Re: Last Call comment: require public-facing statement of server response policy

Hi Lee,

Thank you for your comments (last June) on the TPE Last Call Working Draft. The Tracking Protection Working Group has discussed each of the issues and proposed resolutions.

Editor Roy Fielding has provided summaries of the responses in each of the tracker issues for the Last Call product; I have provided links below. I would briefly summarize the resolutions as:
* no change, as TPE defines what each TSV means

https://www.w3.org/2011/tracking-protection/track/issues/259
https://lists.w3.org/Archives/Public/public-tracking/2014Sep/0008.html

Please let us know if these changes or explanations resolve your concerns.

Thanks,
Nick Doty, W3C (for the Tracking Protection Working Group)

https://lists.w3.org/Archives/Public/public-tracking-comments/2014Jun/0002.html

> On Jun 17, 2014, at 3:46 PM, Lee Tien <tien@eff.org> wrote:
> 
> To the extent that one objective of the TPE standard is to ensure that a server’s communication of its tracking status value is enforceable under Section 5 of the FTC Act or another similar regulatory regime, the TPE specification should require the server to describe within its privacy policy or other public-facing documents the meaning of its TSV and how the server responds to users’ tracking preferences.
> 
> The Last Call Document already requires an analogous explanation in a similar context.
> 
> "6.2.8 Disregarding (D)
> 
> A tracking status value of D means that the origin server is unable or unwilling to respect a tracking preference received from the requesting user agent. An origin server that sends the D tracking status value must detail within the server's corresponding privacy policy the conditions under which a tracking preference might be disregarded.
> 
> For example, an origin server might disregard the DNT field received from specific user agents (or via specific network intermediaries) that are deemed to be non-conforming, might be collecting additional data from specific source network locations due to prior security incidents, or might be compelled to disregard certain DNT requests to comply with a local law, regulation, or order."
> 
> It therefore appears reasonable and within scope of the TPE specification to require the same level of public, human-readable disclosure as to a server's response policy when it respects a tracking preference.
> 
> Obviously, servers may respond in different ways depending on the nature of the incoming request; the major variations would, in our view, be sufficient. The point is that there must at least be a public representation of the response policy.
> 
> Thanks,
> Lee

Received on Tuesday, 9 June 2015 22:30:11 UTC