RE: SHOULD or MUST for responses to DNT;1?

But the average user won't see the response header anyway, right?  And in the scenario below, there would certainly be legal repercussions on a site that advertised or stated (more publicly than a response header) that it was respecting DNT and then silently changed its practices.

I think that without having more information on the server load and impact from response headers, we shouldn't require this.

-----Original Message-----
From: Vincent Toubiana [mailto:v.toubiana@free.fr] 
Sent: Thursday, January 19, 2012 10:04 AM
To: Matthias Schunter
Cc: public-tracking@w3.org
Subject: Re: SHOULD or MUST for responses to DNT;1?

Hi Matthias,


I still think that the site "MUST send a corresponding DNT response header"; otherwise websites could stop respecting DNT without users being aware of it.

Here is an example:
- A website X advertises that it respects DNT even though it's not sending the DNT response header.
- Because users do not see any inconvenience in not receiving the header, they accept visiting websites that publish X's content.
- Later X decides to stop respecting DNT; however, users keep interacting with X because they are unaware of this change.

Best regards,

Vincent


On Jan 19, 2012, at 5:59 PM, Matthias Schunter wrote:

> Hi Folks,
> 
> 
> Here is the proposed text that evolved during yesterday's telco:
> 
> --------------------------------------
> A site that receives DNT;1 MUST follow the corresponding practices as 
> defined in the [standards compliance] document and SHOULD send a 
> corresponding DNT response header.
> 
> Note: If a site chooses not to send a response header, then the user 
> agent does not obtain information whether the preference has been 
> accepted or not. This may have negative consequences for the site such as:
> - Preventive measures by user agents
> - Being flagged as non-compliant by scanning tools that look for 
> response headers
> ---------------------------------------------------
> 
> I'll ask Roy to include this text into the draft for "PENDING REVIEW".
> Comments are welcome.
> 
> Regards,
> matthias
> 
> 
> On 1/17/2012 5:45 PM, Matthias Schunter wrote:
>> You are right: This discussion has been misplaced.  ISSUE-51 and
>> ISSUE-81 are better (albeit not perfect) fits.
>> 
>> matthias
>> 
>> 
>> On 1/17/2012 1:04 AM, Kevin Smith wrote:
>>> Matthias,
>>> 
>>> Did you intend to attach this to Issue 105?  Seems like that issue focuses on responses to requests on which there was no DNT: request, not when the server gets a DNT:1 request header.  Seems like this should perhaps be attached to Issue 51 or 81.  Sorry if I am missing something obvious.
>>> 
>>> -----Original Message-----
>>> From: Matthias Schunter [mailto:mts@zurich.ibm.com]
>>> Sent: Monday, January 16, 2012 10:01 AM
>>> To: John Simpson
>>> Cc: public-tracking@w3.org
>>> Subject: Re: tracking-ISSUE-105: Response header without request 
>>> header? [Tracking Preference Expression (DNT)]
>>> 
>>> Hi All,
>>> 
>>> 
>>> I gave this another thought and I now have the impression that SHOULD may be sufficient. A wording like:
>>>  If a site receives a DNT;1 request header, then it SHOULD send a 
>>> DNT response header.
>>> (header details defined elsewhere)
>>> 
>>> Reasoning:
>>> 1. In order to be compliant, a site needs to satisfy the compliance and DNT specs
>>> 2. A site that is compliant with the above wording honors a DNT=1 request
>>>    but may not send a corresponding acknowledgement (for whatever 
>>> reason)
>>> 
>>> The result would be that a site sufficiently protects privacy (according to the compliance spec) while not advertising the fact.
>>> This will make users assume the worst (i.e., that DNT=1 was not honored).
>>> 
>>> While this is not optimal, it at least ensures that the site provides more privacy than promised which I believe to be OK from a privacy perspective.
>>> 
>>> A benefit of SHOULD is that sites could improve their data collection/retention/usage first to satisfy the compliance spec and then later do further upgrades to provide transparency/notice. An example would be a site that never stores anything while ignoring DNT.
>>> Similar to today's practice that privacy policies usually over-state the potential uses of the collected data.
>>> 
>>> What do you think?
>>> 
>>> 
>>> Regards,
>>> matthias
>>> 
>>> 
>>> On 12/20/2011 9:58 PM, John Simpson wrote:
>>>> Agree that if request header is DNT=1, then a site MUST send a 
>>>> response header to be compliant.
>>>> 

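The SHOULD-versus-MUST trade-off argued in this thread can be made concrete with a small model. The following is an added example, not code from any participant or from the W3C draft: it models a site that receives a request, applies (or does not apply) the DNT practices, and optionally sends an acknowledgement header, together with the kind of "scanning tool that looks for response headers" mentioned in Matthias's note. The request header is written as `DNT: 1` (the thread writes it as DNT;1); the response header name and value `DNT: 1` are an assumption, since the thread says the header details are defined elsewhere. The model shows why a scanner cannot distinguish Matthias's case (compliant site, no acknowledgement) from Vincent's case (site that silently stopped complying) when the header is only a SHOULD.

```python
# Added example (not from the mailing-list thread). Header names and values
# other than the "DNT: 1" request header are ASSUMPTIONS for illustration.

def handle_request(request_headers, honors_dnt=True, sends_ack=True):
    """Model a site receiving one request.

    Returns (practices, response_headers):
      practices        - "dnt-compliant" if the site follows the
                         [standards compliance] practices for this request,
                         otherwise "unrestricted"
      response_headers - headers the site sends back
    """
    dnt = request_headers.get("DNT")
    response_headers = {}
    practices = "unrestricted"
    if dnt == "1" and honors_dnt:
        practices = "dnt-compliant"
        if sends_ack:
            # ASSUMPTION: the acknowledgement is a "DNT: 1" response header.
            response_headers["DNT"] = "1"
    return practices, response_headers


def scan_for_response_header(request_headers, response_headers):
    """A scanning tool as described in the note: it only observes headers,
    never the site's actual data practices.

    Returns "not-applicable" when no DNT:1 was requested, "acknowledged"
    when a response header is present, and "flagged-no-response-header"
    otherwise (the consequence the note warns about).
    """
    if request_headers.get("DNT") != "1":
        return "not-applicable"
    if "DNT" in response_headers:
        return "acknowledged"
    return "flagged-no-response-header"


def scanner_can_distinguish(request_headers):
    """Return True if the scanner's verdict differs between a site that
    honors DNT without acknowledging it (Matthias's case) and a site that
    has stopped honoring DNT (Vincent's case). Under SHOULD it cannot."""
    _, honoring_no_ack = handle_request(request_headers, honors_dnt=True, sends_ack=False)
    _, stopped = handle_request(request_headers, honors_dnt=False, sends_ack=False)
    return (scan_for_response_header(request_headers, honoring_no_ack)
            != scan_for_response_header(request_headers, stopped))


if __name__ == "__main__":
    # Constructed sample request: a user agent sending DNT: 1.
    req = {"Host": "example.test", "DNT": "1"}
    print(handle_request(req))                              # compliant + ack
    print(handle_request(req, sends_ack=False))             # compliant, silent
    print(scanner_can_distinguish(req))                     # False
```

The last line is the crux of Vincent's argument: with the acknowledgement optional, the observable behaviour of a silently compliant site and a site that has stopped complying is identical, so neither a user agent nor a scanner has anything to react to. Under Matthias's wording that is accepted as "more privacy than promised"; under MUST, a missing header would itself be a compliance defect a scanner could flag.
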
Received on Thursday, 19 January 2012 18:36:58 UTC