
Re: tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking Definitions and Compliance]

From: Dobbs, Brooks <brooks.dobbs@kbmg.com>
Date: Mon, 04 Jun 2012 10:52:31 -0500
To: Rigo Wenning <rigo@w3.org>, <public-tracking@w3.org>
CC: Justin Brookman <justin@cdt.org>, Shane Wiley <wileys@yahoo-inc.com>
Message-ID: <CBF243EF.15CD%brooks.dobbs@kbmg.com>

Great to be working with you again!  Hope you have been well.

To your points, I agree, but I am lost on your conclusion.

I see where there is a requirement that the intermediaries don't inject
headers, but equally I see a big red capital MUST describing that the
expression reflect the user's preference.  Both injecting/modifying the
header or instantiating it (one way or the other) absent a reflection of the
user's preference seem equally non-compliant.

IMHO it sets a very dangerous precedent (no matter where you side on the
desirability of high adoption of DNT: 1) to say 1) the specification is
founded in reflecting preference and, simultaneously, 2) default settings
can reflect this preference.  Isn't this argued very differently with
respect to default browser settings implying consent for cookies in the EU?


On 6/3/12 9:48 AM, "Rigo Wenning" <rigo@w3.org> wrote:

> Hi Brooks, 
> welcome back in the game. We have already discussed a requirement in the
> Specification that intermediaries shouldn't inject stuff. Issue is that the
> server doesn't see that it is an injection as we do not have hashing or some
> such SSL. So by receiving a DNT;1 header, the server has to assume this
> status and by receiving a DNT;0 can assume an exception. In case of
> injections, injecting DNT;1 is creating trouble for the server and injecting
> DNT;0 is creating trouble for the user. This is just a weak point of the
> protocol because of the lacking end-to-end security. We can surely require
> it, but does it buy us anything? I don't know. I would not object if someone
> would come up with a good wording.
> Rigo
> On Friday 01 June 2012 17:56:21 Dobbs, Brooks wrote:
>> New voice here...  I might as well jump right into the controversy.
>> I am not sure there is full consistency here.  I read the spec as saying
>> "Key to that notion of expression is that it must reflect the user's
>> preference".  This seems pretty foundational to me.  Where there is a
>> significant likelihood for the origin server to believe that the
>> expression is not a reflection of the user's preference (either as a 1 or
>> a 0), wouldn't such server be in error to process it accordingly?
>> Conversely to the IE/AVG cases, if hypothetically an ISP were to inject
>> an extension into every DNT header which in the future allowed for an
>> exception, wouldn't the server be in error for always making room for
>> this exception where they know it to be coming from that ISP?
>> -Brooks


Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the
Wunderman Network
(Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com

This email – including attachments – may contain confidential information.
If you are not the intended recipient, do not copy, distribute or act on it.
Instead, notify the sender immediately and delete the message.
Received on Monday, 4 June 2012 17:48:07 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:50 UTC