- From: (unknown charset) Matthias Schunter <mts@zurich.ibm.com>
- Date: Tue, 17 Jan 2012 17:45:32 +0100
- To: (unknown charset) public-tracking@w3.org
You are right: This discussion has been misplaced. ISSUES-51 and ISSUE-81 are better (albeit not perfect) fits. matthias On 1/17/2012 1:04 AM, Kevin Smith wrote: > Matthias, > > Did you intend to attach this to Issue 105? Seems like that issue focuses on responses to requests on which there was no DNT: request, not when the server gets a DNT:1 request header. Seems like this should perhaps be attached to Issue 51 or 81. Sorry if I am missing something obvious. > > -----Original Message----- > From: Matthias Schunter [mailto:mts@zurich.ibm.com] > Sent: Monday, January 16, 2012 10:01 AM > To: John Simpson > Cc: public-tracking@w3.org > Subject: Re: tracking-ISSUE-105: Response header without request header? [Tracking Preference Expression (DNT)] > > Hi All, > > > I gave this another thought and I now had the impression that SHOULD may be sufficient. A wording like: > If a site receives a DNT;1 request header, > then it SHOULD send a DNT response header. > (header details defined elsewhere) > > Reasoning: > 1. In order to be compliant, a site needs to satisfy the compliance and DNT specs 2. A site that is compliant with above wording honors a DNT=1 request > but may not send a corresponding acknowledgement (for whatever reason) > > The result would be that a site sufficiently protects privacy (according to the compliance spec) while not advertising the fact. > This will make users assume the worst (i.e., that DNT=1 was not honored). > > While this is not optimal, it at least ensures that the site provides more privacy than promised which I believe to be OK from a privacy perspective. > > A benefit of SHOULD is that sites could improve their data collection/retention/usage first to satisfy the compliance spec and then later do further upgrades to provide transparency/notice. An example would be a site that never stores anything while ignoring DNT. > Similar to today's practice that privacy policies usually over-state the potential uses of the collected data. > > What do you think? > > > Regards, > matthias > > > On 12/20/2011 9:58 PM, John Simpson wrote: >> Agree that if request header is DNT=1, then a site MUST send a >> response header to be compliant. >> > > > > > >
Received on Tuesday, 17 January 2012 16:49:22 UTC