
RE: ACTION-114 ISSUE-107 : Revised response header.

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Thu, 9 Feb 2012 07:54:49 -0800
To: Matthias Schunter <mts@zurich.ibm.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <63294A1959410048A33AEE161379C8023D0C8ACC66@SP2-EX07VS02.ds.corp.yahoo.com>
"While ultimately cookie-based DNT should be replaced by DNT;;-) I see the benefit of cookie-based emulations to allow for quick and cost-efficient adoption."

The majority of online users will be using browsers that do not support the DNT standard for some time (if you look to IE6 as an example, we'll have non-compliant browsers for 5+ years post standard publication).  With this in mind, most organizations will need to develop and support a hybrid system that supports both DNT signals and opt-out cookies for the foreseeable future.

- Shane

-----Original Message-----
From: Matthias Schunter [mailto:mts@zurich.ibm.com] 
Sent: Thursday, February 09, 2012 7:10 AM
To: public-tracking@w3.org
Subject: Re: ACTION-114 ISSUE-107 : Revised response header.

Hi Sean,


On 2/9/2012 3:28 PM, Sean Harvey wrote:
> How is the third party going to know from the DNT:0 that they may only
> collect site specific information? What if the user visits two sites
> consecutively, both of which have site specific exceptions? Might not
> the third party server unknowingly (re)place a cookie on the browser
> when they see DNT:0 and then check that cookie on both site 1 and site
> 2 because they both have DNT-off values? 

This indeed seems to be a challenge: In the extreme, every request
header transmits its own (and maybe different) DNT value (a user agent
may choose to send different DNTs based on sub-site, subdomains or
whatever other criteria).

This is hard to track/emulate with cookies.

Setting opt-out cookies too broadly is no problem from a privacy
perspective (except that it may break things).

Strictly speaking, you can only clear your cookies for the given URL.
If this affects other URLs, it is at your own risk.

However, there is light at the end of the tunnel:
- I believe while it is hard to 100% emulate DNT with cookies, the
  current proposal of the DNT responses allows you to say
  'I believe that I have your opt-in'. If the browser then disagrees,
  it can alert the user or take some other action.

Do I understand correctly that the scenario in your mind is that a
gateway interprets DNT and then sets/removes cookies while all
back-end systems will continue to rely on these cookies?

While ultimately cookie-based DNT should be replaced by DNT;;-) I see
the benefit of cookie-based emulations to allow for quick and
cost-efficient adoption.

If this is the scenario you have in mind, I'd like to raise a separate
issue to discuss this. If not, please clarify.


Regards,
matthias
Received on Thursday, 9 February 2012 15:55:41 UTC
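
The gateway scenario discussed in this thread, as an added example that is not part of the thread or any participant's code: it contrasts an emulation that only updates the browser's stored opt-out cookie with a gateway that rewrites the cookies the back end sees on each request. The cookie names `optout` and `uid`, the function names, the choice to hide the identifier under DNT:1 and the browsing sequence are all assumptions constructed for illustration.

```python
OPT_OUT = "optout"  # hypothetical opt-out cookie name (assumption)
USER_ID = "uid"     # hypothetical identifier cookie name (assumption)

def backend_view(dnt, cookies):
    """Cookies the back end should see for this one request (per-request rewrite)."""
    seen = dict(cookies)
    dnt = dnt.strip() if dnt else None
    if dnt == "1":            # user objects: force opt-out, hide the identifier
        seen[OPT_OUT] = "1"
        seen.pop(USER_ID, None)
    elif dnt == "0":          # exception applies to this request only
        seen.pop(OPT_OUT, None)
    return seen               # no DNT header: stored opt-out cookie decides

def stored_cookie_emulation(requests):
    """Naive emulation: the gateway only updates the browser's jar via
    Set-Cookie, and the back end reads whatever cookie arrived."""
    jar = {USER_ID: "abc"}    # one third-party jar shared across embedding sites
    outcome = []
    for site, dnt in requests:
        tracked = OPT_OUT not in jar          # decided from the cookie as sent
        outcome.append((site, dnt, tracked))
        if dnt == "1":                        # response changes the jar too late
            jar[OPT_OUT] = "1"
        elif dnt == "0":
            jar.pop(OPT_OUT, None)
    return outcome

# Constructed browsing sequence: (embedding site, DNT value sent to the third party)
SAMPLE = [("site1.example", "0"), ("site2.example", "1"),
          ("site1.example", "0"), ("site2.example", "1")]

if __name__ == "__main__":
    for site, dnt, tracked in stored_cookie_emulation(SAMPLE):
        fixed = OPT_OUT not in backend_view(dnt, {USER_ID: "abc"})
        print(f"{site} DNT:{dnt} stored-cookie tracked={tracked} rewrite tracked={fixed}")
```

With the stored cookie alone, the back end's decision always reflects the DNT value of the previous request, so both DNT:1 requests in the sample are tracked and the second DNT:0 request is treated as opted out.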
