W3C home > Mailing lists > Public > public-tracking@w3.org > June 2012

Re: tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking Definitions and Compliance]

From: David Singer <singer@apple.com>
Date: Mon, 04 Jun 2012 15:44:31 -0700
Message-id: <23A47468-A86A-47A1-852C-10E02D8A705D@apple.com>
To: "public-tracking@w3.org protection wg" <public-tracking@w3.org>

On Jun 4, 2012, at 15:34 , Tamir Israel wrote:

> Thanks kindly for this.
> On 6/4/2012 4:43 PM, Roy T. Fielding wrote:
>> Please understand that a server would not be required to ignore
>> an invalid DNT field -- they just have the right to because the
>> protocol exchange is invalid.  Furthermore, the result of ignoring
>> the invalid field is to fall back to the current state of
>> "no preference" being expressed.  Hence, there would be no impact
>> on Canadian or EU laws, nor would it change a server's obligation
>> to comply with those laws in the absence of DNT.
>> ....Roy
> I really do not wish to interfere with agreements of the working group that have already been made, and I appreciate the merits of the 'no default under any circumstances' compromise described here.
> I'm just trying to understand: A server indicating they respect and have enabled the DNT spec (to Canadian or other users) would have the right to ignore DNT-1 if deemed to have been set by UA default.

I really would not be happy writing this into the spec.  Anyone implementing a spec. of course can make judgment calls, but I think the spec. should describe what is conformant, and leave it at that. 

> I see this having different impact between Canada and the EU as 'unset' triggers a different response in each. In EU law, it requires a positive election prior to tracking by servers. whereas Canadian law does not currently appear to require any positive election as a pre-requisite. If this is how it is, it seems a recipe for potential confusion, as CDN users seeing DNT set to 1 in their browser settings will believe they are are DNT-1 enabled though they are not.

We are very strong on both (a) intermediaries must not change and (b) (partly because old intermediaries sometimes delete headers they don't understand) the ability at the UA to detect what the server thinks it saw, so as to close the loop, so I hope we have enough in place to avert this particular disaster.

> (others have raised more general concerns for dealing with privacy-friendly UAs, such as: how would a server determine which UA's should be specified as 'rogue' due to a DNT-1 default election; how would a server distinguish between DNT-1 by UA default & DNT-1 by user election on a 'rogue' UA; how will it be explained to users they must to disregard the DNT-1 by UA default setting on specific UAs, etc.).

I would say that any server that chooses to ignore a DNT signal is on 'thin ice' and might have 'fun' explaining how they didn't throw out the baby (users who really  intended and wanted the DNT signal) with the bathwater (users who got the DNT signal without realizing it). Personally, I would complain about the UA but respect its signals until it got fixed, but the choice in the face of non-conforming software is always a judgment call -- which is why I would not wish to describe what to do in the spec.

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Monday, 4 June 2012 22:45:01 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:50 UTC