- From: CVS User rfieldin <cvsmail@w3.org>
- Date: Fri, 05 Dec 2014 19:18:49 +0000
- To: public-tracking-commit@w3.org
Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory gil:/tmp/cvs-serv22768
Modified Files:
tracking-dnt.html
Log Message:
tracking-ISSUE-262: clarify the requirements on a gateway (instead of the origin server) and be consistent when referring to DNT:1
--- /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-dnt.html 2014/12/05 00:53:00 1.274
+++ /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-dnt.html 2014/12/05 19:18:49 1.275
@@ -319,7 +319,7 @@
preference expression in a request forwarded through that intermediary
unless the intermediary has been specifically installed or configured
to do so by the user making the request. For example, an Internet
- Service Provider MUST NOT inject <code>DNT:1</code> on behalf of all
+ Service Provider MUST NOT inject <code><a>DNT:1</a></code> on behalf of all
users who have not expressed a preference.
</p>
<p>
@@ -437,14 +437,14 @@
A user agent MUST generate a <a>DNT</a> header field with a
field-value that begins with the numeric character "1" if the
user's tracking preference is <a>enabled</a>, their preference is
- for <code>DNT:1</code>, and no exception has been granted for the
+ for <code><a>DNT:1</a></code>, and no exception has been granted for the
request target (see <a href="#exceptions" class="sectionRef"></a>).
</p>
<p>
A user agent MUST generate a <a>DNT</a> header field with a
field-value that begins with the numeric character "0" if the
user's tracking preference is <a>enabled</a> and their preference is
- for <code>DNT:0</code>, or if an exception has been granted for the
+ for <code><a>DNT:0</a></code>, or if an exception has been granted for the
request target.
</p>
<p>
@@ -624,7 +624,8 @@
is acting as a gateway to an exchange involving multiple parties.
This might occur if a response to the <a>designated resource</a>
involves an automated selection process, such as dynamic bidding,
- that determines which party is able to collect tracking data.
+ where the party that is selected determines how the request data
+ will be treated with respect to an expressed tracking preference.
Similar to the <code>?</code> value, the <code>G</code> TSV
indicates that the actual tracking status is dynamic and will be
provided in the response message's <a>Tk</a> header field,
@@ -635,32 +636,43 @@
An origin server MUST NOT send <code>G</code> as the
tracking status value in a <a>Tk</a> header field or within the
representation of a request-specific tracking status resource.
- An origin server MUST NOT send <code>G</code> as the tracking
+ </p>
+ <p>
+ A gateway MUST NOT send <code>G</code> as the tracking
status value if it knows in advance that all of the potential
recipients have agreed on a single tracking status value of
- <code>N</code> (not tracking); in this case, the origin server
+ <code>N</code> (not tracking); in this case, the gateway
MUST respond with <code>N</code> instead of <code>G</code>.
</p>
<p>
+ A gateway MUST NOT send <code>G</code> as the tracking
+ status value unless it has reason to believe that recipients
+ other than the selected party will not retain tracking data after
+ the selection has been made when the expressed tracking preference
+ is <code><a>DNT:1</a></code>; if non-selected recipients retain
+ tracking data under <code><a>DNT:1</a></code>, the gateway
+ MUST respond with <code>T</code> instead of <code>G</code>.
+ </p>
+ <p>
If <code>G</code> is present in the site-wide tracking status:
<ul>
- <li>the origin server MUST meet the requirements of a
+ <li>the gateway MUST meet the requirements of a
service provider for each of the parties to which it
provides request data;</li>
- <li>the origin server MUST send a link within its site-wide
+ <li>the gateway MUST send a link within its site-wide
tracking status representation to a privacy policy that
- explains what limitations (if any) are placed on parties that
+ explains what limitations are placed on parties that
might receive data via that gateway;</li>
- <li>the origin server MUST forward any expressed tracking
+ <li>the gateway MUST forward any expressed tracking
preference in the request to each party that receives data
- from that request;</li>
- <li>the origin server MUST send a <a>Tk</a> header field in
+ from that request; and,</li>
+ <li>the gateway MUST send a <a>Tk</a> header field in
responses to requests on the designated resource and include
within that field's value a <code><a>status-id</a></code>
specific to the selected party, such that information about
the selected party can be obtained via the request-specific
tracking status resource (see
- <a href="#request-specific-status-resource" class="sectionRef"></a>).</li>
+ <a href="#request-specific-status-resource" class="sectionRef"></a>).
</ul>
</p>
</section>
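Review bot: The last list item loses its closing tag: the removed line ended in </li>, but the replacement line ending in class="sectionRef"></a>). does not, so that <li> runs unclosed into </ul>; restore the </li>. In the new paragraph, "MUST NOT send G unless it has reason to believe that recipients other than the selected party will not retain tracking data" stacks negatives and depends on "reason to believe", which is hard to test for conformance; a positive statement of when G is permitted would read more clearly. Dropping "(if any)" from the privacy-policy item also makes it read as though limitations must exist; confirm that is intended.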
@@ -709,9 +721,9 @@
A tracking status value of <dfn>P</dfn> means that the origin
server does not know, in real-time, whether it has received prior
consent for tracking this user, user agent, or device, but
- promises not to use or share any <code>DNT:1</code> data until
+ promises not to use or share any <code><a>DNT:1</a></code> data until
such consent has been determined, and further promises to delete
- or de-identify within forty-eight hours any <code>DNT:1</code>
+ or de-identify within forty-eight hours any <code><a>DNT:1</a></code>
data received for which such consent has not been received.
</p>
<p>
@@ -1328,7 +1340,7 @@
<section id='response-error'>
<h3>Status Code for Tracking Required</h3>
<p>
- If an origin server receives a request with <code>DNT:1</code>,
+ If an origin server receives a request with <code><a>DNT:1</a></code>,
does not have out-of-band consent for tracking this user, and
wishes to deny access to the requested resource until the user
provides some form of user-granted exception or consent for tracking,
@@ -1595,8 +1607,8 @@
<li>While the user is browsing a given site (top-level origin),
and a DNT header is to be sent to a target domain, if the duplet
[top-level origin, target domain] matches any duplet in the
- database, then a DNT:0 header is sent, otherwise the header (if one
- is needed) corresponding to the user’s general preference is sent.</li>
+ database, then a <code><a>DNT:0</a></code> preference is sent,
+ otherwise the user’s general preference is sent (if any).</li>
</ul>
<p>A pair of duplets [A,B] and [X,Y] match if A matches X and B matches Y.
A pair of values A and X match if and only if one of the following
@@ -1965,14 +1977,14 @@
will use some other third parties.</p>
<p>If a user agent sends a tracking exception to a given combination of origin
- server and a named third party, the user agent will send DNT:0 to that named
- third party. By receiving the DNT:0 header, the named third party acquires
+ server and a named third party, the user agent will send <code><a>DNT:0</a></code> to that named
+ third party. By receiving the <code><a>DNT:0</a></code> preference, the named third party acquires
the permission to track the user agent and collect the data and process it
in any way allowed by the legal system it is operating in.</p>
- <p>Furthermore, the named third party receiving the DNT:0 header acquires at
+ <p>Furthermore, the named third party receiving the <code><a>DNT:0</a></code> header acquires at
least the right to collect data and process it for the given interaction and
- any other use unless it receives a DNT:1 header from that particular
+ any other use unless it receives a <code><a>DNT:1</a></code> from that particular
identified user agent.</p>
<p>The named third party is also allowed to transmit the collected data for
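Review bot: The terminology is still mixed in this hunk: "By receiving the DNT:0 preference" replaces "header", but the next paragraph keeps "receiving the DNT:0 header", and the line after it drops the noun altogether ("unless it receives a DNT:1 from that particular identified user agent"). Since the log message aims for consistent references, use "preference" in all three places.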
@@ -1981,19 +1993,19 @@
The tracking permission request triggered
by the origin server is thus granted to the named third party and its
sub-services. This is even true for sub-services that would normally receive a
- DNT:1 web-wide preference from the user agent if the user agent
+ <code><a>DNT:1</a></code> web-wide preference from the user agent if the user agent
interacted with this service directly.</p>
<p>For advertisement networks this typically would mean that the collection and
auction system chain can use the data for that interaction and combine it
with existing profiles and data. The sub-services to the named third party
do not acquire an independent right to process the data for independent
- secondary uses unless they, themselves, receive a DNT:0
- header from the user agent (as a result of their own request or the request of
+ secondary uses unless they, themselves, receive a <code><a>DNT:0</a></code>
+ preference from the user agent (as a result of their own request or the request of
a first-party). In our example of advertisement networks that
means the sub-services can use existing profiles in combination with the
data received, but they can not store the received information into a
- profile until they have received a DNT:0 of their own. </p>
+ profile until they have received a <code><a>DNT:0</a></code> of their own. </p>
<p>A named third party
acquiring an exception with this mechanism MUST make sure that sub-services
@@ -2104,9 +2116,10 @@
test for the existence of
<code>storeSiteSpecificTrackingException</code> before calling
the method. If an exception is granted and the
- user agent stores that preference, a user agent may send a DNT:0
- header field even if a tracking preference isn't expressed for other
- requests. Persisted preferences MAY also affect which header is
+ user agent stores that preference, a user agent may send the
+ <code><a>DNT:0</a></code> tracking preference even if it has not
+ enabled preferences to be sent for other
+ requests. Persisted preferences MAY affect which preference is
transmitted if a user later chooses to express a tracking
preference.
</p>
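Review bot: The rewritten sentence keeps a lowercase "may" ("a user agent may send the DNT:0 tracking preference") directly before a sentence that uses uppercase "MAY"; state whether the first is meant as a normative permission and capitalize accordingly. The phrase "even if it has not enabled preferences to be sent" is also awkward: the header-generation paragraphs earlier in this diff use the linked term <a>enabled</a> for the user's tracking preference, and reusing that term here would tie the sentence to the definition.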
Received on Friday, 5 December 2014 19:18:51 UTC