Re: SHOULD or MUST for responses to DNT;1?

Hi Folks,


Here is the proposed text that evolved during yesterday's telco:

--------------------------------------
A site that receives DNT;1 MUST follow the corresponding practices as
defined in the [standards compliance] document and SHOULD send a
corresponding DNT response header.

Note: If a site chooses not to send a response header, then the user
agent does not obtain information whether the preference has been
accepted or not. This may have negative consequences for the site such as:
 - Preventive measures by user agents
 - Being flagged as non-compliant by scanning tools that look for
response headers
---------------------------------------------------

I'll ask Roy to include this text into the draft for "PENDING REVIEW".
Comments are welcome.

Regards,
matthias
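To make the consequence described in the note concrete (a site that honours DNT;1 but sends no response header looks, to a scanner, exactly like one that ignores it), here is an added example in Python. It is not part of this mail, the draft, or any W3C tool. It assumes the request header is named `DNT` with the values `0` and `1`; the response header name and value are stand-ins (`DNT: 1`), because the mail says the header details are defined elsewhere. The first function is the kind of check a scanning tool would run over a captured request/response pair; the second is a WSGI middleware that adds the response header whenever a DNT:1 request came in, so that an otherwise compliant site is not flagged as "unacknowledged".

```python
"""Added example, not from the original mail or the W3C draft.

Assumptions (labelled, not taken from the mail):
  - the request header is "DNT" with values "0" / "1";
  - the response header name and value are stand-ins ("DNT: 1"), since
    the draft text says the header details are defined elsewhere.
"""
from typing import Dict, List, Mapping, Optional, Tuple

REQUEST_HEADER = "DNT"
RESPONSE_HEADER = "DNT"   # assumed stand-in; the real name is defined elsewhere
RESPONSE_VALUE = "1"      # assumed stand-in value


def _get(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, because HTTP field names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def dnt_preference(request_headers: Mapping[str, str]) -> Optional[str]:
    """Return "0", "1", or None. Any other value counts as no expressed
    preference, since only those two values are defined."""
    value = _get(request_headers, REQUEST_HEADER)
    return value if value in ("0", "1") else None


def classify_response(request_headers: Mapping[str, str],
                      response_headers: Mapping[str, str],
                      response_header: str = RESPONSE_HEADER) -> str:
    """Scanner-style classification of one request/response pair:
      "not-applicable"  request did not carry DNT:1
      "acknowledged"    DNT:1 and the response header is present
      "unacknowledged"  DNT:1 but no response header (what the mail warns
                        about: the site may be honouring DNT, but the user
                        agent cannot tell)
    """
    if dnt_preference(request_headers) != "1":
        return "not-applicable"
    if _get(response_headers, response_header) is not None:
        return "acknowledged"
    return "unacknowledged"


def dnt_middleware(app, response_header: str = RESPONSE_HEADER,
                   response_value: str = RESPONSE_VALUE):
    """WSGI middleware: if the request carried DNT:1, add the response
    header unless the application already set one."""
    def wrapped(environ, start_response):
        # WSGI exposes request headers as HTTP_<NAME>, so DNT becomes HTTP_DNT
        request_headers = {REQUEST_HEADER: environ.get("HTTP_DNT", "")}

        def start_response_with_dnt(status, headers, exc_info=None):
            headers = list(headers)
            already_set = any(h.lower() == response_header.lower() for h, _ in headers)
            if dnt_preference(request_headers) == "1" and not already_set:
                headers.append((response_header, response_value))
            return start_response(status, headers, exc_info)

        return app(environ, start_response_with_dnt)
    return wrapped


# --- constructed sample data and a tiny driver ------------------------------

SAMPLE_REQUEST: Dict[str, str] = {"Host": "example.invalid", "DNT": "1"}
SAMPLE_RESPONSE_NO_ACK: Dict[str, str] = {"Content-Type": "text/html"}
SAMPLE_RESPONSE_ACK: Dict[str, str] = {"Content-Type": "text/html", "DNT": "1"}


def simulate(app, environ) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Minimal WSGI driver for the demo: returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def hello_app(environ, start_response):
    """Constructed application that never sets a DNT response header itself."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def demo_middleware(dnt_value: Optional[str]) -> Dict[str, str]:
    """Run hello_app behind the middleware and return the response headers."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if dnt_value is not None:
        environ["HTTP_DNT"] = dnt_value
    _, headers, _ = simulate(dnt_middleware(hello_app), environ)
    return dict(headers)


if __name__ == "__main__":
    print(classify_response(SAMPLE_REQUEST, SAMPLE_RESPONSE_NO_ACK))  # unacknowledged
    print(classify_response(SAMPLE_REQUEST, SAMPLE_RESPONSE_ACK))     # acknowledged
    print(demo_middleware("1"))
```

The scanner side deliberately cannot distinguish "honours DNT silently" from "ignores DNT": both come back as `unacknowledged`, which is the point of the note in the proposed text. The middleware side shows that sending the acknowledgement is a one-line addition at the HTTP layer, independent of whatever data-handling changes the compliance document requires.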


On 1/17/2012 5:45 PM, Matthias Schunter wrote:
> You are right: This discussion has been misplaced.  ISSUES-51 and
> ISSUE-81 are better (albeit not perfect) fits.
> 
> matthias
> 
> 
> On 1/17/2012 1:04 AM, Kevin Smith wrote:
>> Matthias,
>>
>> Did you intend to attach this to Issue 105?  Seems like that issue focuses on responses to requests on which there was no DNT: request, not when the server gets a DNT:1 request header.  Seems like this should perhaps be attached to Issue 51 or 81.  Sorry if I am missing something obvious.
>>
>> -----Original Message-----
>> From: Matthias Schunter [mailto:mts@zurich.ibm.com] 
>> Sent: Monday, January 16, 2012 10:01 AM
>> To: John Simpson
>> Cc: public-tracking@w3.org
>> Subject: Re: tracking-ISSUE-105: Response header without request header? [Tracking Preference Expression (DNT)]
>>
>> Hi All,
>>
>>
>> I gave this another thought and I now had the impression that SHOULD may be sufficient. A wording like:
>>   If a site receives a  DNT;1 request header,
>>   then it SHOULD send a DNT response header.
>> (header details defined elsewhere)
>>
>> Reasoning:
>> 1. In order to be compliant, a site needs to satisfy the compliance and DNT specs
>> 2. A site that is compliant with above wording honors a DNT=1 request
>>    but may not send a corresponding acknowledgement (for whatever reason)
>>
>> The result would be that a site sufficiently protects privacy (according to the compliance spec) while not advertising the fact.
>> This will make users assume the worst (i.e., that DNT=1 was not honored).
>>
>> While this is not optimal, it at least ensures that the site provides more privacy than promised which I believe to be OK from a privacy perspective.
>>
>> A benefit of SHOULD is that sites could improve their data collection/retention/usage first to satisfy the compliance spec and then later do further upgrades to provide transparency/notice. An example would be a site that never stores anything while ignoring DNT.
>> Similar to today's practice that privacy policies usually over-state the potential uses of the collected data.
>>
>> What do you think?
>>
>>
>> Regards,
>> matthias
>>
>>
>> On 12/20/2011 9:58 PM, John Simpson wrote:
>>> Agree that if request header is DNT=1, then a site MUST send a 
>>> response header to be compliant.
>>>

Received on Thursday, 19 January 2012 16:59:38 UTC