Re: The Rubber meets the Road - DNT compliance code from Peter Cranstone on 2012-06-13 (public-tracking@w3.org from June 2012)

From: Peter Cranstone <peter.cranstone@gmail.com>
Date: Wed, 13 Jun 2012 17:04:16 -0600
To: <ifette@google.com>
CC: Kevin Smith <kevsmith@adobe.com>, W3 Tracking <public-tracking@w3.org>
Message-ID: <CBFE775F.32EE%peter.cranstone@gmail.com>
Ian,

If you don't want to answer the questions then ignore the thread.

We all don't have Google's resources – for some people who already have
loaded servers your spec adds more cost, load and complexity. And you still
haven't factored in the response. It seems like when anyone calls you out on
something you don't agree with you then it must be there fault.

And as for not understanding how the Web works – well I do. And Google and
the whole Web uses stuff my partner and I invented so we know a thing or two
about Web servers and what it takes to improve the performance of a Web
site.

The spec is brain dead simple – it's either 1 or 0. Case closed on the
browser side.

All your issues remain on the server and you're not even close to shipping
something that can be called compliant. Heck there's not even a browser out
there today that can send a DNT:0 header. So how about you start shipping
something that works vs. calling me out.



Peter
___________________________________
Peter J. Cranstone
720.663.1752


From:  "Ian Fette   (イアンフェッティ)" <ifette@google.com>
Reply-To:  <ifette@google.com>
Date:  Wednesday, June 13, 2012 4:56 PM
To:  Peter Cranstone <peter.cranstone@gmail.com>
Cc:  Kevin Smith <kevsmith@adobe.com>, W3 Tracking <public-tracking@w3.org>
Subject:  Re: The Rubber meets the Road - DNT compliance code

