W3C home > Mailing lists > Public > public-tracking@w3.org > October 2011

Re: Issue-4

From: David Singer <singer@apple.com>
Date: Fri, 28 Oct 2011 15:27:40 -0700
Message-id: <F716CE4F-3458-450B-A19C-E8CF3DB0CC5B@apple.com>
To: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
Thanks to Roy for the dialog.

I think it's worth working out the various scenarios that may happen when intermediate nodes get involved, and what can 'go wrong'.

1) 'Old' (bad) proxies that delete headers they don't understand.  In this circumstance, users may set DNT: 0 or 1, and they will get no response from the server, because their request was deleted, and any pro-active server statement was also deleted.  Correctly, the UA or user deduces that they may well be tracked.

2) 'Helpful' proxies that set DNT even if the user said nothing or even DNT-off.  The users get notice that they are not being tracked (by compliant sites) even when they didnt ask not to be. Again, the UA and user can be aware that 'something is going on'. Also in this case, the user may (depending on what we decide) get signals from various sites that because DNT is on, they need to take some action, or that their browsing is changed in some way. 

3) Proxies that turn DNT off even if the user turned it on, but leave the response.  Again, the users will see the response 'thank you for letting me track you' which is in contradiction to their request, and realize something is afoot.

4) Proxies that turn DNT off, and then 'spoof' the response to pretend to the user that everything is fine.  Done well, the user (apart from maybe realizing that the targeting is working), will be none the wiser.

5) Caches that (incorrectly) cache the response to user A and provide that response to user B.  If the cache is responding, in fact, the tracking is probably not happening (as the actual site is not involved). Users may notice the disparity between their request and the response.  (We could protect against this, at excessive cost, by allowing a nonce string in the request which has to be repeated in the response, but I don't think it's worth it).

In several of these I see clear advantage to a response, and in none a clear advantage to a defined lack of response.


David Singer
Multimedia and Software Standards, Apple Inc.
Received on Friday, 28 October 2011 22:28:15 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:41 UTC