- From: Shane Wiley <wileys@yahoo-inc.com>
- Date: Thu, 19 Jan 2012 09:01:22 -0800
- To: Matthias Schunter <mts@zurich.ibm.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Looks good - thank you Matthias! - Shane -----Original Message----- From: Matthias Schunter [mailto:mts@zurich.ibm.com] Sent: Thursday, January 19, 2012 8:59 AM To: public-tracking@w3.org Subject: Re: SHOULD or MUST for responses to DNT;1? Hi Folks, Here is the proposed text that evolved during yesterday's telco: -------------------------------------- A site that receives DNT;1 MUST follow the corresponding practices as defined in the [standards compliance] document and SHOULD send a corresponding DNT response header. Note: If a site chooses not to send a response header, then the user agent does not obtain information whether the preference has been accepted or not. This may have negative consequences for the site such as: - Preventive measures by user agents - Being flagged as non-compliant by scanning tools that look for response headers --------------------------------------------------- I'll ask Roy to include this text into the draft for "PENDING REVIEW". Comments are welcome. Regards, matthias On 1/17/2012 5:45 PM, Matthias Schunter wrote: > You are right: This discussion has been misplaced. ISSUES-51 and > ISSUE-81 are better (albeit not perfect) fits. > > matthias > > > On 1/17/2012 1:04 AM, Kevin Smith wrote: >> Matthias, >> >> Did you intend to attach this to Issue 105? Seems like that issue focuses on responses to requests on which there was no DNT: request, not when the server gets a DNT:1 request header. Seems like this should perhaps be attached to Issue 51 or 81. Sorry if I am missing something obvious. >> >> -----Original Message----- >> From: Matthias Schunter [mailto:mts@zurich.ibm.com] >> Sent: Monday, January 16, 2012 10:01 AM >> To: John Simpson >> Cc: public-tracking@w3.org >> Subject: Re: tracking-ISSUE-105: Response header without request header? [Tracking Preference Expression (DNT)] >> >> Hi All, >> >> >> I gave this another thought and I now had the impression that SHOULD may be sufficient. A wording like: >> If a site receives a DNT;1 request header, >> then it SHOULD send a DNT response header. >> (header details defined elsewhere) >> >> Reasoning: >> 1. In order to be compliant, a site needs to satisfy the compliance and DNT specs 2. A site that is compliant with above wording honors a DNT=1 request >> but may not send a corresponding acknowledgement (for whatever reason) >> >> The result would be that a site sufficiently protects privacy (according to the compliance spec) while not advertising the fact. >> This will make users assume the worst (i.e., that DNT=1 was not honored). >> >> While this is not optimal, it at least ensures that the site provides more privacy than promised which I believe to be OK from a privacy perspective. >> >> A benefit of SHOULD is that sites could improve their data collection/retention/usage first to satisfy the compliance spec and then later do further upgrades to provide transparency/notice. An example would be a site that never stores anything while ignoring DNT. >> Similar to today's practice that privacy policies usually over-state the potential uses of the collected data. >> >> What do you think? >> >> >> Regards, >> matthias >> >> >> On 12/20/2011 9:58 PM, John Simpson wrote: >>> Agree that if request header is DNT=1, then a site MUST send a >>> response header to be compliant. >>> >> >> >> >> >> >> > > > >
Received on Thursday, 19 January 2012 17:02:15 UTC