Re: [ISSUE-81, ACTION-13] Response Header Format

On Oct 19, 2011, at 19:18 , Bjoern Hoehrmann wrote:

> * David Singer wrote:
>> I am not a fan of sending of a "please don't track me" into the void and
>> having no idea which sites, if any, are at the moment tracking me.
> 
> At the moment it is common to not conduct even the most trivial audits
> like "does logging out remove the userid cookie", "does disabling geo
> location tracking turn off geo location tracking", or "does the phone
> purge data after a week as it should, or does it keep it for years". I
> see no reason to assume a "do not track" response would give you any
> idea on what's going on if we cannot expect the largest data mining
> firms on the planet to discover such obvious problems on their own. It
> also seems clear that normal users would have to rely on third party
> analysis to get an actual idea of what's going on (what is this site,
> what does it do, should I block it, and so on). If you go and find out
> about that, you can also take a look at whether their privacy policy
> claims they honour the do not track signal.

I think you are allowing your pessimism to run too far. Strictly, logging out means I can't do anything I'd need to log in to do; it doesn't strictly mean 'forget me'.  But if a site responds "I am not tracking you in this transaction" and it later transpires that it was, that's pretty useful.

> I note that would be possible to require sending a Link header linking
> the "human-readable" privacy policy and require the policy document to
> indicate do not track compliance using meta data.

I don't have any problem with standardizing a location for a privacy policy (human-, machine-, or un- readable :-(), but I think it's out of scope of this activity.

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Thursday, 20 October 2011 18:25:37 UTC
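The two ideas argued over above, a response that states whether the site is tracking this transaction and a Link header pointing at the privacy policy, can be turned into a small audit record on the client side, so that a later finding ("it transpires that it was tracking") can be checked against what the site claimed at the time. The following Python is an added example written for this page, not code from the working group or from either author, and the thread settles no header format: the `Tracking-Status` response header with values `N`/`T`, and the `privacy-policy` link relation, are assumptions made up for illustration. Only the Link header syntax (RFC 8288) is a real standard; the sample responses are constructed.

```python
"""Record what a site's response claims about tracking, for later auditing.

Assumed (hypothetical, not from the thread or any spec):
  - a 'Tracking-Status' response header whose value is 'N' (not tracking
    in this transaction) or 'T' (tracking);
  - a Link header entry with rel="privacy-policy" pointing at the policy.
Real: the Link header grammar from RFC 8288, parsed below.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urljoin

# link-param: ';' name '=' ( quoted-string | token )
_PARAM_RE = re.compile(r';\s*([A-Za-z0-9*_-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;,\s]+)')
_TARGET_RE = re.compile(r'<([^>]*)>(.*)', re.S)


def _split_links(value: str) -> list[str]:
    """Split a Link header on commas that are outside <...> and quotes."""
    parts, cur, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch == '<' and not quoted:
            depth += 1
        elif ch == '>' and not quoted:
            depth -= 1
        if ch == ',' and not quoted and depth == 0:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_link_header(value: str) -> list[tuple[str, dict[str, str]]]:
    """Return (target, params) pairs; the first occurrence of a param wins."""
    links = []
    for part in _split_links(value):
        m = _TARGET_RE.match(part)
        if not m:
            continue  # malformed link-value: skip rather than guess
        params: dict[str, str] = {}
        for pm in _PARAM_RE.finditer(m.group(2)):
            name, val = pm.group(1).lower(), pm.group(2)
            if val.startswith('"'):
                val = val[1:-1].replace('\\"', '"')
            params.setdefault(name, val)
        links.append((m.group(1), params))
    return links


@dataclass
class AuditRecord:
    origin: str
    dnt_sent: bool
    tracking_claim: Optional[str]   # 'not-tracking', 'tracking', 'unknown' or None (silent)
    policy_url: Optional[str]       # absolute URL of the linked privacy policy, if any


def audit_response(origin: str, request_headers: dict, response_headers: dict) -> AuditRecord:
    """Build the record a user agent could keep for each origin it talked to."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    dnt_sent = req.get('dnt', '').strip() == '1'
    claim = None
    status = resp.get('tracking-status')          # hypothetical header
    if status is not None:
        claim = {'N': 'not-tracking', 'T': 'tracking'}.get(status.strip().upper(), 'unknown')
    policy = None
    for target, params in parse_link_header(resp.get('link', '')):
        if 'privacy-policy' in params.get('rel', '').lower().split():  # hypothetical rel
            policy = urljoin(origin, target)
            break
    return AuditRecord(origin, dnt_sent, claim, policy)


def claim_contradicted(record: AuditRecord, observed_tracking: bool) -> bool:
    """True when the site said 'not tracking' but tracking was later observed."""
    return record.tracking_claim == 'not-tracking' and observed_tracking


# Constructed sample exchanges (origins and headers are made up for this example).
SAMPLE = {
    "https://example-a.test": ({"DNT": "1"},
        {"Tracking-Status": "N",
         "Link": '</privacy>; rel="privacy-policy", <https://cdn.example-a.test/s.css>; rel=stylesheet'}),
    "https://example-b.test": ({"DNT": "1"}, {"Tracking-Status": "T"}),
    "https://example-c.test": ({"DNT": "1"},
        {"Link": '<https://example-c.test/about/privacy>; rel="privacy-policy"'}),
}

if __name__ == "__main__":
    for origin, (rq, rs) in SAMPLE.items():
        print(audit_response(origin, rq, rs))
```

A silent site (no status header at all) is recorded as `None` rather than treated as a "not tracking" claim, which is the distinction Bjoern's point turns on: the record only becomes useful when a site has actually asserted something that a later audit can contradict.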