv4b9moNVEg6V9kpnGOAHJbbSYTAtkbVex69oiHQ-qQ@mail.gmail.com>
Thanks Matthias, I didn't want to be alarmist but I think this is a real
potential problem -- though I continue to hold out hope that I am simply
misunderstanding something.

Context and a couple of clarifying questions in this respect:

   1. How is the third party going to know from the DNT:0 that they may
   only collect site specific information? What if the user visits two sites
   consecutively, both of which have site specific exceptions? Might not the
   third party server unknowingly (re)place a cookie on the browser when they
   see DNT:0 and then check that cookie on both site 1 and site 2 because they
   both have DNT-off values?

   2. The majority of third parties are probably not going to start by
   supporting site specific exceptions because of the technical complexity
   involved in sometimes-on/sometimes-off states, and the work involved in
   creating site-specific partitions. What they want to know is the user's
   default state so they can opt them out of any cookie-ing and be done with
   it. Will they now be unable to do this based on the current state of the
   dnt header spec?

thanks -- again I may be fundamentally misunderstanding the current state
of conversations, but want to double-check that we haven't steered off down
the wrong road.

sean





On Thu, Feb 9, 2012 at 2:06 PM, Matthias Schunter <mts@zurich.ibm.com>wrote:

> Hi Sean,
>
> Somewhat I do not understand your question.
>
> My point was that the DNT header is the definitive resource for user
> preference info.
> In case of site-specific-exceptions, the header will change to DNT;0,
> i.e., the site can still rely on the header as the sole source of
> preference information.
>
> We discuss whether we provide means for a server to obtain more info
> (what exceptions, am I an exception,  and the like).
>
> The point wrt cookies is that if a site uses other means to 'cache'
> DNT preferences, it does so at its own risk.
>
> While a portal that translates incoming DNT signals to cookies to
> allow back-end systems to use the legacy cookie mechanisms, the site
> needs to ensure that this translation is sound and that DNT;1 is
> always respected (while loosing some DNT'0 preferences should be OK
> by, eg., not being fast enough to destroy an opt-out cookie for your
> site after receiving a DNT;0 signal).
>
> Did this clarify your point?
>
> Regards,
> matthias
>
>
>
>
> On 2/8/2012 11:22 AM, Sean Harvey wrote:
> > Thanks Matthias. just a quick double check without having to waste
> > everyone's time. The point here is that the server should not have to
> > check any cookies including opt out cookies to determine the user's
> > default DNT status. I assume we are not saying that currently there is
> > no clear way for the server to understand the user's default DNT state
> > when a site-specific exception is in place?
> >
> >
> >
> >
> > On Mon, Feb 6, 2012 at 9:28 PM, Matthias Schunter <mts@zurich.ibm.com
> > <mailto:mts@zurich.ibm.com>> wrote:
> >
> >     Hi Sean,
> >
> >
> >     thanks for reviewing the header proposal. I agree with Nick that this
> >     should largely work:
> >
> >     1. The user browses SITE and sends whatever DNT value (or none) that
> >     he prefers
> >     2. The site discovers an opt-out cookie and interprets this as DNT;1
> >     3. The site responds with a response header that signals its intended
> >     usage
> >         (e.g., no tracking / third party)
> >
> >     However, I believe that obtaining headers may be more reliable than
> >     using redundant information from cookies. Consider a case where:
> >      a) The user prefers DNT;1 and sends this header everywhere
> >           and has an opt-out cookie as well.
> >      b) The site only interprets the cookie (ignoring the header)
> >           and assumes DNT;0 if it receives no cookie
> >      c) the user deletes all cookies while continuing to send DNT;1
> >
> >     In this case, the site would assume DNT;0 while the user has sent
> >     DNT;1.
> >
> >     Note that this is not a problem of the response headers. It is rather
> >     an issue how to keep the DNT header info in sync with other opt-out
> >     schemes. The challenge is to ensure that the cookies used by the site
> >     are always in sync with the DNT header sent by the user.
> >
> >
> >     Regards,
> >     matthias
> >
> >
> >
> >
> >     On 2/5/2012 11:15 PM, Sean Harvey wrote:
> >     > The concern is that some systems may wish to respect a DNT header
> >     > being on (in part) by setting an opt-out cookie. This opt-out
> cookie
> >     > would mean that site-specific exemptions will be ignored and the
> >     user
> >     > will be treated as DNT=on in all cases. This is practically
> >     easier in
> >     > some cases, and we would want this to at least be an option for a
> >     > server when faced with an array of DNT states.
> >     >
> >
> >
> >
> >
> >
> > --
> > Sean Harvey
> > Business Product Manager
> > Google, Inc.
> > 212-381-5330
> > sharvey@google.com <mailto:sharvey@google.com>
>
>


-- 
Sean Harvey
Business Product Manager
Google, Inc.
212-381-5330
sharvey@google.com
Received on Thursday, 9 February 2012 14:29:15 UTC