> Peter, 1ms is nothing. There's 86M milliseconds in a day, not to mention that
> that 1ms you measured is probably less than 1ms but getting counted as 1ms due
> to the resolution of the timers available and the fact that if you're actually
> trying to get accurate time, calling "time" is probably more expensive than
> the operations you're timing here.
> 
> Believe me, Google already does parsing of user agents, it has not taken us
> down. So does virtually every large website out there. You are trying to
> create a problem that doesn't exist. Please stop.
> 
> You are actively detracting from this working group getting anything done. You
> have turned this issue into a giant time sink for a number of people who have
> tried time and time again to explain this issue to you. Please either join the
> working group and read up on the history, or move along.
> 
> -Ian
> 
> On Wed, Jun 13, 2012 at 3:22 PM, Peter Cranstone <peter.cranstone@gmail.com>
> wrote:
>> Well it should be interesting to see what happens.
>> 
>> We've now added a time section to our DNT compliance test:
>> http://www.5o9mm.com/mod_dnt_test_1.php
>> 
>> It's about a millisecond to complete the analysis – so you can do the math on
>> a site that gets millions of hits a day. Plus add in the 400 error you're
>> going to send back to the user if they have a non compliant browser.
>> 
>> If you want to kill ad revenue this sure is the way to go about it. Sorry we
>> see you're using MSIE 10, it's non compliant so go get another browser and
>> please come back when you know how to set up DNT correctly.
>> 
>> Again – you win the battle and lose the war. Plus the Ad guys are really
>> pissed (or should be).
>> 
>> 
>> Peter
>> ___________________________________
>> Peter J. Cranstone
>> 720.663.1752 <tel:720.663.1752>
>> 
>> 
>> From:  Kevin Smith <kevsmith@adobe.com>
>> Date:  Wednesday, June 13, 2012 4:16 PM
>> 
>> To:  Peter Cranstone <peter.cranstone@gmail.com>, "ifette@google.com"
>> <ifette@google.com>
>> Cc:  W3 Tracking <public-tracking@w3.org>
>> Subject:  RE: The Rubber meets the Road - DNT compliance code
>> 
>>> That is exactly the point of this discussion.  You are in compliance with
>>> the spec if the spec dictates that a UA is non-compliant if they set DNT on
>>> by default and that you need not comply with a non-compliant UA.
>>>  
>>> Browser wars are unfortunate, but they have been a reality of the web since
>>> the beginning.  This is why standards exist and the way standards are
>>> effective is that wide scale adoption of a standard applies pressure to
>>> those non-compliant to become compliant – especially in cases where
>>> non-standard behavior is not supported by websites.
>>>  
>>>  
>>> 
>>> Kevin Smith  |  Engineering Manager  |  Adobe  |  385.221.1288
>>> <tel:385.221.1288>  |  kevsmith@adobe.com
>>>  
>>> 
>>> From: Peter Cranstone [mailto:peter.cranstone@gmail.com]
>>> Sent: Wednesday, June 13, 2012 3:59 PM
>>> To: Kevin Smith; ifette@google.com
>>> Cc: W3 Tracking
>>> Subject: Re: The Rubber meets the Road - DNT compliance code
>>>  
>>> 
>>> Then you're not complying with the spec to honor a DNT header if your server
>>> supports it.
>>> 
>>>  
>>> 
>>> The spec does NOT distinguish between a default setting made by the OEM and
>>> a setting made by the user. Ergo you cannot distinguish either case on the
>>> server. There should be no case where a browser that supports DNT is ever
>>> rejected because you accused the OEM of making a setting vs. the user.
>>> 
>>>  
>>> 
>>> It will be a PR nightmare. Can you imagine the user saying – heck the Web
>>> site rejected me because I was asking for privacy and it doesn't like the
>>> browser I'm using. Yep, I can just see all the Tier 1 Web sites adopting
>>> that approach.
>>> 
>>>  
>>> 
>>> 
>>> Peter
>>> ___________________________________
>>> Peter J. Cranstone
>>> 720.663.1752 <tel:720.663.1752>
>>> 
>>>  
>>> 
>>> From: Kevin Smith <kevsmith@adobe.com>
>>> Date: Wednesday, June 13, 2012 3:55 PM
>>> To: Peter Cranstone <peter.cranstone@gmail.com>, "ifette@google.com"
>>> <ifette@google.com>
>>> Cc: W3 Tracking <public-tracking@w3.org>
>>> Subject: RE: The Rubber meets the Road - DNT compliance code
>>> 
>>>  
>>>> 
>>>> No, you alert the user that you do not support the DNT setting from their
>>>> browser and recommend that they change browsers if they would like to view
>>>> your site in a DNT supported fashion.  I still get ‘supported browser’
>>>> messages all the time.  It’s a concept nearly as old as the web.
>>>>  
>>>> 
>>>> Kevin Smith  |  Engineering Manager  |  Adobe  |  385.221.1288
>>>> <tel:385.221.1288>  |  kevsmith@adobe.com
>>>>  
>>>> 
>>>> From: Peter Cranstone [mailto:peter.cranstone@gmail.com]
>>>> Sent: Wednesday, June 13, 2012 9:35 AM
>>>> To: ifette@google.com
>>>> Cc: W3 Tracking
>>>> Subject: Re: The Rubber meets the Road - DNT compliance code
>>>>  
>>>> 
>>>> Ian,
>>>> 
>>>>  
>>>> 
>>>> It's the why that's important.
>>>> 
>>>>  
>>>> 
>>>> So riddle me this. You're a DNT compliant server. If you see the DNT flag
>>>> set to 1 on the inbound request you honor it. However if all of a sudden
>>>> you see MSIE 10 UA's what do you do? Reject it because you don't like the
>>>> fact that MSIE set is as the default?
>>>> 
>>>>  
>>>> 
>>>> You see – Microsoft has won the war. If you say you honor it, then you MUST
>>>> accept their header. And if you don't honor DNT then it doesn't matter. The
>>>> spec just got played.
>>>> 
>>>>  
>>>> 
>>>> 
>>>> Peter
>>>> ___________________________________
>>>> Peter J. Cranstone
>>>> 720.663.1752 <tel:720.663.1752>
>>>> 
>>>>  
