W3C home > Mailing lists > Public > public-tracking@w3.org > January 2012

Re: meaning of DNT 1 and DNT 0 when sent by user agents [ISSUE-78]

From: David Wainberg <dwainberg@appnexus.com>
Date: Tue, 17 Jan 2012 11:22:17 -0500
Message-ID: <4F15A039.9010608@appnexus.com>
To: David Singer <singer@apple.com>
CC: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Kevin circulated some great materials and discussion on this back in 
December: 
http://lists.w3.org/Archives/Public/public-tracking/2011Dec/0051.html 
and http://lists.w3.org/Archives/Public/public-tracking/2011Dec/0127.html.

But I'm happy to take a stab at explaining how I see it.

In defining 1st vs 3rd, and saying DNT doesn't, for the most part, apply 
to 1st parties, are we saying that 1st parties have an exception to 
engage in [cross-site] tracking, or are we saying 1st party data 
collection, by definition, is not [cross-site] tracking? There seems to 
be, if not consensus, at least widespread agreement that the concern of 
this standard (the "Do Not" of DNT) is something along the lines of the 
collection and accumulation of data about internet users' web browsing 
history across (unrelated | unaffiliated | non-commonly branded | ??)  
websites. I don't think we mean that 1st parties are free to engage in 
[cross-site] tracking, but rather that once it's cross-site, it's no 
longer 1st party. There may be parties who have consent to track across 
sites by virtue of their 1st party relationship with the user, but is 
there such a thing as 1st party cross-site tracking? Let's assume we can 
acheive a defition of cross-site tracking, do you imagine 1st and 3rd 
parties would be treated differently under the standard? I don't imagine 
so, though 1st parties will have different opportunities for acquiring 
users' consent.

One might then think that the 1st/3rd party distinction and "cross-site" 
are equivalent. But I would argue they're not, for at least the 
following. First, defining cross-site tracking is closer to the problem 
we're trying to solve, and that's generally a good thing. By tailoring 
our definitions to the actual problems we are trying to solve, we reduce 
the risk of being overinclusive, creating ambiguity, or creating 
unintended consequences.

Additionally, although we will still need to define cross-site tracking, 
I think that's an easier problem to solve and will be easier for all 
parties to implement. Parties can be lots of things. It's impossible to 
account for all the different relationships between parties and users, 
and parties and parties, and so on. Cross-site tracking data is a much 
more constrained set, so will be that much easier to put a definition 
around.

By taking the cross-site approach, DNT becomes as simple as:

1. Cross-site tracking = X
2. If DNT == 1, X may not be done, except:
     a. with consent; or
     b. for these purposes: [...]

Some of the benefits:
- Relies simply on a clear definition of the data collection and use 
practices DNT is concerned with, rather than a multi-step process of 
determining party status and then covered collection and use.
- Removes the step of determining 1st vs 3rd party status in any given 
circumstance, and then possibly having separate compliance paths for each.
- Saves us from defining 1st vs 3rd parties, and thus eliminates having 
to deal with edge cases like widgets and URL shorteners.
- Solves the 3rd party as agent problem: if it's not cross-site, it's 
not covered.



On 1/13/12 5:41 PM, David Singer wrote:
> In reading a separate thread, I realized that there is a potential issue here over DNT:0.
>
> A little while back we discussed whether the UA should send a DNT header to the first party.  A number of us argued that it should, even if the first party is exempt: because the first party may care that its third parties are being asked not to track - it might ask for payment in consequence, for example.
>
> This argument relies on the assumption that DNT is a single 'big switch', either on or off, but the discussion around DNT:0 reveals that people think it may be OK for the UA to send DNT:1 to some sites, and DNT:0 to others.
>
> So what, then, does the first party get?  DNT:1 if any third party is getting DNT:1, else DNT:0 if all are getting DNT:0?  An average of the DNT values :-) DNT:0.7 ??!
>
> Am I, as a UA, allowed to mix non-DNT requests into the mix?
>
>
> David Singer
> Multimedia and Software Standards, Apple Inc.
>
>
Received on Tuesday, 17 January 2012 16:22:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:38:30 UTC