
Re: Behavior of user agents after granting exceptions

From: Matthias Schunter <mts-std@schunter.org>
Date: Fri, 13 Apr 2012 20:59:21 +0200
Message-ID: <4F887789.3000106@schunter.org>
To: ifette@google.com
CC: Rigo Wenning <rigo@w3.org>, public-tracking@w3.org
Hi Ian/Rigo,


I see that we agree. This is good news ;-)

The requirement that the DNT value should reflect preferences of an
actual user is part of the TPE spec. However, as you indicated, the user
agent may derive this preference from other actions (such as installing
an anti-tracking tool or enabling private browsing mode). Similarly, a
privacy-enabled user agent may do some heuristics like "In general I
send DNT;1 but for sites that are on my whitelist, I send nothing (or
DNT;0)". What should not happen is that a user agent sends DNT;0 or DNT;1
without reflecting some desire/input/preference by the user.

What I wanted to clarify (and we seem to agree) is
 a) The return value of the exception API does not guarantee future
behavior (user may change its mind or may use advanced user agent)
 b) We allow for innovation in the API and heuristics used by user
agents (as long as they reflect the preference of a user).


Regards,
matthias


On 13/04/2012 18:08, Ian Fette (イアンフェッティ) wrote:
> I don't want to get too deep into discussions about the browser UI,
> but I think it's fundamentally important to note that the value that
> gets sent to the server needs to be a reflection of the user's express
> intent. That is, if a user has granted an exception, DNT0 should get
> sent; a browser shouldn't just decide "Well, I'm going to send DNT1"
> unless it is clear to the user exactly why their choice is being
> overridden and why and that this override is intended. For instance, I
> think one could argue that when opening a "private browsing mode",
> which many browsers treat conceptually as a separate profile to some
> extent, it could be reasonable not to carry over the granted
> exceptions into that private browsing session. But such cases should
> be very few and far between, and frankly I think it would be worth a
> discussion of that.
>
> In short, I'm not sure your #5 is sufficiently nuanced ("user agents
> using other algorithms to determine whether to send DNT0/1")
>
> -Ian
>
> On Fri, Apr 13, 2012 at 5:13 AM, Rigo Wenning <rigo@w3.org> wrote:
>
>     We especially allow the user to change her mind and instruct the UA to
>     send DNT=1 after the exception was granted (and we have no notion of
>     time so far). If a service finds that odd, the service can re-request a
>     user-granted permission or it can block the UA until such permission is
>     granted.
>
>     Consequently, I agree with Matthias that we should not constrain the
>     browser here and allow all kinds of reactions.
>
>     Rigo
>
>     On Friday 13 April 2012 04:02:11 Matthias Schunter wrote:
>     > 5. We nevertheless permit any other behavior of user agents, e.g.,
>     >     a) User agents ignoring the requests for exceptions (while
>     >        returning true or false when the API is called)
>     >     b) User agents returning TRUE for the Javascript call and then
>     >        later still sending DNT;1 (somewhere or everywhere)
>     >     c) User agents using other algorithms to determine whether to
>     >        send DNT;0 or DNT;1 (and for the return value of the API call).
>
>
Received on Friday, 13 April 2012 19:00:14 UTC
