Re: tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking Definitions and Compliance] from Tamir Israel on 2012-06-05 (public-tracking@w3.org from June 2012)

From: Tamir Israel <tisrael@cippic.ca>
Date: Tue, 05 Jun 2012 12:47:09 -0400
To: David Singer <singer@apple.com>
CC: "public-tracking@w3.org protection wg" <public-tracking@w3.org>
Message-ID: <4FCE380D.805@cippic.ca>

Thanks for this.

I think I may still be confused here, and I apologize if I am rehashing 
things that have already been addressed.

My confusion stems from two elements of the spec: how are non-compliant 
signals dealt with, and is there a difference betwen 'non-complaint' and 
'altogether outside the scope of the spec'.

Specifically: What is the process for scenarios where a server deems a 
DNT-1 signal to be non-compliant with the spec where it is deemed to be 
injected by an intermediary? Does this apply equally to DNT-1 signals 
deemed outside the scope of the spec (since they are sent by UA 
default)? Is there a mechanism for UAs and servers to discuss the 
legitimacy of a DNT-1 signal? Is there a UA obligation to notify the 
user that


On 6/4/2012 6:44 PM, David Singer wrote:
>> I'm just trying to understand: A server indicating they respect and have enabled the DNT spec (to Canadian or other users) would have the right to ignore DNT-1 if deemed to have been set by UA default.
> I really would not be happy writing this into the spec.  Anyone implementing a spec. of course can make judgment calls, but I think the spec. should describe what is conformant, and leave it at that.
>
>> >  I see this having different impact between Canada and the EU as 'unset' triggers a different response in each. In EU law, it requires a positive election prior to tracking by servers. whereas Canadian law does not currently appear to require any positive election as a pre-requisite. If this is how it is, it seems a recipe for potential confusion, as CDN users seeing DNT set to 1 in their browser settings will believe they are are DNT-1 enabled though they are not.
> We are very strong on both (a) intermediaries must not change and (b) (partly because old intermediaries sometimes delete headers they don't understand) the ability at the UA to detect what the server thinks it saw, so as to close the loop, so I hope we have enough in place to avert this particular disaster.
>
>> >  
>> >  (others have raised more general concerns for dealing with privacy-friendly UAs, such as: how would a server determine which UA's should be specified as 'rogue' due to a DNT-1 default election; how would a server distinguish between DNT-1 by UA default&  DNT-1 by user election on a 'rogue' UA; how will it be explained to users they must to disregard the DNT-1 by UA default setting on specific UAs, etc.).
> I would say that any server that chooses to ignore a DNT signal is on 'thin ice' and might have 'fun' explaining how they didn't throw out the baby (users who really  intended and wanted the DNT signal) with the bathwater (users who got the DNT signal without realizing it). Personally, I would complain about the UA but respect its signals until it got fixed, but the choice in the face of non-conforming software is always a judgment call -- which is why I would not wish to describe what to do in the spec.

Received on Tuesday, 5 June 2012 16:50:13 UTC