Re: SHOULD or MUST for responses to DNT;1?

Hi Matthias,


I still think that the site "MUST send a corresponding DNT response header" otherwise website could stop respecting DNT without users being aware of it.

Here an example:
- A website X advertises that it respects DNT even though it's not sending the DNT response header. 
- Because users do not see any inconvenient with not receiving the header, they accept to visit website that publish X's content.  
- Later X decides to stop respecting DNT, however, users keep interacting with X because they are unaware of this change.

Best regards,

Vincent


On Jan 19, 2012, at 5:59 PM, Matthias Schunter wrote:

> Hi Folks,
> 
> 
> Here is the proposed text that evolved during yesterday's telco:
> 
> --------------------------------------
> A site that receives DNT;1 MUST follow the corresponding practices as
> defined in the [standards compliance] document and SHOULD send a
> corresponding DNT response header.
> 
> Note: If a site chooses not to send a response header, then the user
> agent does not obtain information whether the preference has been
> accepted or not. This may have negative consequences for the site such as:
> - Preventive measures by user agents
> - Being flagged as non-compliant by scanning tools that look for
> response headers
> ---------------------------------------------------
> 
> I'll ask Roy to include this text into the draft for "PENDING REVIEW".
> Comments are welcome.
> 
> Regards,
> matthias
> 
> 
> On 1/17/2012 5:45 PM, Matthias Schunter wrote:
>> You are right: This discussion has been misplaced.  ISSUES-51 and
>> ISSUE-81 are better (albeit not perfect) fits.
>> 
>> matthias
>> 
>> 
>> On 1/17/2012 1:04 AM, Kevin Smith wrote:
>>> Matthias,
>>> 
>>> Did you intend to attach this to Issue 105?  Seems like that issue focuses on responses to requests on which there was no DNT: request, not when the server gets a DNT:1 request header.  Seems like this should perhaps be attached to Issue 51 or 81.  Sorry if I am missing something obvious.
>>> 
>>> -----Original Message-----
>>> From: Matthias Schunter [mailto:mts@zurich.ibm.com] 
>>> Sent: Monday, January 16, 2012 10:01 AM
>>> To: John Simpson
>>> Cc: public-tracking@w3.org
>>> Subject: Re: tracking-ISSUE-105: Response header without request header? [Tracking Preference Expression (DNT)]
>>> 
>>> Hi All,
>>> 
>>> 
>>> I gave this another thought and I now had the impression that SHOULD may be sufficient. A wording like:
>>>  If a site receives a  DNT;1 request header,
>>>  then it SHOULD send a DNT response header.
>>> (header details defined elsewhere)
>>> 
>>> Reasoning:
>>> 1. In order to be compliant, a site needs to satisfy the compliance and DNT specs 2. A  site that is compliant with above wording honors a DNT=1 request
>>>   but may not send a corresponding acknowledgement (for whatever reason)
>>> 
>>> The result would be that a site sufficiently protects privacy (according to the compliance spec) while not advertising the fact.
>>> This will make users assume the worst (i.e., that DNT=1 was not honored).
>>> 
>>> While this is not optimal, it at least ensures that the site provides more privacy than promised which I believe to be OK from a privacy perspective.
>>> 
>>> A benefit of SHOULD is that sites could improve their data collection/retention/usage first to satisfy the compliance spec and then later do further upgrades to provide transparency/notice. An example would be a site that never stores anything while ignoring DNT.
>>> Similar to today's practice that privacy policies usually over-state the potential uses of the collected data.
>>> 
>>> What do you think?
>>> 
>>> 
>>> Regards,
>>> matthias
>>> 
>>> 
>>> On 12/20/2011 9:58 PM, John Simpson wrote:
>>>> Agree that if request header is DNT=1, then a site MUST send a 
>>>> response header to be compliant.
>>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>> 
>> 
>> 
>> 
> 
>

Received on Thursday, 19 January 2012 18:04:30 UTC