Re: tracking-ISSUE-105: Response header without request header? [Tracking Preference Expression (DNT)]

Matthias, 

the feedback mechanism is needed to record the consent. So in case you want to 
record consent, there MUST be a response on DNT=1. 

Next is that if a browser sends DNT=1 and gets no response, it may want to 
turn on Tor. 

I mean this as caveats that we may want to note down somewhere, not as an 
opposition to a "SHOULD". People should be aware that a browser may react if 
DNT=1 or DNT=0 is not acked...

Best, 

Rigo

On Monday 16 January 2012 18:00:40 Matthias Schunter wrote:
> Hi All,
> 
> 
> I gave this another thought and I now had the impression that SHOULD
> may be sufficient. A wording like:
>   If a site receives a DNT;1 request header,
>   then it SHOULD send a DNT response header.
> (header details defined elsewhere)
> 
> Reasoning:
> 1. In order to be compliant, a site needs to satisfy the compliance
> and DNT specs
> 2. A site that is compliant with above wording honors a DNT=1 request
>    but may not send a corresponding acknowledgement (for whatever reason)
> 
> The result would be that a site sufficiently protects privacy
> (according to the compliance spec) while not advertising the fact.
> This will make users assume the worst (i.e., that DNT=1 was not honored).
> 
> While this is not optimal, it at least ensures that the site provides
> more privacy than promised which I believe to be OK from a privacy
> perspective.
> 
> A benefit of SHOULD is that sites could improve their data
> collection/retention/usage first to satisfy the compliance spec and
> then later do further upgrades to provide transparency/notice. An
> example would be a site that never stores anything while ignoring DNT.
> Similar to today's practice that privacy policies usually over-state
> the potential uses of the collected data.
> 
> What do you think?
> 
> 
> Regards,
> matthias
> 
> On 12/20/2011 9:58 PM, John Simpson wrote:
> > Agree that if request header is DNT=1, then a site MUST send a
> > response header to be compliant.

Received on Tuesday, 17 January 2012 10:34:11 UTC