>>>> 
>>>> From: "Ian Fette (イアンフェッティ)" <ifette@google.com>
>>>> Reply-To: <ifette@google.com>
>>>> Date: Wednesday, June 13, 2012 9:30 AM
>>>> To: Peter Cranstone <peter.cranstone@gmail.com>
>>>> Cc: W3 Tracking <public-tracking@w3.org>
>>>> Subject: Re: The Rubber meets the Road - DNT compliance code
>>>> 
>>>>  
>>>>> Peter, all of DNT requires resources.
>>>>> 
>>>>>  
>>>>> 
>>>>> I don't get where you say there are legal consequences. If you tell the
>>>>> user "I'm not honoring your DNT request because <X>" and you're clear
>>>>> about your practices then you're not breaking any promises.
>>>>> 
>>>>> On Wed, Jun 13, 2012 at 8:28 AM, Peter Cranstone
>>>>> <peter.cranstone@gmail.com> wrote:
>>>>> 
>>>>> Ian,
>>>>> 
>>>>>  
>>>>> 
>>>>> This is a case of win the battle on the forum but lose the war in the real
>>>>> world. It doesn't matter if it's neither hard or complex. The point is
>>>>> that it has to be done, tested and then updated and maintained. That
>>>>> requires resources – not something that everyone can afford to do.
>>>>> 
>>>>>  
>>>>> 
>>>>> Secondly, lets flog the dead horse one more time on "who set the DNT
>>>>> flag". If I have to write code that cannot guarantee 100% accuracy when it
>>>>> comes to this privacy setting AND there are legal consequences of me
>>>>> getting said code wrong (i.e. fines or pissed off customers) then I'm not
>>>>> going to do it.
>>>>> 
>>>>>  
>>>>> 
>>>>> We all know that per the spec that MSIE is not compliant because it sets
>>>>> the flag by default. But what admin in his right mind is going to reject
>>>>> it? If the server is DNT compliant then there is NO downside to MSIE
>>>>> setting the default.
>>>>> 
>>>>>  
>>>>> 
>>>>> We're back to stupid browser wars again and pissing off the customer. Not
>>>>> a good thing.
>>>>> 
>>>>>  
>>>>> 
>>>>>  
>>>>> 
>>>>> 
>>>>> Peter
>>>>> ___________________________________
>>>>> Peter J. Cranstone
>>>>> 720.663.1752 <tel:720.663.1752>
>>>>> 
>>>>>  
>>>>> 
>>>>> From: "Ian Fette (イアンフェッティ)" <ifette@google.com>
>>>>> Reply-To: <ifette@google.com>
>>>>> Date: Wednesday, June 13, 2012 9:22 AM
>>>>> To: Peter Cranstone <peter.cranstone@gmail.com>
>>>>> Cc: W3 Tracking <public-tracking@w3.org>
>>>>> Subject: Re: The Rubber meets the Road - DNT compliance code
>>>>> 
>>>>>  
>>>>>> Many websites already do this -- "serve this JS to this user agent". It
>>>>>> is neither complex nor hard.
>>>>>> 
>>>>>> On Wed, Jun 13, 2012 at 7:44 AM, Peter Cranstone
>>>>>> <peter.cranstone@gmail.com> wrote:
>>>>>> 
>>>>>> All,
>>>>>> 
>>>>>>  
>>>>>> 
>>>>>> There's a lot of questions around a non-compliant UA sending a DNT
>>>>>> header. There's still no definition on the forum or the spec on what
>>>>>> constitutes a non compliant UA, or even who is going to maintain a
>>>>>> "blacklist" of those non-compliant UA's. Finally there's no description
>>>>>> of a message that should be sent back to the consumer indicating that
>>>>>> he's using a non-compliant UA.
>>>>>> 
>>>>>>  
>>>>>> 
>>>>>> So I'm posting a link today of what something might look like running on
>>>>>> a server. The reason this is in PHP is because there are lot of servers
>>>>>> (in the 10's of millions) that cannot suddenly start adding server side
>>>>>> modules that do the detection. So it will all have to be done via a
>>>>>> script.
>>>>>> 
>>>>>>  
>>>>>> 
>>>>>> Think about this for a moment. In the real world server side admins are
>>>>>> going to have to add code to EVERY CGI script to do this. The performance
>>>>>> hit is going to be HUGE.
>>>>>> 
>>>>>>  
>>>>>> 
>>>>>> Here's the link: http://www.5o9mm.com/mod_dnt_test_1.php
>>>>>> 
>>>>>>  
>>>>>> 
>>>>>> We've blacklisted the following browsers:
>>>>>> 
>>>>>>  
>>>>>> 
>>>>>> HTTP_DNT_BLACKLISTED_USER_AGENT_1 = Mozilla/4.0 (compatible; MSIE 7.0;
>>>>>> Windows NT 6.1; Trident/5.0)
>>>>>> 
>>>>>> HTTP_DNT_BLACKLISTED_USER_AGENT_2 = Mozilla/5.0 (compatible; MSIE 9.0;
>>>>>> Windows NT 6.1; Trident/5.0)
>>>>>> 
>>>>>> HTTP_DNT_BLACKLISTED_USER_AGENT_3 = Mozilla/4.0 (compatible; MSIE 7.0;
>>>>>> Windows NT 6.0; Trident/5.0)
>>>>>> 
>>>>>> HTTP_DNT_BLACKLISTED_USER_AGENT_4 = Mozilla/5.0 (compatible; MSIE 9.0;
>>>>>> Windows NT 6.0; Trident/5.0)
>>>>>> 
>>>>>> HTTP_DNT_BLACKLISTED_USER_AGENT_5 = Mozilla/5.0 (Windows NT 6.0;
>>>>>> rv:8.0.1) Gecko/20100101 Firefox/8.0.1
>>>>>> 
>>>>>>  
>>>>>> 
>>>>>> So every time someone hits the Web site we have to run a check. The
>>>>>> request time for this check on our server is:
>>>>>> 
>>>>>>  
>>>>>> 
>>>>>> REQUEST_TIME = 1339597469
>>>>>> 
>>>>>>  
>>>>>> 
>>>>>> For that single page. Now multiply that by every page on your Web site
>>>>>> that is scripted. Ouch.
>>>>>> 
>>>>>>  
>>>>>> 
>>>>>> Now here's where it gets really interesting. Let's say that I'm on the
>>>>>> blacklist. What does the server do? By rights it should abort the entire
>>>>>> request and send a 400 invalid request response back to the user.
>>>>>> 
>>>>>>  
>>>>>> 
>>>>>> So what the heck does the user do now?
>>>>>> 
>>>>>>  
>>>>>> 
>>>>>> If this spec is going to be Trusted and used it has to work in the real
>>>>>> world which is NOT 100% technical. They turn it on (or have it turned on
>>>>>> for them) and they expect magic. They don't expect to be told that there
>>>>>> browser is non-compliant and they can either go get another one or get
>>>>>> tracked.
>>>>>> 
>>>>>>  
>>>>>> 
>>>>>>  
>>>>>> 
>>>>>>  
>>>>>> 
>>>>>> 
>>>>>> Peter
>>>>>> ___________________________________
>>>>>> Peter J. Cranstone
>>>>>> 720.663.1752 <tel:720.663.1752>
>>>>>>  
>>>>>  
>
Received on Wednesday, 13 June 2012 23:04:59 UTC