- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Mon, 13 Feb 2012 12:49:54 -0800
- To: Ninja Marnau <nmarnau@datenschutzzentrum.de>
- Cc: "<public-tracking@w3.org> (public-tracking@w3.org)" <public-tracking@w3.org>

On Feb 13, 2012, at 8:10 AM, Ninja Marnau wrote:

> Here is my proposal for a definition of "absolutely not tracking":
>
> A party may claim that it is not tracking, if it
> 1) only collects identifying data which is strictly necessary to answer the user's HTTP request and to fulfil its contractual obligation towards the user
> 2) does not send, collect or check for unique identifiers
> 3) does not correlate the data of a DNT HTTP request with any other data
> 4) deletes the identifying data as soon as the original purpose is fulfilled
>
> Motivation:
> This should be a starting point for discussing a possible response header (This site does not track at all) for very small websites that do no profiling or customisation at all. Currently, these websites have only the option to state within the response header that they comply with DNT and may use all the exceptions of the standard. This should not necessarily indicate that sites which do not adhere to the points above are tracking their users.

Please be aware that this would require Apache httpd to respond that it is always tracking, by default, regardless of how the underlying services are implemented. Likewise for Squid, TrafficServer, haproxy, and all other HTTP servers that I am aware of.

If we can't find a definition that allows HTTP access logs and normal retention for fraud control, then let's give up. I will not implement DNT if it can be used as a bypass for fraud and security controls.

....Roy

Received on Monday, 13 February 2012 20:50:15 UTC