- From: Vincent Toubiana <v.toubiana@free.fr>
- Date: Thu, 19 Jan 2012 19:03:46 +0100
- To: Matthias Schunter <mts@zurich.ibm.com>
- Cc: public-tracking@w3.org
Hi Matthias,

I still think that the site "MUST send a corresponding DNT response header"; otherwise websites could stop respecting DNT without users being aware of it.

Here is an example:
- A website X advertises that it respects DNT even though it's not sending the DNT response header.
- Because users do not see any inconvenience in not receiving the header, they agree to visit websites that publish X's content.
- Later X decides to stop respecting DNT; however, users keep interacting with X because they are unaware of this change.

Best regards,
Vincent

On Jan 19, 2012, at 5:59 PM, Matthias Schunter wrote:

> Hi Folks,
>
> Here is the proposed text that evolved during yesterday's telco:
>
> --------------------------------------
> A site that receives DNT;1 MUST follow the corresponding practices as
> defined in the [standards compliance] document and SHOULD send a
> corresponding DNT response header.
>
> Note: If a site chooses not to send a response header, then the user
> agent does not obtain information whether the preference has been
> accepted or not. This may have negative consequences for the site such as:
> - Preventive measures by user agents
> - Being flagged as non-compliant by scanning tools that look for
>   response headers
> ---------------------------------------------------
>
> I'll ask Roy to include this text into the draft for "PENDING REVIEW".
> Comments are welcome.
>
> Regards,
> matthias
>
> On 1/17/2012 5:45 PM, Matthias Schunter wrote:
>> You are right: This discussion has been misplaced. ISSUES-51 and
>> ISSUE-81 are better (albeit not perfect) fits.
>>
>> matthias
>>
>> On 1/17/2012 1:04 AM, Kevin Smith wrote:
>>> Matthias,
>>>
>>> Did you intend to attach this to Issue 105? Seems like that issue focuses on responses to requests on which there was no DNT: request, not when the server gets a DNT:1 request header. Seems like this should perhaps be attached to Issue 51 or 81. Sorry if I am missing something obvious.
>>>
>>> -----Original Message-----
>>> From: Matthias Schunter [mailto:mts@zurich.ibm.com]
>>> Sent: Monday, January 16, 2012 10:01 AM
>>> To: John Simpson
>>> Cc: public-tracking@w3.org
>>> Subject: Re: tracking-ISSUE-105: Response header without request header? [Tracking Preference Expression (DNT)]
>>>
>>> Hi All,
>>>
>>> I gave this another thought and I now had the impression that SHOULD may be sufficient. A wording like:
>>>   If a site receives a DNT;1 request header,
>>>   then it SHOULD send a DNT response header.
>>>   (header details defined elsewhere)
>>>
>>> Reasoning:
>>> 1. In order to be compliant, a site needs to satisfy the compliance and DNT specs
>>> 2. A site that is compliant with above wording honors a DNT=1 request
>>>    but may not send a corresponding acknowledgement (for whatever reason)
>>>
>>> The result would be that a site sufficiently protects privacy (according to the compliance spec) while not advertising the fact.
>>> This will make users assume the worst (i.e., that DNT=1 was not honored).
>>>
>>> While this is not optimal, it at least ensures that the site provides more privacy than promised which I believe to be OK from a privacy perspective.
>>>
>>> A benefit of SHOULD is that sites could improve their data collection/retention/usage first to satisfy the compliance spec and then later do further upgrades to provide transparency/notice. An example would be a site that never stores anything while ignoring DNT.
>>> Similar to today's practice that privacy policies usually over-state the potential uses of the collected data.
>>>
>>> What do you think?
>>>
>>> Regards,
>>> matthias
>>>
>>> On 12/20/2011 9:58 PM, John Simpson wrote:
>>>> Agree that if request header is DNT=1, then a site MUST send a
>>>> response header to be compliant.

Received on Thursday, 19 January 2012 18:04:30 UTC