Re: after W3C f2f in DC last week -- phone call Thursday morning 9 am Pacific time?

On Apr 18, 2012, at 6:36 AM, Jeremy Malcolm wrote:
> 1. If an out-of-band selection is made, does the user agent somehow recognise this and reflect it in its own exception API?  For example if I click on "allow" for Google on a Google preferences Web page, then go to my list of exceptions in the browser's preferences window, does Google appear there?  Sorry if this is answered somewhere and I missed it.

On Apr 19, 2012, at 12:39 AM, Jeremy Malcolm wrote:
> If the answer is no, then this seems a problem to me.  User agents will doubtless allow syncing of DNT preferences between devices.  This will lead to an expectation by users that they only need to express their preference once, to be reflected across all the devices that they use.  (For example, Firefox and Chrome do this with other types of preferences.)
> 
> But if a DNT preference is solicited by a website out of band, this user expectation may be broken.  The user may have to express their DNT preference on each device, which will be troublesome, and it will be difficult for the user to remember whether he or she has expressed the preference or not (since, moreover, there will be no easy way to check in the browser's settings whether they have).
> 
> Unless out of band is to be disallowed altogether, then the only way to fix this problem that I can think of would be to require that the website communicate the DNT preference back to the browser, so that the browser can cache it and possibly sync it with the other devices.

I don't speak for the full Working Group, but I might be able to give some input here.

We are working under the assumption that sites can use out-of-band consent (possibly subject to particular requirements) to override a user's expressed DNT preference, even when the user agent isn't managing the exception (by sending DNT:0). User-agent-managed exceptions have the advantage that a user can manage them in a single place, inspect them, clear them all at once, etc. User agents could also handle syncing between devices. Some users also use different browsers at different times in order to have different privacy settings, or different settings on different devices. To the extent that a site can identify a user (via logged-in state, for example) the site might sync DNT overrides across devices (a feature or a bug, depending on the user's expectation).

But when sites do use an out-of-band consent mechanism, they would be required to note this in the response to the user (either through the header or the well-known URI), so user agents could potentially reveal to the user in real time when they're being tracked in a way that overrides their DNT preference. A browser could list that with other exceptions in its UI, but clearing that exception would have to be done with the service itself.

We have not standardized (or discussed standardizing) a mechanism for sites to inform user agents that a user has granted an exception and so that exception should now be managed by the user agent (and send DNT:0 in future), although I don't think anything in the spec would explicitly prevent user agents from doing something like this if they thought users wanted it.

Hope this helps,
Nick

Received on Thursday, 19 April 2012 17:59:23 UTC
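
An added example, not part of the message above or of any Working Group text: how a user agent could build the combined exception list the reply describes, separating exceptions it manages itself from overrides a site claims through out-of-band consent. The `Tk` response header and its `C` (consent) status value are taken from the W3C Tracking Preference Expression specification rather than from this thread; the function names and all origins are constructed for illustration.

```javascript
// Added example. Tk status "C" (consent claimed) is taken from the W3C
// Tracking Preference Expression specification; origins below are constructed.
function tkStatus(tkHeader) {
  // The Tk value is one status character, optionally followed by ";qualifier".
  if (typeof tkHeader !== "string") return null;
  const status = tkHeader.trim().split(";")[0].trim();
  return status.length === 1 ? status : null;
}

// uaExceptions: Set of origins the browser itself manages (it sends DNT:0 there).
// responses: [{ origin, sentDnt, tk }] as observed by the browser.
function exceptionView(uaExceptions, responses) {
  const view = new Map();
  for (const origin of uaExceptions) {
    view.set(origin, { origin, managedBy: "user-agent", clearableInBrowser: true });
  }
  for (const { origin, sentDnt, tk } of responses) {
    // Only a DNT:1 request answered with "C" is an out-of-band override.
    if (sentDnt !== "1" || tkStatus(tk) !== "C") continue;
    if (view.has(origin)) continue; // already UA-managed; keep that entry
    // The browser can show this entry, but revoking it happens at the service.
    view.set(origin, { origin, managedBy: "site", clearableInBrowser: false });
  }
  return [...view.values()].sort((a, b) => a.origin.localeCompare(b.origin));
}

// Constructed sample traffic.
const sampleExceptions = new Set(["https://news.example"]);
const sampleResponses = [
  { origin: "https://ads.example", sentDnt: "1", tk: "C" },
  { origin: "https://cdn.example", sentDnt: "1", tk: "N" },
  { origin: "https://news.example", sentDnt: "0", tk: "C" },
  { origin: "https://shop.example", sentDnt: "1", tk: undefined },
];

for (const row of exceptionView(sampleExceptions, sampleResponses)) {
  console.log(`${row.origin}  managed by ${row.managedBy}  clear in browser: ${row.clearableInBrowser}`);
}
```

A response with no `Tk` header is skipped here; a site that signals through the well-known URI instead would need a separate fetch that this sketch does not perform.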