Re: meaning of DNT 1 and DNT 0 when sent by user agents [ISSUE-78]


While I like your definitions of DNT:1 and DNT:0, I maintain that the DNT 
Specification should say that DNT is enabled/disabled/unset, and not say 
anything about "First parties not sharing information". 

The difficult part is IMHO then the definition of the scope of the user's 
DNT-declaration. You say "who receives it". This was my initial take to scope it, 
namely simply by the GET request. People thought that this wouldn't be 
sufficient. Then we talked about "origins" and first and third parties. 

So one of the weaknesses of the DNT definitions is still the exact circle of 
addressees. We have tried corporation law rules (affiliate), social rules (first, 
third parties), browser habits (origins), user expectations (theoretic 
horizon). But as in the real world, if one speaks out, it is difficult to 
determine for all others what she really meant and to whom she was really 
talking. At some point the choice ends up having something arbitrary that 
best fits the needs and integrates into web architecture. Because once this 
technology is out, it will create the user expectations we are trying to 
anticipate. But it may be hard to anticipate the non-existing. 

IMHO we haven't yet really found a good addressee (or multitude thereof) and 
should discuss this further. Once we have the addressee, we can discuss 
how the preference expression is perceived and what it is supposed to mean. 
"Supposed to mean" is a topic for the compliance specification IMHO.



On Thursday 12 January 2012 15:36:48 Tom Lowenthal wrote:
> Correction: "All parties" in the DNT:0 blurb should be "Both first and
> third parties". The header only imparts
> information/permission/preferences to the party receiving it, not to
> anyone else. That was just sloppy writing on my part.
> Does anyone have any suggestions for modifications to this? Roy, if we
> don't get any suggested changes, could you incorporate this before the
> "let's read it on the plane" document freeze?
> On 01/12/2012 03:02 PM, Roy T. Fielding wrote:
> > On Jan 12, 2012, at 12:52 PM, Tom Lowenthal wrote:
> >> On 01/10/2012 06:12 PM, Roy T. Fielding wrote:
> >>> 1	Do not track me across differently-branded sites and do not use
> >>> previously tracked/obtained behavioral data from other sites to
> >>> personalize a response.
> >>> 
> >>> 0	Use of cross-site tracking and personalization has been
> >>> specifically permitted for this site, as described in section 6.
> >>> User-agent-managed site-specific exceptions.
> >> 
> >> [Section 4, 4.1]
> >> As mentioned on the call, I was surprised to see this definition of
> >> DNT:0 positioned as a site-specific exception to a general DNT:1
> >> preference. I was expecting (and others on the call seemed to assume)
> >> a quite different approach. My understanding is more as follows:
> >> 
> >> 
> >> DNT:1 Tells everyone who receives it that I have a heightened
> >> preference for privacy and against being tracked. First parties
> >> mustn't share any information about me. Third parties must treat me
> >> like someone about whom they know nothing, and remember nothing about
> >> me later.
> >> 
> >> DNT:0 Tells everyone who receives it that I have a preference towards
> >> a personalized service, and consent to tracking. All parties may gather
> >> data and learn about me and should use that information to improve my
> >> experience with them.
> > 
> > I have no problem defining it that way if that is how user agents intend
> > to implement it.  What I wrote is how it is currently implemented,
> > AFAICT. I agree that the current state isn't as crisp as what you
> > describe above, for a variety of reasons.
> > 
> > Can we get some input from the other browser vendors?
> > 
> > ....Roy

Received on Friday, 13 January 2012 09:31:20 UTC