Re: The Rubber meets the Road - DNT compliance code from Peter Cranstone on 2012-06-13 (public-tracking@w3.org from June 2012)

From: Peter Cranstone <peter.cranstone@gmail.com>
Date: Wed, 13 Jun 2012 15:59:17 -0600
To: Kevin Smith <kevsmith@adobe.com>, "ifette@google.com" <ifette@google.com>
CC: W3 Tracking <public-tracking@w3.org>
Message-ID: <CBFE68A0.32AB%peter.cranstone@gmail.com>
Then you're not complying with the spec to honor a DNT header if your server
supports it.

The spec does NOT distinguish between a default setting made by the OEM and
a setting made by the user. Ergo you cannot distinguish either case on the
server. There should be no case where a browser that supports DNT is ever
rejected because you accused the OEM of making a setting vs. the user.

It will be a PR nightmare. Can you imagine the user saying – heck the Web
site rejected me because I was asking for privacy and it doesn't like the
browser I'm using. Yep, I can just see all the Tier 1 Web sites adopting
that approach.


Peter
___________________________________
Peter J. Cranstone
720.663.1752


From:  Kevin Smith <kevsmith@adobe.com>
Date:  Wednesday, June 13, 2012 3:55 PM
To:  Peter Cranstone <peter.cranstone@gmail.com>, "ifette@google.com"
<ifette@google.com>
Cc:  W3 Tracking <public-tracking@w3.org>
Subject:  RE: The Rubber meets the Road - DNT compliance code

