Re: ACTION-114 ISSUE-107 : Revised response header.

Hi Sean,


On 2/9/2012 3:28 PM, Sean Harvey wrote:
> How is the third party going to know from the DNT:0 that they may only
> collect site specific information? What if the user visits two sites
> consecutively, both of which have site specific exceptions? Might not
> the third party server unknowingly (re)place a cookie on the browser
> when they see DNT:0 and then check that cookie on both site 1 and site
> 2 because they both have DNT-off values? 

This indeed seems to be a challenge: In the extreme, every request
header transmits its own (and maybe different) DNT value (a user agent
may choose to send different DNTs based on sub-site, subdomains or
whatever other criteria).

This is hard to track/emulate with cookies.

Setting opt-out cookies too broadly is no problem from a privacy
perspective (except that it may break things).

Strictly speaking, you can only clear your cookies for the given URL.
If this affects other URLs, it is at your own risk.

However, there is light at the end of the tunnel:
- I believe while it is hard to 100% emulate DNT with cookies, the
  current proposal of the DNT responses allows you to say
  'I believe that I have your opt-in'. If the browser then disagrees,
  it can alert the user or take some other action.

Do I understand correctly that the scenario in your mind is that a
gateway interprets DNT and then sets/removes cookies while all
back-end systems will continue to rely on these cookies?

While ultimately cookie-based DNT should be replaced by DNT ;-) I see
the benefit of cookie-based emulations to allow for quick and
cost-efficient adoption.

If this is the scenario you have in mind, I'd like to raise a separate
issue to discuss this. If not, please clarify.


Regards,
matthias

Received on Thursday, 9 February 2012 15:10:38 UTC