
Re: Modifying a DNT Header (ISSUE-153, ACTION-285)

From: David Singer <singer@apple.com>
Date: Mon, 12 Nov 2012 16:05:29 -0800
Cc: Joseph Lorenzo Hall <joe@cdt.org>, Shane Wiley <wileys@yahoo-inc.com>, Walter van Holst <walter.van.holst@xs4all.nl>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-id: <CFC468E9-F2A1-454E-92DB-B4ABD8FD78C9@apple.com>
To: David Wainberg <david@networkadvertising.org>

On Nov 9, 2012, at 10:26 , David Wainberg <david@networkadvertising.org> wrote:

> 
> On 11/9/12 5:09 AM, David Singer wrote:
>> On Nov 8, 2012, at 15:44 , Joseph Lorenzo Hall <joe@cdt.org> wrote:
>> 
>>> Shane is this as easy as inserting a field that says what UA set DNT?
>> That's already there.  It is the UA identified.
>> 
>> Guys, this is a rat-hole.  We already say what we need to say: that a DNT header present in an HTTP request must reflect the intent of the user.  That is the functional rule we need, and we don't need to dig into the myriad ways to construct systems that end up putting it there.
>> 
>> 
> But what do we do about software that just doesn't care that the spec says that? Are you saying a UA should unquestioningly do whatever some other piece of software tells it? (just like Ron Burgundy will read whatever's on the teleprompter?)

Not quite.  Neither end can completely guard against rogues at the other end, because we are talking about a protocol that expresses something about a maintained state.  Rogue sites that track and say they're not tracking are equally problematic, for example.

I don't see how writing more rules helps us with software that doesn't want to obey rules, and I see a real danger.  If we write rules about say end-points (UAs) and proxies, and then someone writes something that they claim is neither (e.g. they claim it is a 'firewall' or 'relay' or 'plugin') and we have written no rules about it, they might feel they are off the hook.  Whereas if we write the rules to say that under all circumstances, the DNT signal must reflect the user's intent, no-one is off the hook under any imagined, possible, existing, or future architecture.  We can look at signals, and say, for example "look, here is an HTTP header going in with no DNT, and coming out saying DNT:0, and you don't even know who the user IS, let alone their intent!" and they are flat-out not compliant, whether this was a UA plugin, an OS add-on, a proxy, firewall, relay, gateway, or carrier pigeon.

On your second question, my *advice* would be for software to obey the signal while you complain like hell about the mis-behaving agent.  That is, you behave better than the other end in terms of the interaction, but fix it up by getting the software fixed, if possible.  I'd be anxious about throwing out the valid with the invalid, for example.  I also see the DNT signal as a way to avoid the deadly downward spirals we sometimes see on the 'net, where we see measure/counter-measure spirals downward.  But this is general advice -- like being in a group, that the only way I know to maintain civility is if everyone feels they are being nicer to other people than people are being to them. :-)  I realize that lots of questions arise -- for how long? how nice do I need to be? do I have a way to communicate my unhappiness with their non-compliance?  will they ever fix it?  and so on...





David Singer
Multimedia and Software Standards, Apple Inc.
Received on Tuesday, 13 November 2012 00:06:02 UTC
