- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Fri, 22 Mar 2013 14:53:35 -0700
- To: Justin Brookman <justin@cdt.org>
- Cc: public-tracking@w3.org
On Mar 22, 2013, at 1:39 PM, Justin Brookman wrote:

> On 3/22/2013 3:42 PM, Ronan Heffernan wrote:
>> Responding to a DNT:1 signal with an acknowledgement that a company follows DNT, and will abide by the restrictions (and permitted uses) therein, is easy. Responding with real-time lookups of whether OOBC exists is quite difficult (in many cases impossible), especially for large-scale systems that use CDNs and other distributed processing, and systems that do not receive technical information required to perform OOBC lookups until after some browsing has already happened.
>
> I just don't understand why these concerns hadn't been raised in the previous two years of discussions (it is possible they have and I was paying less attention to TPE, but if they were, they were resolved to the editors' and chairs' satisfaction). The mandatory response signal has been in the TPE for some time now. I would like to hear from others if feedback is effectively impossible for OOB. In which case, that's an argument that we should get rid of OOB and require implementation of the exception mechanism by user agents (something I had previously been reluctant to do).

I think Alex raised the issue early on and we simply neglected to design for it. There do exist systems that only *use* collected data in essentially offline batch processing, so it is reasonable for a site to say "we are collecting data for all transactions but will only retain and use data from users identified as having previously given consent". I would not suggest using "C" for that. It is a different answer.

Alternatively, we could just make it part of the "3" definition to be that DNT:1 data will not be retained (beyond the minimum period allowed for non-processed raw data) unless agreed to separately by the user under contract. That would be consistent with prior consent overriding DNT.

And, again, whether or not this meets what the user asked by DNT:1 depends entirely on the definition of Do Not Track. If DNT:1 means let me browse anonymously, then sites that can't support anonymous browsing can't comply with DNT. Panel studies should simply require that members in the panel turn off DNT. OTOH, if DNT:1 means do not follow my activity across non-affiliated sites without my prior consent, then it would be sufficient for OOB consent sites to implement DNT by stating that the data will be deleted within X hours if it does not correspond to a user that has consented.

....Roy
Received on Friday, 22 March 2013 21:53:58 UTC