Re: Modifying a DNT Header (ISSUE-153, ACTION-285)

From: Walter van Holst <walter.van.holst@xs4all.nl>
Date: Wed, 07 Nov 2012 21:51:59 +0100
Message-ID: <509AC9EF.70503@xs4all.nl>
To: public-tracking@w3.org

On 11/7/12 9:18 PM, Shane Wiley wrote:
> As long as 3rd party changes are recorded and sent to the Server for
> assessment (Issue-143).  If 3rd party tools can game DNT (activate it
> with no user interaction and make it appear as if the browser is
> doing this), then I doubt many Servers will ever implement DNT.  This
> is a critical issue that needs to be resolved to the satisfaction of
> both sides of the debate if there is any hope for DNT to be a viable,
> voluntarily implemented, standard.

That requirement is impossible to meet. The UA has no control over
the network between the UA and the server and therefore possibly cannot
even detect such changes, let alone send them to the server for assessment.

A few scenarios:

1) User A uses a Chromebook in an enterprise environment, managed by X.
X has per corporate security policy transparent proxies for all HTTP
traffic that insert DNT:1 for all outgoing HTTP requests, regardless of
User A's preferences.

2) User B uses Chrome on a desktop machine that has an ad-blocking proxy
installed, the Chrome configuration points to 127.0.0.1:8080 as a proxy,
but other than that the UA has no real means to detect that there is a
proxy and what it does. This particular proxy puts in DNT:1, without
even paying attention to the Chrome preferences in this regard.

3) User C uses Chrome in conjunction with an extension that is acquired
from outside Google's extension appstore. The extension leaves the
Chrome DNT preferences untouched, but nonetheless puts in DNT:1 in
outgoing HTTP requests.

How is Chrome going to be compliant with your requirement in any of the
above scenarios, none of which is unlikely to ever happen?

And I don't even think it should be problematic in the above given
scenarios. In scenario 1, User A has to adhere to a corporate policy and
given the business nature of the relationship with X (for example
employer-employee relation), it can be argued that A's preferences are
not relevant and only X's preferences.

In scenarios 2 and 3 the user most likely chose consciously to use these
third party tools and it can be equally argued that the browser
configuration just happens not to reflect the user's informed non-consent
to being tracked and that the third-party tool installation does a
better job at that.

Bottom line: let's honour the principle that the user gets to decide
what happens on his or her machine and not include second guesses of the
user's stated intent in the specification.

Regards,

 Walter
Received on Wednesday, 7 November 2012 20:52:28 UTC
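
Scenarios 1 and 2 from the message above, as an added Python sketch that is not part of the original e-mail: a hypothetical header-rewriting intermediary forces `DNT: 1`, and the result is compared with a request in which the browser set the header itself. All function names, the sample host and user agent, and the normalised (lower-cased, sorted) header serialisation are assumptions made for the illustration.

```python
# Added illustration; every name and request here is constructed, not taken from the thread.

def parse_request(raw: bytes):
    """Parse a raw HTTP/1.1 request head into (request_line, {lowercase-name: value})."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def serialize(request_line: str, headers: dict) -> bytes:
    """Re-emit a request head; header order is normalised to keep the sketch simple."""
    out = [request_line] + [f"{k}: {v}" for k, v in sorted(headers.items())]
    return ("\r\n".join(out) + "\r\n\r\n").encode("ascii")

def build_ua_request(dnt_pref):
    """What the browser itself puts on the wire; dnt_pref None means 'no preference set'."""
    headers = {"host": "example.com", "user-agent": "ExampleUA/1.0"}
    if dnt_pref is not None:
        headers["dnt"] = dnt_pref
    return serialize("GET / HTTP/1.1", headers)

def intermediary_insert_dnt(raw: bytes) -> bytes:
    """The proxy of scenarios 1 and 2: set DNT: 1 regardless of what the UA sent."""
    request_line, headers = parse_request(raw)
    headers["dnt"] = "1"
    return serialize(request_line, headers)

def server_can_distinguish(a: bytes, b: bytes) -> bool:
    """The server only has the bytes that arrive; compare what it can parse from them."""
    return parse_request(a) != parse_request(b)

if __name__ == "__main__":
    browser_set = build_ua_request("1")                            # user enabled DNT in the UA
    proxy_set = intermediary_insert_dnt(build_ua_request(None))    # UA sent no DNT header
    overridden = intermediary_insert_dnt(build_ua_request("0"))    # UA sent DNT: 0
    print("browser-set vs proxy-set distinguishable:",
          server_can_distinguish(browser_set, proxy_set))
    print("browser-set vs overridden distinguishable:",
          server_can_distinguish(browser_set, overridden))
    # The UA's own record of what it sent still shows no DNT header at all.
    print("UA-side view has DNT:", "dnt" in parse_request(build_ua_request(None))[1])
```

The rewrite happens after the request has left the UA, so the UA's record of what it sent never changes and the arriving bytes carry nothing that marks where the header came from.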