
Re: What are the Response Header and Well-Known Resource for?

From: David Singer <singer@apple.com>
Date: Thu, 23 Aug 2012 16:03:42 -0700
Message-id: <38602A9E-4FD0-42B6-BB34-8DDE51B6871D@apple.com>
To: "public-tracking@w3.org WG" <public-tracking@w3.org>
Following up to my own email (I know, bad idea), I have tried to intersperse some answers to the questions.  Some are currently un-answerable, I think.  The answers reflect the current text and status (as of today), not anything I am proposing or suggesting.

(WKR == well-known-resource)

On Jul 31, 2012, at 15:49 , David Singer <singer@apple.com> wrote:

> Friends
> I would like to suggest we include an informative section in the specification of questions that a user/user-agent might have about 'what's going on with my DNT requests', and how the response header and/or well-known resource (or some other mechanism) provide answers. This is kinda like a FAQ that UAs might have for sites.
> For each of these questions, we can decide to use the header, the WKR, or some other mechanism, or a combination of tools.  I think that the static ones naturally lend themselves to the WKR, and we tentatively said that if your status (1st/3rd) changes, a header will alert you.  
> I am sure I missed a few questions, these are off the top of my head. Can I suggest we assemble this list, and then we can decide on the best proposed answers to the questions, and make the set of questions+answers into an informative section?
> I have divided my questions into categories (static, personal interaction, and dynamic).
> (Note that enquiries to the WKR are required to be un-tracked under all circumstances.)
> static questions
> 1. Does this site implement or recognize DNT at all?  

If the well-known resource exists, yes, the site recognizes the DNT header.

> 2. If so, does it claim compliance?

The main tracking-status of the WKR is the indication of the claimed compliance.

> 3. Is this site part of a larger 'party' of affiliated sites that share information? Who is the main party and/or master site?

Sites in the same party are designated using the same-party part of the WKR.  The 'master site' is not currently identified. [possible problem]

> 4. Does this party ever claim 'permissions'?  Particularly, is it claiming the 'agent of 1st party' permission?

The track status qualifiers will match whatever permissions the compliance document specifies, and the presence of a qualifier on the Tk header or WKR tracking-status indicates a claim of a permission.

There is currently no out-sourcing indication in either the tracking-status or tracking-qualifier.  Currently a service provider (e.g. analytics) site would claim to be operating under the rules for a 1st party.  If its site name appears under (one of) the actual first party's same-party list, then this is verifiable;  otherwise, the user-agent may conclude that some resource that was designed to be used in a first-party context has been included in a third-party context, and raise a concern that unexpected tracking may be occurring.  [problem]

> 5. Does it always operate as a 3rd party, or does it sometimes become 1st (e.g. an ad that gets interacted with, vs. an analytics site).

Tracking-status 1 (always 1st), 3 (always 3rd), or X (dynamic) provides this information.

> 6. If the site has trusted important partners, for whom it might ask an exception, who are they?

The resource third-party list provides this information.

> 7. Where do I find a readable privacy policy?

The resource policy provides this information.

> 8. Is there a place where I can express my preferences, grant exceptions, etc.?

The resource control provides this pointer.

> personal interaction questions (that might vary from place to place, or individual to individual, but typically not transaction to transaction)
> 10. What header did the site receive from me? (Did my header make it through?)

There is no way to tell [problem]

> 11. Does the site claim an in-band (well, I'd know if it says it saw DNT:0) or out-of-band exception from me?

The tracking status C (consent) documents this, but does not differentiate between in-band and out-of-band [possible problem]

> 12. Is the site going to decide not to honor my DNT:1 request for some other reason (e.g. my choice of UA, as recently discussed :-(, a court order, etc.)?

Not indicated. [possible problem]

> truly dynamic questions (that might vary from request to request)
> 20. Is the site operating as a 1st or 3rd party in this interaction? (This makes a big difference to how much tracking can happen).

The X in the tracking-status indicates that the response may be dynamic, and then the Tk header field is required.

> David Singer
> Multimedia and Software Standards, Apple Inc.

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Thursday, 23 August 2012 23:04:10 UTC
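
The user-agent check described in the answers to questions 1, 4, 11 and 20, as an added example that is not part of the original message or of the specification. The record layout (a plain object with `tracking` and `same-party` members), the assumption that the Tk header carries the same status values, the host names and the result labels are all assumptions made for illustration.

```javascript
// Added example; record layout and result labels are assumptions.
// Constructed sample data: hosts and records are invented for illustration.
const SAMPLE_WKR = {
  "news.example":    { tracking: "1", "same-party": ["cdn.news.example", "stats.example"] },
  "stats.example":   { tracking: "1" },  // analytics, listed by news.example
  "widgets.example": { tracking: "1" },  // claims 1st-party rules, not listed
  "ads.example":     { tracking: "X" },  // dynamic: Tk header required
};

// Return the WKR record for a host, or null if the host published none.
function lookup(wkrByHost, host) {
  return Object.prototype.hasOwnProperty.call(wkrByHost, host) ? wkrByHost[host] : null;
}

// Classify one embedded response as a user agent might.
// pageHost: site the user is visiting; resHost: host serving the resource;
// tk: tracking-status value from the response's Tk header, or null if absent.
function classify(wkrByHost, pageHost, resHost, tk = null) {
  const res = lookup(wkrByHost, resHost);
  if (res === null) return "no-wkr";            // Q1: no WKR, DNT not recognized
  let status = res.tracking;
  if (status === "X") {                         // Q20: dynamic, Tk must decide
    if (tk === null) return "missing-tk";
    status = tk;
  }
  if (status === "3") return "third-party";
  if (status === "C") return "consent-claimed"; // Q11: in-band vs out-of-band unknown
  if (status !== "1") return "unknown-status";
  if (resHost === pageHost) return "first-party";
  // Q4: a first-party claim made from another host is verifiable only
  // through the visited site's same-party list.
  const page = lookup(wkrByHost, pageHost);
  const sameParty = (page && page["same-party"]) || [];
  return sameParty.includes(resHost)
    ? "verified-same-party"
    : "unverified-first-party-claim";           // the [problem] case: raise a concern
}
```
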
