
RE: [ISSUE-81, ACTION-13] Response Header Format

From: Amy Colando (LCA) <acolando@microsoft.com>
Date: Fri, 21 Oct 2011 18:04:57 +0000
To: David Singer <singer@apple.com>, "public-tracking@w3.org Group WG" <public-tracking@w3.org>
Message-ID: <58271C264AD16547AC61CAFA53FBEAF934EBE5A3@TK5EX14MBXC136.redmond.corp.microsoft.com>
I did not understand Roy to be saying that there are multiple definitions of tracking.  Instead, I think he is saying that rather than sending multiple technical responses that are not visible to the user and potentially cause technical issues for server-side implementation, it would be much more useful to the end user to have a simple statement by the site/service in a single location that "I comply with DNT standard, unless I have gotten your consent to do otherwise."  Depending on what we agree for a standard, that compliance might mean "If I'm a first party, I do nothing different as set forth in standard" or it might mean that "If I'm a third party, when I receive DNT signal I will not do X, Y and Z as set forth in standard."  

-----Original Message-----
From: public-tracking-request@w3.org [mailto:public-tracking-request@w3.org] On Behalf Of David Singer
Sent: Friday, October 21, 2011 10:44 AM
To: public-tracking@w3.org Group WG
Subject: Re: [ISSUE-81, ACTION-13] Response Header Format

On Oct 20, 2011, at 17:25 , Roy T. Fielding wrote:

> On Oct 20, 2011, at 11:17 AM, David Singer wrote:
>> I think you are allowing your pessimism to run too far. Strictly, logging out means I can't do anything I'd need to log in to do; it doesn't strictly mean 'forget me'.  But if a site responds "I am not tracking you in this transaction" and it later transpires that it was, that's pretty useful.
> DNT does not mean "forget me".  If the server responds positively to 
> DNT, it means that it won't track the user beyond its own branded 
> sites (and presumably won't share the internal data collection with 
> third parties unless the user requested it for some other reason, like 
> by purchasing something with a credit card).  Please do not confuse 
> DNT with private browsing mode.  Whatever a server might say in 
> response, it won't be understandable without a full policy description.
> And the response is not just a few bytes.  It is a few bytes for every 
> single resource for which we indicate a response is needed, every time 
> those resources are accessed.  A typical site embeds dozens of such 
> requests per page.
> In contrast, a well-known location can represent exactly how the site 
> as a whole tracks, provide information specific to that user (such as 
> a link to where they can see and edit the data collected), only needs 
> to be requested once per site, and only by those browsers specifically 
> configured to do so.  It thus has no performance impact whatsoever and 
> does not require any modification to the existing code that implements 
> all of today's operating websites.

I think you are saying two things here I disagree with, but I am going to re-state them in case I misunderstand you, and then if I have, the disagreement can be ignored.
A - it's OK to add a DNT header to every request, but it's unacceptable overhead to add it to every response.
B - the definition of 'track' and specifically 'not track' may vary site-by-site, so what it means will have to be expressed in a privacy policy on each site, and a response header cannot capture those nuances.
C - it's OK for users and user-agents to make changes to handle DNT, but not acceptable for those (the sites) who are tracking and benefiting from tracking.

A seems strange; requests are generally smallish, whereas responses are typically reasonably large.  "DNT: 1,xxxxx" is quite a bit smaller than the average URL in a request, and much smaller than any HTML fragment, image, etc. that might be in a response.  Even 1x1.gif is 43 bytes according to Wikipedia.

B will take a little more to discuss.  

I used to be involved in Rights Expression Languages, where the debate was essentially about whether a formal language could capture all the nuance of what might vary in the rights being transferred in (for the most part) a purchase transaction.  What was not discussed was whether the average consumer was prepared to have the rights acquired vary both in space (between different sites) and in time (different purchases on the same site).  The answer seems to be 'no', that when consumers think they have 'bought something' they want a pretty static and universal understanding of what they have bought.

Now, in the case of Rights Expressions, we're talking about sites that (a) the user chose to visit, and (b) with which they chose to have a transaction.

In the case of DNT, for 3rd-party sites, neither of these is true.  I therefore believe that it is paramount that what 'no track' means be something that is defined in the specification we are writing, and does NOT vary from site to site or over time within a given site.  If sites are at liberty to define 'not track' however they please, I think we will have achieved nothing.

C - it seems to me that the work in building the databases, correlation engines, input processing (e.g. from the URL and first party) and so on, that are involved in tracking users is vastly larger than processing the DNT header, and responding with a clear and accurate indication of what the site is doing in response.

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Friday, 21 October 2011 18:05:26 UTC
