RE: tracking-ISSUE-105: Response header without request header? [Tracking Preference Expression (DNT)]

I agree that it would be optimal to provide implementers with flexibility in the response header. As we have noted, there are other ways for sites/entities to indicate compliance.

Sent from my Windows Phone
________________________________
From: Matthias Schunter
Sent: 1/16/2012 9:01 AM
To: John Simpson
Cc: public-tracking@w3.org
Subject: Re: tracking-ISSUE-105: Response header without request header?    [Tracking Preference Expression (DNT)]

Hi All,


I gave this another thought and I now had the impression that SHOULD
may be sufficient. A wording like:
  If a site receives a  DNT;1 request header,
  then it SHOULD send a DNT response header.
(header details defined elsewhere)

Reasoning:
1. In order to be compliant, a site needs to satisfy the compliance
and DNT specs
2. A  site that is compliant with above wording honors a DNT=1 request
   but may not send a corresponding acknowledgement (for whatever reason)

The result would be that a site sufficiently protects privacy
(according to the compliance spec) while not advertising the fact.
This will make users assume the worst (i.e., that DNT=1 was not honored).

While this is not optimal, it at least ensures that the site provides
more privacy than promised which I believe to be OK from a privacy
perspective.

A benefit of SHOULD is that sites could improve their data
collection/retention/usage first to satisfy the compliance spec and
then later do further upgrades to provide transparency/notice. An
example would be a site that never stores anything while ignoring DNT.
Similar to today's practice that privacy policies usually over-state
the potential uses of the collected data.

What do you think?


Regards,
matthias


On 12/20/2011 9:58 PM, John Simpson wrote:
> Agree that if request header is DNT=1, then a site MUST send a
> response header to be compliant.
>