
Re: [ISSUE-81, ACTION-13] Response Header Format

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Thu, 20 Oct 2011 04:18:45 +0200
To: David Singer <singer@apple.com>
Cc: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
Message-ID: <glsu97dv81km2844fb6j8ti68s5fg419kk@hive.bjoern.hoehrmann.de>
* David Singer wrote:
>I am not a fan of sending of a "please don't track me" into the void and
>having no idea which sites, if any, are at the moment tracking me.

At the moment it is common to not conduct even the most trivial audits
like "does logging out remove the userid cookie", "does disabling geo
location tracking turn off geo location tracking", or "does the phone
purge data after a week as it should, or does it keep it for years". I
see no reason to assume a "do not track" response would give you any
idea on what's going on if we cannot expect the largest data mining
firms on the planet to discover such obvious problems on their own. It
also seems clear that normal users would have to rely on third party
analysis to get an actual idea of what's going on (what is this site,
what does it do, should I block it, and so on). If you go and find out
about that, you can also take a look at whether their privacy policy
claims they honour the do not track signal.

>I fear that going to the well-known location gets us back into P3P, or
>worse, only human-readable documents describing what's going on.  (And I
>use the phrase "human readable" rather loosely for most privacy policy
>documents :-().

There http://events.ccc.de/camp/2011/wiki/index.php?title=ToS;DR was
an effort earlier this year to make a "crowd-reading hub for those
texts we never read when we sign up on a website." It's defunct now,
but it would have offered a platform where you could get better
information from than your browser telling you one thing or another
about a site's response to the header. What percentage of users
would make good use of any reporting feature here? More than 1 in 1000?

I note that it would be possible to require sending a Link header linking
the "human-readable" privacy policy and require the policy document to
indicate do not track compliance using meta data. You could still
automate the discovery process if need be, and users who would like to
know more about some site's privacy practices would find information more
easily, it avoids the caching problems that come with headers, and odds
are better that any do not track policy will be updated alongside the
rest of the privacy policy if needed, unlike if you separate the two.
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Thursday, 20 October 2011 02:19:23 UTC
