W3C home > Mailing lists > Public > public-tracking@w3.org > August 2012

Re: What are the Response Header and Well-Known Resource for?

From: Roy T. Fielding <fielding@gbiv.com>
Date: Thu, 23 Aug 2012 17:12:37 -0700
Cc: "public-tracking@w3.org WG" <public-tracking@w3.org>
Message-Id: <3E9045A8-CE3F-4B27-8006-1AD82DA06618@gbiv.com>
To: David Singer <singer@apple.com>
On Aug 23, 2012, at 4:03 PM, David Singer wrote:

>> 4. Does this party ever claim 'permissions'?  Particularly, is it claiming the 'agent of 1st party' permission?
> 
> The track status qualifiers will match whatever permissions the compliance document specifies, and the presence of a qualifier on the Tk header or WKR tracking-status indicates a claim of a permission.

No, the member field containing qualifiers is optional.

> There is currently no out-sourcing indication in either the tracking-status or tracking-qualifier.  Currently an service provider (e.g. analytics) site would claim to be operating under the rules for a 1st party.  If its site name appears under (one of) the actual first party's same-party list, then this is verifiable;  otherwise, the user-agent may conclude that some resource that was designed to be used in a first-party context has been included in a third-party context, and raise a concern that unexpected tracking may be occurring.  [problem]

It is based on domain ownership, just like all of the party
questions, and is documented just after the policy field.
It might need more text if that isn't clear.

>> 5. Does it always operate as a 3rd party, or does it sometimes become 1st (e.g. an ad that gets interacted with, vs. an analytics site).
> 
> Tracking-status 1 (always 1st) 3 (always 3rd) or X (dynamic), provides this information.
> 
>> 6. If the site has trusted important partners, for whom it might ask an exception, who are they?
> 
> The resource third-party list provides this information.

Again, optional.

>> 7. Where do I find a readable privacy policy?
> 
> The resource policy provides this information.

Optional, unless it is a service provider using its own domain,
in which case the policy must exist and point to the first-party.

>> 8. Is there a place where I can express my preferences, grant exceptions, etc.?
> 
> The resource control provides this pointer.

I believe that should be "grant or remove out-of-band consent".

>> personal interaction questions (that might vary from place to place, or individual to individual, but typically not transaction to transaction)
>> 
>> 10. What header did the site receive from me? (Did my header make it through?)
> 
> There is no way to tell [problem]
> 
>> 11. Does the site claim an in-band (well, I'd know if it says it saw DNT:0) or out-of-band exception from me?
> 
> The tracking status C (consent) documents this, but does not differentiate between in-band and out-of-band [possible problem]

There is no in-band consent, AFAIK.  User-granted exceptions are
entirely within the API -- they result in sending DNT:0 and the UA
already knows what they are.

>> 12. Is the site going to decide not to honor my DNT:1 request for some other reason (e.g. my choice of UA, as recently discussed :-(, a court order, etc.)?
> 
> Not indicated. [possible problem]
> 
>> truly dynamic questions (that might vary from request to request)
>> 
>> 20. Is the site operating as a 1st or 3rd party in this interaction? (This makes a big difference to how much tracking can happen).
> 
> The X in the tracking-status indicates that the response may be dynamic, and then the Tk header field is required.

and the request-specific resource as well if the header says X.

....Roy
Received on Friday, 24 August 2012 00:12:50 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:38:54 UTC