W3C home > Mailing lists > Public > public-tracking@w3.org > January 2012

RE: tracking-ISSUE-105: Response header without request header? [Tracking Preference Expression (DNT)]

From: Kevin Smith <kevsmith@adobe.com>
Date: Mon, 16 Jan 2012 16:04:44 -0800
To: Matthias Schunter <mts@zurich.ibm.com>, John Simpson <john@consumerwatchdog.org>
CC: "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <6E120BECD1FFF142BC26B61F4D994CF3064C8B5501@nambx07.corp.adobe.com>

Did you intend to attach this to Issue 105?  Seems like that issue focuses on responses to requests on which there was no DNT: request, not when the server gets a DNT:1 request header.  Seems like this should perhaps be attached to Issue 51 or 81.  Sorry if I am missing something obvious.

-----Original Message-----
From: Matthias Schunter [mailto:mts@zurich.ibm.com] 
Sent: Monday, January 16, 2012 10:01 AM
To: John Simpson
Cc: public-tracking@w3.org
Subject: Re: tracking-ISSUE-105: Response header without request header? [Tracking Preference Expression (DNT)]

Hi All,

I gave this another thought and I now had the impression that SHOULD may be sufficient. A wording like:
  If a site receives a  DNT;1 request header,
  then it SHOULD send a DNT response header.
(header details defined elsewhere)

1. In order to be compliant, a site needs to satisfy the compliance and DNT specs 2. A  site that is compliant with above wording honors a DNT=1 request
   but may not send a corresponding acknowledgement (for whatever reason)

The result would be that a site sufficiently protects privacy (according to the compliance spec) while not advertising the fact.
This will make users assume the worst (i.e., that DNT=1 was not honored).

While this is not optimal, it at least ensures that the site provides more privacy than promised which I believe to be OK from a privacy perspective.

A benefit of SHOULD is that sites could improve their data collection/retention/usage first to satisfy the compliance spec and then later do further upgrades to provide transparency/notice. An example would be a site that never stores anything while ignoring DNT.
Similar to today's practice that privacy policies usually over-state the potential uses of the collected data.

What do you think?


On 12/20/2011 9:58 PM, John Simpson wrote:
> Agree that if request header is DNT=1, then a site MUST send a 
> response header to be compliant.
Received on Tuesday, 17 January 2012 00:06:07 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:38:30 UTC