Re: Issue-4

Hi Jonathan, 

The people addressed by the DNT-header are the Services (sites). They don't 
know whether some script has set the header and what happened on the user's 
computer or whether somebody pirated all machines on a given DSL network and 
set all their interactions to DNT. The only thing the service sees is:
DNT = unset
DNT = 0
DNT = 1

The service is the final entity to react, whoever injected what on the way of 
the packet from the data subject to the service. And either they honor DNT or 
they don't. If you want to be sure that it was really the user, use SSL. But 
even then, I'm not sure it couldn't be some malware that has set all to DNT.

Consequently, I think that the only valid viewpoint here is whether the HTTP 
request arriving at the service contains a DNT header as mentioned above. This 
is then seen as a user preference (for our purpose/specification even an 
absolute presumption) and triggers (or not) DNT behavior of the service.

Best, 

Rigo

On Wednesday 26 October 2011 12:12:44 Jonathan Mayer wrote:
> A quick technical clarifying point on this - the DNT protocol could
> trivially encode whether an option is explicit or implicit.  We could (not
> saying we should) have five states.
> 
> User has expressed no preference and no intermediary has added a preference
> User has explicitly opted into tracking
> User has explicitly opted out of tracking
> User has expressed no preference, but an intermediary has added a preference
> indicating opt in to tracking
> User has expressed no preference, but an intermediary has added a preference
> indicating opt out of tracking
> 
> Likewise, we could (not saying we should) have corresponding policy for each
> of the states.  (It appears there's near-consensus that no preferences =
> governing law trumps, and I suspect there's near-consensus that there
> should be a very high bar to implicit opt in.)

Received on Wednesday, 26 October 2011 21:20:34 UTC