- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Thu, 23 Aug 2012 17:12:37 -0700
- To: David Singer <singer@apple.com>
- Cc: "public-tracking@w3.org WG" <public-tracking@w3.org>
On Aug 23, 2012, at 4:03 PM, David Singer wrote:

>> 4. Does this party ever claim 'permissions'? Particularly, is it claiming the 'agent of 1st party' permission?
>
> The track status qualifiers will match whatever permissions the compliance document specifies, and the presence of a qualifier on the Tk header or WKR tracking-status indicates a claim of a permission.

No, the member field containing qualifiers is optional.

> There is currently no out-sourcing indication in either the tracking-status or tracking-qualifier. Currently a service provider (e.g. analytics) site would claim to be operating under the rules for a 1st party. If its site name appears under (one of) the actual first party's same-party list, then this is verifiable; otherwise, the user-agent may conclude that some resource that was designed to be used in a first-party context has been included in a third-party context, and raise a concern that unexpected tracking may be occurring. [problem]

It is based on domain ownership, just like all of the party questions, and is documented just after the policy field. It might need more text if that isn't clear.

>> 5. Does it always operate as a 3rd party, or does it sometimes become 1st (e.g. an ad that gets interacted with, vs. an analytics site)?
>
> Tracking-status 1 (always 1st), 3 (always 3rd) or X (dynamic) provides this information.
>
>> 6. If the site has trusted important partners, for whom it might ask an exception, who are they?
>
> The resource third-party list provides this information.

Again, optional.

>> 7. Where do I find a readable privacy policy?
>
> The resource policy provides this information.

Optional, unless it is a service provider using its own domain, in which case the policy must exist and point to the first party.

>> 8. Is there a place where I can express my preferences, grant exceptions, etc.?
>
> The resource control provides this pointer.

I believe that should be "grant or remove out-of-band consent".

>> personal interaction questions (that might vary from place to place, or individual to individual, but typically not transaction to transaction)
>>
>> 10. What header did the site receive from me? (Did my header make it through?)
>
> There is no way to tell [problem]
>
>> 11. Does the site claim an in-band (well, I'd know if it says it saw DNT:0) or out-of-band exception from me?
>
> The tracking status C (consent) documents this, but does not differentiate between in-band and out-of-band [possible problem]

There is no in-band consent, AFAIK. User-granted exceptions are entirely within the API -- they result in sending DNT:0 and the UA already knows what they are.

>> 12. Is the site going to decide not to honor my DNT:1 request for some other reason (e.g. my choice of UA, as recently discussed :-(, a court order, etc.)?
>
> Not indicated. [possible problem]
>
>> truly dynamic questions (that might vary from request to request)
>>
>> 20. Is the site operating as a 1st or 3rd party in this interaction? (This makes a big difference to how much tracking can happen).
>
> The X in the tracking-status indicates that the response may be dynamic, and then the Tk header field is required.

and the request-specific resource as well if the header says X.

....Roy
Received on Friday, 24 August 2012 00:12:50 UTC
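The checks Roy describes from the user agent's side (a "1" claim is verifiable only if the host is covered by the first party's same-party list; status X requires a Tk header, and a Tk header of X requires the request-specific resource; a "C" claim against DNT:1 can only be out-of-band consent, since the UA already knows its own granted exceptions) can be written down as a small evaluator. The following is an added example and not code from this thread or from the W3C Tracking Preference Expression drafts. It assumes a Tk value is one status character ("1", "3", "X", "C") optionally followed by qualifier characters, that the tracking-status resource is JSON with the keys `tracking`, `same-party`, `third-party`, `policy` and `control`, and it simplifies "domain ownership" to exact-or-subdomain matching against the same-party list; the hostnames and resources are constructed sample data.

```python
"""User-agent-side evaluation of a site's tracking-status claims (added example,
not code from the mailing-list thread or the W3C specification).

Assumptions of this example: a Tk header value is one status character ('1',
'3', 'X', 'C') optionally followed by qualifier characters; the tracking-status
resource (WKR) is JSON with the keys 'tracking', 'same-party', 'third-party',
'policy' and 'control'; "domain ownership" is simplified to exact or subdomain
matching against the first party's same-party list.
"""
import json
from dataclasses import dataclass

STATUS_FIRST_PARTY = "1"   # always operates as a first party
STATUS_THIRD_PARTY = "3"   # always operates as a third party
STATUS_DYNAMIC = "X"       # varies per request: the Tk header is then required
STATUS_CONSENT = "C"       # claims consent; from the UA's view, out-of-band
KNOWN_STATUSES = {STATUS_FIRST_PARTY, STATUS_THIRD_PARTY, STATUS_DYNAMIC, STATUS_CONSENT}

# Finding codes a user agent might surface to the user (names chosen here).
MISSING_TK = "MISSING_TK"                          # status X but no Tk header
MISSING_REQUEST_TSR = "MISSING_REQUEST_TSR"        # Tk X but no request-specific resource
QUALIFIER_CLAIM = "QUALIFIER_CLAIM"                # a permission is being claimed
UNVERIFIED_FIRST_PARTY = "UNVERIFIED_FIRST_PARTY"  # '1' from a host not in same-party
MISSING_POLICY = "MISSING_POLICY"                  # service provider on own domain, no policy
OUT_OF_BAND_CONSENT = "OUT_OF_BAND_CONSENT"        # 'C' although the UA sent DNT:1


@dataclass
class TkHeader:
    status: str      # one of KNOWN_STATUSES
    qualifiers: str  # trailing characters; non-empty means a permission is claimed


def parse_tk(value: str) -> TkHeader:
    """Parse a Tk header field value (the value format is an assumption here)."""
    v = value.strip()
    if not v:
        raise ValueError("empty Tk header value")
    status, qualifiers = v[0].upper(), v[1:].strip()
    if status not in KNOWN_STATUSES:
        raise ValueError(f"unknown tracking status {status!r}")
    return TkHeader(status, qualifiers)


def in_same_party(host: str, first_party_host: str, first_party_tsr: dict) -> bool:
    """Simplified domain-ownership check: host is the first party itself, or an
    entry (or a subdomain of an entry) in the first party's same-party list."""
    owners = [first_party_host] + list(first_party_tsr.get("same-party", []))
    host = host.lower()
    return any(host == o.lower() or host.endswith("." + o.lower()) for o in owners)


def evaluate(first_party_host, first_party_tsr, resource_host, resource_tsr,
             tk_value, dnt_sent, request_tsr=None):
    """Return the finding codes for one embedded resource's response.

    first_party_tsr / resource_tsr: parsed WKR JSON of the top-level site and of
    the embedded resource's origin; tk_value: the Tk header (None if absent);
    dnt_sent: the DNT value the UA sent ('0' or '1'); request_tsr: the
    request-specific tracking status resource, if the UA fetched one.
    """
    findings = []
    # A site whose tracking status is X must send a Tk header on each response.
    if resource_tsr.get("tracking") == STATUS_DYNAMIC and tk_value is None:
        return [MISSING_TK]
    if tk_value is None:
        return findings  # static status: nothing request-specific to check
    tk = parse_tk(tk_value)
    # A Tk header that still says X needs the request-specific resource.
    if tk.status == STATUS_DYNAMIC and request_tsr is None:
        findings.append(MISSING_REQUEST_TSR)
    if tk.qualifiers:
        findings.append(QUALIFIER_CLAIM)
    if tk.status == STATUS_FIRST_PARTY and not in_same_party(
            resource_host, first_party_host, first_party_tsr):
        # A resource built for a first-party context was included in a third-party one.
        findings.append(UNVERIFIED_FIRST_PARTY)
        if "policy" not in resource_tsr:  # own-domain service provider must link a policy
            findings.append(MISSING_POLICY)
    if tk.status == STATUS_CONSENT and dnt_sent == "1":
        # The UA knows its own granted exceptions (it would have sent DNT:0),
        # so consent claimed against DNT:1 can only be out-of-band.
        findings.append(OUT_OF_BAND_CONSENT)
    return findings


# Constructed sample data: a page on news.example embedding two resources.
NEWS_TSR = json.loads('{"tracking": "1", "same-party": ["metrics-vendor.example"], '
                      '"policy": "https://news.example/privacy"}')
VENDOR_TSR = json.loads('{"tracking": "1", "policy": "https://news.example/privacy"}')
TRACKER_TSR = json.loads('{"tracking": "X"}')

if __name__ == "__main__":
    for host, tsr, tk in [("stats.metrics-vendor.example", VENDOR_TSR, "1"),
                          ("pixel.adnet.example", TRACKER_TSR, None),
                          ("pixel.adnet.example", TRACKER_TSR, "1")]:
        print(host, tk, evaluate("news.example", NEWS_TSR, host, tsr, tk, "1"))
```

The evaluator only reports what the UA can verify from the first party's own resource and the headers it received; it cannot answer question 10 (which header the site actually saw), which is exactly the gap David marks as a problem.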