Re: meaning of DNT 1 and DNT 0 when sent by user agents [ISSUE-78]

On Jan 13, 2012, at 5:10 PM, Roy T. Fielding wrote:

> On Jan 13, 2012, at 2:41 PM, David Singer wrote:
>> In reading a separate thread, I realized that there is a potential issue here over DNT:0.
>> A little while back we discussed whether the UA should send a DNT header to the first party.  A number of us argued that it should, even if the first party is exempt: because the first party may care that its third parties are being asked not to track - it might ask for payment in consequence, for example.
>> This argument relies on the assumption that DNT is a single 'big switch', either on or off, but the discussion around DNT:0 reveals that people think it may be OK for the UA to send DNT:1 to some sites, and DNT:0 to others.
> Yes, that discussion is why I defined it as a big switch "on" with
> configurable exceptions to off.
> In that case, DNT: 0 is only received when the switch is on for
> others, which is as much information that the user agent can send
> to the first party without compromising its own configuration.
> But that only works as notification to first-parties if UAs do not
> implement a global switch with which the user can explicitly
> turn DNT off for all sites.

If a user has Do Not Track enabled with a few exceptions (through the site-specific exceptions proposal, say), I would expect that on initiating a new page load of DNT:1 is sent in the request to, even if the browser has some exceptions for trackers on
-- because the user agent doesn't know which domains resources referred to in the response HTML will be
-- because the user wants to follow the limits on 1st parties (probably something like: don't share the information of this visit with arbitrary third parties)
-- because the user might want to give a general expression of not wanting to be tracked, which the first party could choose to act on
-- because the site might want to know that their third parties may be receiving DNT:1 (though aren't necessarily).

> Until Wednesday, nobody had suggested that browsers would implement
> an off switch.  I'd like to know if WebKit will do that.

I can't speak for any browser vendors, but setting all requests to DNT:0 certainly seems like a plausible use case. Maybe I'm a European and I affirmatively want tracking by third parties while browsing so that advertising is likely to be more relevant to me.

>> So what, then, does the first party get?  DNT:1 if any third party is getting DNT:1, else DNT:0 if all are getting DNT:0?  An average of the DNT values :-) DNT:0.7 ??!
> The first party would get DNT 0 if an explicit exception exists.
> That does not tell the first party which, if any, of its
> subrequest partners might receive DNT 1 instead.  It only alerts
> them to the potential.

I think the first party's receiving DNT:1 can signal to them that other parties may be receiving DNT:1. And the first party's JavaScript can use APIs to determine which third parties are receiving that signal, if that level of detail matters to them.

>> Am I, as a UA, allowed to mix non-DNT requests into the mix?
> Not as currently defined.

I'm not sure I understand David's original question was here. I would think the spec should allow user agents to determine when to send DNT requests and when not to, which could include mixing DNT:1, DNT:0 and unspecified requests during the course of browsing. I would expect most implementations (at least initially) to send DNT:1 for all requests.


Received on Saturday, 21 January 2012 02:15:25 UTC