W3C home > Mailing lists > Public > public-tracking@w3.org > November 2011

RE: "cross-site"

From: Jules Polonetsky <julespol@futureofprivacy.org>
Date: Wed, 16 Nov 2011 22:24:19 -0500
To: "'Nicholas Doty'" <npdoty@w3.org>, "'Roy T. Fielding'" <fielding@gbiv.com>
Cc: "'John Simpson'" <john@consumerwatchdog.org>, "'Mark Nottingham'" <mnot@mnot.net>, "'Karl Dubost'" <karld@opera.com>, <public-tracking@w3.org>
Message-ID: <000901cca4d8$64e14d80$2ea3e880$@futureofprivacy.org>
I thought there was consensus that requirements on first parties were "may"
and third parties were "must" or "shall".

-----Original Message-----
From: Nicholas Doty [mailto:npdoty@w3.org] 
Sent: Wednesday, November 16, 2011 10:20 PM
To: Roy T. Fielding
Cc: John Simpson; Mark Nottingham; Karl Dubost; public-tracking@w3.org WG
(public-tracking@w3.org)
Subject: Re: "cross-site"

On Nov 16, 2011, at 12:43 AM, Roy T. Fielding wrote:

> On Nov 15, 2011, at 2:59 PM, John Simpson wrote:
> 
>> Perhaps I am missing something, but I don't understand why we need the
reference to "cross-site" nor to "across sites."  As a user I want to send a
clear and unambiguous signal that I do not wish to be tracked.  I may be
persuaded that first party sites and third party sites have different
obligations when my message is received, but I definitely want both first
and third party sites to get my message. Thus, I believe the specification
should simply read:
>> 
>> "This specification defines the technical mechanisms for expressing a
tracking preference via the DNT request header field in HTTP."
> 
> No, we've already had this conversation.
> 
> We chose to make exceptions for analytics and first-party-exclusive
tracking from the preference expression because they are not a privacy
concern, they do match user expectations, and are necessary for DNT
adoption.

As John points out, while we do seem to agree that first and third parties
may have different requirements, I'm not aware of a consensus decision that
first parties are entirely excepted from the standards. In fact, the
compliance document currently contains a "First Party Compliance" section,
ISSUE-17 remains open and first parties could provide meaningful responses
with the proposed response header. 

I also don't remember us choosing to grant an exception for analytics,
besides highlighting that for later discussion. ISSUEs 23 and 24 haven't
been opened yet, though the work on 73 suggests a direction for one type of
analytics.

> The combination of those two choices requires that we place an adjective
before tracking in order to properly define the meaning of the header field.
"cross-site" is good enough for me.  We can replace it if somebody comes up
with a better shorthand term.

I'd be happy with John's suggested text, or with whatever language we land
on in the compliance document (there are open issues there about
"behavioral" as a potential modifier for this purpose).

-Nick
Received on Thursday, 17 November 2011 03:24:49 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:22 UTC