- From: Nicholas Doty <npdoty@w3.org>
- Date: Fri, 20 Jan 2012 18:14:57 -0800
- To: Roy T. Fielding <fielding@gbiv.com>
- Cc: David Singer <singer@apple.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>

On Jan 13, 2012, at 5:10 PM, Roy T. Fielding wrote:

> On Jan 13, 2012, at 2:41 PM, David Singer wrote:
>
>> In reading a separate thread, I realized that there is a potential issue here over DNT:0.
>>
>> A little while back we discussed whether the UA should send a DNT header to the first party. A number of us argued that it should, even if the first party is exempt: because the first party may care that its third parties are being asked not to track - it might ask for payment in consequence, for example.
>>
>> This argument relies on the assumption that DNT is a single 'big switch', either on or off, but the discussion around DNT:0 reveals that people think it may be OK for the UA to send DNT:1 to some sites, and DNT:0 to others.
>
> Yes, that discussion is why I defined it as a big switch "on" with
> configurable exceptions to off.
>
> In that case, DNT: 0 is only received when the switch is on for
> others, which is as much information that the user agent can send
> to the first party without compromising its own configuration.
> But that only works as notification to first-parties if UAs do not
> implement a global switch with which the user can explicitly
> turn DNT off for all sites.

If a user has Do Not Track enabled with a few exceptions (through the site-specific exceptions proposal, say), I would expect that on initiating a new page load of example.com DNT:1 is sent in the request to example.com, even if the browser has some exceptions for trackers on example.com.

-- because the user agent doesn't know which domains resources referred to in the response HTML will be
-- because the user wants example.com to follow the limits on 1st parties (probably something like: don't share the information of this visit with arbitrary third parties)
-- because the user might want to give a general expression of not wanting to be tracked, which the first party could choose to act on
-- because the site might want to know that their third parties may be receiving DNT:1 (though aren't necessarily).

> Until Wednesday, nobody had suggested that browsers would implement
> an off switch. I'd like to know if WebKit will do that.

I can't speak for any browser vendors, but setting all requests to DNT:0 certainly seems like a plausible use case. Maybe I'm a European and I affirmatively want tracking by third parties while browsing so that advertising is likely to be more relevant to me.

>> So what, then, does the first party get? DNT:1 if any third party is getting DNT:1, else DNT:0 if all are getting DNT:0? An average of the DNT values :-) DNT:0.7 ??!
>
> The first party would get DNT 0 if an explicit exception exists.
> That does not tell the first party which, if any, of its
> subrequest partners might receive DNT 1 instead. It only alerts
> them to the potential.

I think the first party's receiving DNT:1 can signal to them that other parties may be receiving DNT:1. And the first party's JavaScript can use APIs to determine which third parties are receiving that signal, if that level of detail matters to them.

>> Am I, as a UA, allowed to mix non-DNT requests into the mix?
>
> Not as currently defined.

I'm not sure I understand what David's original question was here. I would think the spec should allow user agents to determine when to send DNT requests and when not to, which could include mixing DNT:1, DNT:0 and unspecified requests during the course of browsing. I would expect most implementations (at least initially) to send DNT:1 for all requests.

—Nick
Received on Saturday, 21 January 2012 02:15:25 UTC