Re: Issue-4 from David Singer on 2011-10-28 (public-tracking@w3.org from October 2011)

From: David Singer <singer@apple.com>
Date: Fri, 28 Oct 2011 09:32:31 -0700
To: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
Message-id: <9D2D3ED0-7971-463E-AE4A-4D4C7BCF7B1E@apple.com>

On Oct 28, 2011, at 3:44 , Rigo Wenning wrote:

> David, 
> 
> I think this goes into the net-neutrality debate, an issue we can't tackle 
> here.
> 
> Rigo
> 
> On Thursday 27 October 2011 17:11:58 David Singer wrote:
>> I am, however, not enthused by the idea that intermediates that I did NOT
>> choose and over which I have no control could change my statement.
>> 
>> "By staying in this hotel, you agree to have your outbound HTTP requests
>> modified to state you explicitly permit tracking."

I think you may be right, alas.  But this is a powerful reason to need the response header.  If *I* set my system to send DNT, and the hotel modifies my outbound traffic to turn that request off, without a response header I won't know.  *With* the response header, I'll see the "thank you for telling me I can track you" coming back (unless the hotel is REALLY nefarious and remembers what I asked for and rewrites the response as well).

I think we need a response, and the statement that intermediate nodes MUST NOT fiddle with responses, or cache them.

On Oct 28, 2011, at 4:05 , Rigo Wenning wrote:

> On Thursday 27 October 2011 16:57:16 David Singer wrote:
>> The user or user-agent deserves to know which clause of the privacy policy
>> they currently fall into, and a static document can't tell them that.
> 
> David, it must. Otherwise you're back in P3P. And the contextual complexity 
> (which clause of the privacy policy) will kill deployment.

I have a suspicion I wasn't clear and you are answering a different question.  Let me try again.

If the policy says
"If you visit me, or interact with me [1st party], then I can track you even with DNT turned on. Likewise, if you visit example-ad-site.net and set your preferences there to one of the 'opt-in' choices [opt-in], I can also track you even when DNT is turned on.  I also can track you if the site you visit is under contract with me and I am acting on their behalf [proxy], or if required to do so by law-enforcement.  And I reserve the right to track you when there is a full moon visible over Dar-es-salaam, too."

Then I think I deserve to know, in the response to a DNT request, if the site thinks I fall into one of these exception categories.  (I might disagree).

This is a dynamic question not answerable by the static policy.

> 
> If we scope the meaning of the DNT header meaning for this request you'll get 
> context. If we scope the meaning of DNT saying for this site you don't get 
> context. The meaning of the DNT header is not defined by your privacy policy, 
> but by the Specification. Otherwise, the DNT header would be nearly 
> meaningless. 

Totally agree that what track, and "do not", and so on, mean, must be uniform and defined by the specification.

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Friday, 28 October 2011 16:37:34 UTC