W3C home > Mailing lists > Public > public-tracking@w3.org > April 2013

Re: Moving "C"onsent from Tracking Status to Permitted Use?

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 3 Apr 2013 17:23:29 -0700
Cc: Matthias Schunter <mts-std@schunter.org> (Intel Corporation), "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-Id: <6522C76F-1B81-419B-B33A-581B3232AC07@gbiv.com>
To: David Singer <singer@apple.com>
On Apr 3, 2013, at 2:52 PM, David Singer wrote:

> I have previously preferred distinguishing "who I am" from "how I am operating", and I feel that have C and ! as 'status' indicators rather than qualifiers means that I can no longer tell whether I am interacting with someone who thinks of themselves as a 1st or 3rd party.  So I agree, rather than C or ! as the first character, I think that
> 1C -- first party with consent
> 3C -- third party with consent
> 1!  -- first party under construction
> 3!  -- third party under construction
> seem to make more sense, and be more informative.  As it is, if I get "!" in today's spec I am not able to tell whether the site is trying to construct a 3rd or 1st party experience; similarly for "C".

It is impossible for the receiving server to know who is the first
or the third party in any given interaction.  That knowledge exists
only within the head of the user, and even then only if we assume
the user has a deliberate intention and awareness of the interacting
parties and not simply clicking on links because the pictures are

What an origin server can do is indicate what limitations they adhere
to during (and promise to adhere to after) a given interaction.

Neither "C" nor "!" are qualifiers -- they are the relevant answer
to the tracking status question, in each case.

"C" indicates the server operates with consent and is limited only
by the terms of that consent (whatever those terms may be, which
could be far outside the scope of DNT or even more limited than a 3).
That answer is not in any way orthogonal to 1 and 3.

"!" indicates that the server DOES NOT conform.  Such an answer
cannot in any way shape or form be orthogonal to 1 and 3, both
of which are explicit statements of conformity to a list of
requirements specified in TCS.

There is a reason why I specified it this way.  The answer given
is being portrayed as a statement of business practice from the
party answering to the consumer (and, yes, I do use that term
intentionally here).  As such, it has to be truthful.  And since
there is no possible way for an origin server to make a truthful
statement about the intentions of the user, I cannot implement
a DNT standard that says "I am a first party" without lying to
the consumer.  Period.

Nor do I need to -- the privacy benefits of this protocol are
already accomplished by the design in the spec right now, which
actually can be implemented by origin servers.  If you think not,
then please explain why and we can try to fix that.  Otherwise,
we are certain to not make any progress if we revert to a protocol
that allows trolls to sue a website owner simply by deliberately
crafting pages that make subrequests on resources that are only
designed for first party interaction.

Received on Thursday, 4 April 2013 00:23:56 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:09 UTC