> No, you alert the user that you do not support the DNT setting from their
> browser and recommend that they change browsers if they would like to view
> your site in a DNT supported fashion.  I still get ‘supported browser’
> messages all the time.  It’s a concept nearly as old as the web.
>  
> 
> Kevin Smith  |  Engineering Manager  |  Adobe  |  385.221.1288 |
> kevsmith@adobe.com
>  
> 
> From: Peter Cranstone [mailto:peter.cranstone@gmail.com]
> Sent: Wednesday, June 13, 2012 9:35 AM
> To: ifette@google.com
> Cc: W3 Tracking
> Subject: Re: The Rubber meets the Road - DNT compliance code
>  
> 
> Ian,
> 
>  
> 
> It's the why that's important.
> 
>  
> 
> So riddle me this. You're a DNT compliant server. If you see the DNT flag set
> to 1 on the inbound request you honor it. However if all of a sudden you see
> MSIE 10 UA's what do you do? Reject it because you don't like the fact that
> MSIE set is as the default?
> 
>  
> 
> You see – Microsoft has won the war. If you say you honor it, then you MUST
> accept their header. And if you don't honor DNT then it doesn't matter. The
> spec just got played.
> 
>  
> 
> 
> Peter
> ___________________________________
> Peter J. Cranstone
> 720.663.1752
> 
>  
> 
> From: "Ian Fette (イアンフェッティ)" <ifette@google.com>
> Reply-To: <ifette@google.com>
> Date: Wednesday, June 13, 2012 9:30 AM
> To: Peter Cranstone <peter.cranstone@gmail.com>
> Cc: W3 Tracking <public-tracking@w3.org>
> Subject: Re: The Rubber meets the Road - DNT compliance code
> 
>  
>> Peter, all of DNT requires resources.
>> 
>>  
>> 
>> I don't get where you say there are legal consequences. If you tell the user
>> "I'm not honoring your DNT request because <X>" and you're clear about your
>> practices then you're not breaking any promises.
>> 
>> On Wed, Jun 13, 2012 at 8:28 AM, Peter Cranstone <peter.cranstone@gmail.com>
>> wrote:
>> 
>> Ian,
>> 
>>  
>> 
>> This is a case of win the battle on the forum but lose the war in the real
>> world. It doesn't matter if it's neither hard or complex. The point is that
>> it has to be done, tested and then updated and maintained. That requires
>> resources – not something that everyone can afford to do.
>> 
>>  
>> 
>> Secondly, lets flog the dead horse one more time on "who set the DNT flag".
>> If I have to write code that cannot guarantee 100% accuracy when it comes to
>> this privacy setting AND there are legal consequences of me getting said code
>> wrong (i.e. fines or pissed off customers) then I'm not going to do it.
>> 
>>  
>> 
>> We all know that per the spec that MSIE is not compliant because it sets the
>> flag by default. But what admin in his right mind is going to reject it? If
>> the server is DNT compliant then there is NO downside to MSIE setting the
>> default.
>> 
>>  
>> 
>> We're back to stupid browser wars again and pissing off the customer. Not a
>> good thing.
>> 
>>  
>> 
>>  
>> 
>> 
>> Peter
>> ___________________________________
>> Peter J. Cranstone
>> 720.663.1752 <tel:720.663.1752>
>> 
>>  
>> 
>> From: "Ian Fette (イアンフェッティ)" <ifette@google.com>
>> Reply-To: <ifette@google.com>
>> Date: Wednesday, June 13, 2012 9:22 AM
>> To: Peter Cranstone <peter.cranstone@gmail.com>
>> Cc: W3 Tracking <public-tracking@w3.org>
>> Subject: Re: The Rubber meets the Road - DNT compliance code
>> 
>>  
>>> Many websites already do this -- "serve this JS to this user agent". It is
>>> neither complex nor hard.
>>> 
>>> On Wed, Jun 13, 2012 at 7:44 AM, Peter Cranstone <peter.cranstone@gmail.com>
>>> wrote:
>>> 
>>> All,
>>> 
>>>  
>>> 
>>> There's a lot of questions around a non-compliant UA sending a DNT header.
>>> There's still no definition on the forum or the spec on what constitutes a
>>> non compliant UA, or even who is going to maintain a "blacklist" of those
>>> non-compliant UA's. Finally there's no description of a message that should
>>> be sent back to the consumer indicating that he's using a non-compliant UA.
>>> 
>>>  
>>> 
>>> So I'm posting a link today of what something might look like running on a
>>> server. The reason this is in PHP is because there are lot of servers (in
>>> the 10's of millions) that cannot suddenly start adding server side modules
>>> that do the detection. So it will all have to be done via a script.
>>> 
>>>  
>>> 
>>> Think about this for a moment. In the real world server side admins are
>>> going to have to add code to EVERY CGI script to do this. The performance
>>> hit is going to be HUGE.
>>> 
>>>  
>>> 
>>> Here's the link: http://www.5o9mm.com/mod_dnt_test_1.php
>>> 
>>>  
>>> 
>>> We've blacklisted the following browsers:
>>> 
>>>  
>>> 
>>> HTTP_DNT_BLACKLISTED_USER_AGENT_1 = Mozilla/4.0 (compatible; MSIE 7.0;
>>> Windows NT 6.1; Trident/5.0)
>>> 
>>> HTTP_DNT_BLACKLISTED_USER_AGENT_2 = Mozilla/5.0 (compatible; MSIE 9.0;
>>> Windows NT 6.1; Trident/5.0)
>>> 
>>> HTTP_DNT_BLACKLISTED_USER_AGENT_3 = Mozilla/4.0 (compatible; MSIE 7.0;
>>> Windows NT 6.0; Trident/5.0)
>>> 
>>> HTTP_DNT_BLACKLISTED_USER_AGENT_4 = Mozilla/5.0 (compatible; MSIE 9.0;
>>> Windows NT 6.0; Trident/5.0)
>>> 
>>> HTTP_DNT_BLACKLISTED_USER_AGENT_5 = Mozilla/5.0 (Windows NT 6.0; rv:8.0.1)
>>> Gecko/20100101 Firefox/8.0.1
>>> 
>>>  
>>> 
>>> So every time someone hits the Web site we have to run a check. The request
>>> time for this check on our server is:
>>> 
>>>  
>>> 
>>> REQUEST_TIME = 1339597469
>>> 
>>>  
>>> 
>>> For that single page. Now multiply that by every page on your Web site that
>>> is scripted. Ouch.
>>> 
>>>  
>>> 
>>> Now here's where it gets really interesting. Let's say that I'm on the
>>> blacklist. What does the server do? By rights it should abort the entire
>>> request and send a 400 invalid request response back to the user.
>>> 
>>>  
>>> 
>>> So what the heck does the user do now?
>>> 
>>>  
>>> 
>>> If this spec is going to be Trusted and used it has to work in the real
>>> world which is NOT 100% technical. They turn it on (or have it turned on for
>>> them) and they expect magic. They don't expect to be told that there browser
>>> is non-compliant and they can either go get another one or get tracked.
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  
>>> 
>>> 
>>> Peter
>>> ___________________________________
>>> Peter J. Cranstone
>>> 720.663.1752 <tel:720.663.1752>
>>>  
>>
Received on Wednesday, 13 June 2012 21:59:56 UTC