
Re: Today's call: summary on user agent compliance

From: Rigo Wenning <rigo@w3.org>
Date: Mon, 11 Jun 2012 09:32 +0200
To: Tamir Israel <tisrael@cippic.ca>
Cc: ifette@google.com, Shane Wiley <wileys@yahoo-inc.com>, Jeffrey Chester <jeff@democraticmedia.org>, Ninja Marnau <nmarnau@datenschutzzentrum.de>, Bjoern Hoehrmann <derhoermi@gmx.net>, David Singer <singer@apple.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <3671006.PBzHqxvi6Z@hegel.sophia.w3.org>
Tamir, 

we have some logic breaks in the below and that leads to the 
Canadian issue, which is IMHO just an instance of a larger problem.

On Friday 08 June 2012 22:56:20 Tamir Israel wrote:
> The similarities in regime break down, however, where a server
> rejects a  DNT-1 (because it was set by default), and there is no
> alternate mechanism left for the user to opt-out. As the server
> can no longer rely on implicit/opt-out consent in this case,
> presumably they can no longer track.

Again, a protocol can't mean that a service MUST respect the things 
in the compliance specification without having committed to it by 
sending ACK. To get to a situation you describe above in the 
Canadian system, a law would have to oblige services to respect 
DNT:1 and apply the rules of the compliance specification for all 
and every request they get with a DNT:1 header. I can't read that 
into the Canadian law.

One can only come to this conclusion if DNT:1 is only applied to 
online behavioral advertisement by third parties. Roy has urged us 
many times to define tracking in this way and the WG consistently 
refused. 

One consequence of this refusal is that a DNT:1 header can be sent 
to almost anything. This would turn off single-sign-on and other 
personalized services. So a service must be able to deny DNT:1 if 
the service would not make sense in the DNT:1 mode.

Additionally, the right to opt-out does not create a right to 
receive the content. So in a Canadian context, if a service does not 
offer an opt-out, it can still deny content delivery. What a service 
wouldn't be able to do is to just continue tracking as if nothing 
happened. 

Now if a user has sent DNT:1 and the service responds with NACK and 
the user continues to use that service, the service can reasonably 
assume that the user has implicitly agreed not to opt out. If the 
user still sends DNT:1 headers, the OPC has to decide whether it 
wants the service to trigger an exception in the face of the user to 
stop the non-interaction of two blind-deaf DNT implementations. 

Which brings me to the point (which ISSUE should I attach it to?) 
that a compliant user agent SHOULD NOT resend a request with DNT:1 
to a URI after having received an NACK. (Some may want to prompt the 
user, others will find better solutions)

Best, 

Rigo
Received on Monday, 11 June 2012 07:32:42 UTC
