Re: meaning of DNT 1 and DNT 0 when sent by user agents [ISSUE-78]

My question was, can a UA mix dnt:0, dnt:1 and requests with no dnt header at all?

Dave Singer (iPhone)

On Jan 20, 2012, at 18:14, Nicholas Doty <npdoty@w3.org> wrote:

> On Jan 13, 2012, at 5:10 PM, Roy T. Fielding wrote:
> 
>> On Jan 13, 2012, at 2:41 PM, David Singer wrote:
>> 
>>> In reading a separate thread, I realized that there is a potential issue here over DNT:0.
>>> 
>>> A little while back we discussed whether the UA should send a DNT header to the first party.  A number of us argued that it should, even if the first party is exempt: because the first party may care that its third parties are being asked not to track - it might ask for payment in consequence, for example.
>>> 
>>> This argument relies on the assumption that DNT is a single 'big switch', either on or off, but the discussion around DNT:0 reveals that people think it may be OK for the UA to send DNT:1 to some sites, and DNT:0 to others.
>> 
>> Yes, that discussion is why I defined it as a big switch "on" with
>> configurable exceptions to off.
>> 
>> In that case, DNT: 0 is only received when the switch is on for
>> others, which is as much information that the user agent can send
>> to the first party without compromising its own configuration.
>> But that only works as notification to first-parties if UAs do not
>> implement a global switch with which the user can explicitly
>> turn DNT off for all sites.
> 
> If a user has Do Not Track enabled with a few exceptions (through the site-specific exceptions proposal, say), I would expect that on initiating a new page load of example.com DNT:1 is sent in the request to example.com, even if the browser has some exceptions for trackers on example.com.
> -- because the user agent doesn't know which domains resources referred to in the response HTML will be
> -- because the user wants example.com to follow the limits on 1st parties (probably something like: don't share the information of this visit with arbitrary third parties)
> -- because the user might want to give a general expression of not wanting to be tracked, which the first party could choose to act on
> -- because the site might want to know that their third parties may be receiving DNT:1 (though aren't necessarily).
> 
>> Until Wednesday, nobody had suggested that browsers would implement
>> an off switch.  I'd like to know if WebKit will do that.
> 
> I can't speak for any browser vendors, but setting all requests to DNT:0 certainly seems like a plausible use case. Maybe I'm a European and I affirmatively want tracking by third parties while browsing so that advertising is likely to be more relevant to me.
> 
>>> So what, then, does the first party get?  DNT:1 if any third party is getting DNT:1, else DNT:0 if all are getting DNT:0?  An average of the DNT values :-) DNT:0.7 ??!
>> 
>> The first party would get DNT 0 if an explicit exception exists.
>> That does not tell the first party which, if any, of its
>> subrequest partners might receive DNT 1 instead.  It only alerts
>> them to the potential.
> 
> I think the first party's receiving DNT:1 can signal to them that other parties may be receiving DNT:1. And the first party's JavaScript can use APIs to determine which third parties are receiving that signal, if that level of detail matters to them.
> 
>>> Am I, as a UA, allowed to mix non-DNT requests into the mix?
>> 
>> Not as currently defined.
> 
> I'm not sure I understand what David's original question was here. I would think the spec should allow user agents to determine when to send DNT requests and when not to, which could include mixing DNT:1, DNT:0 and unspecified requests during the course of browsing. I would expect most implementations (at least initially) to send DNT:1 for all requests.
> 
> —Nick

Received on Saturday, 21 January 2012 03:31:37 UTC