W3C home > Mailing lists > Public > public-tracking@w3.org > May 2012

Re: Updated Server Response Section of TPE

From: Rigo Wenning <rigo@w3.org>
Date: Tue, 29 May 2012 22:24:54 +0200
To: public-tracking@w3.org, "Roy T. Fielding" <fielding@gbiv.com>
Message-ID: <1543245.iW8ZEx1NLG@hegel.sophia.w3.org>
Hi Roy, 

already in the introduction (5.1), the summary sounds like we have a 
fundamental disagreement on what DNT should do or be..

It says:
The Tracking Protection protocol is designed to be applicable regardless of 
the response from servers that receive the tracking preference expression, 
allowing conformance to be achieved without impacting the operational 
performance of site resources.

This means you assume that a browser can send DNT;1 into the wild and expect 
that to work. I doubt it will work or that anybody can assume anything by 
sending some token to someone. The browser can only be sure if in the 
corresponding response from the server received (e.g. together with the 
200OK message) there is some DNT ACK header. I don't want to teach a legal 
class here, but there is a fundamental difference between sending something 
and a matching message exchange. 

It all burns down to what we call a conforming implementation. A tool that 
blindly sends some DNT;0 or DNT;1 with every request and doesn't do anything 
else isn't good enough IMHO and will also be unable to express consent. I 
also fear that having such tools being conformant is calling for trouble. We 
will have some tools only sending DNT;0 with requests and other tools 
(extensions, local proxies and what have you) that will send DNT;1 
regardless. I don't want those to be conformant implementations. They will 
call themselves DNT and the term is not protected, but the W3C version 
already acquired some renown.

So the server MAY respond is not strong enough. Either it MUST respond (via 
the header) or it MUST respond to the first request or it MUST be bound via 
the semantics in the well-known location for all requests. Perhaps we agree 
and it is only a matter of wording.

Furthermore, there is wording missing that is important for the consent to 
become semantically possible. Namely that when sending DNT;1 and receiving 
t3, the browser can assume that the site does not honor DNT. (and start the 
blocking tools)

Again, the document currently reflects the tracking status as WKL only. I 
already objected to that. If you need a complete re-write of that section  
la sauce Rigo, tell me and I will do it. If a user agent checks the tracking 
status at the well known URI and gets an error, the User Agent still has the 
header. I would even go so far to assert that a header is already in the 
response with the content. And only if there is no header, a UA should make 
the additional round trip to check that WKL. This spares one round trip. 
Aren't the browsers competing on speed anymore?

The header is not a supplement to the tracking status resource. The WKL and 
tracking status resource is an alternative to the header. 

The W3C site has over 50 000 resources in datespace with different ACL that 
will trigger different tracking feedback messages depending on the ACL. A 
WKL would mean that the entire site with tracking status has to be 
reproduced under the WKL. A header is simpler and cleaner. 

If you want to have more tracking status information in a well-known 
location, we may start to talk about reviving P3P. There are nice semantics 
that your tracking status could benefit from, e.g. who is responsible for 
the data processing (data controller), retention times and other useful 
information. But semantically, this is not responding anymore, this is 
announcing a policy. 

Roy, so if you disagree, I think we have to raise an issue so this is 
correctly tracked.

Best, 

Rigo








On Tuesday 22 May 2012 15:47:15 Matthias Schunter wrote:
> Hi Folks,
> 
> Roy has drafted an updated section 5 on server responses. It is posted at:
> 
> http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#respon
> ding
> 
> Please review the update and comment to the mailing list.
> 
> 
> Regards,
> matthias
Received on Tuesday, 29 May 2012 20:25:24 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:28 UTC