W3C home > Mailing lists > Public > public-tracking@w3.org > July 2012

RE: Prototype of Do Not Track Exceptions

From: TOUBIANA, VINCENT (VINCENT) <Vincent.Toubiana@alcatel-lucent.com>
Date: Mon, 2 Jul 2012 13:27:45 +0200
To: Jonathan Mayer <jmayer@stanford.edu>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <4D30AC7C2C82C64580A0E798A171B4445337E2B466@FRMRSSXCHMBSD1.dc-m.alcatel-lucent.com>
Jonathan,

Thank you for sharing the code of the extension, this looks great. 
A quick note regarding point 2): I think  it should be enough for the UA to "be able to handle an exception request" (as forumlated in Issue-151). Thus the UA could be designed to accept (or reject) all exception requests and still be compliant.

Vincent
________________________________________
From: Jonathan Mayer [jmayer@stanford.edu]
Sent: Saturday, June 30, 2012 1:13 AM
To: public-tracking@w3.org
Subject: Prototype of Do Not Track Exceptions

Last week's meeting left open three sizable questions about the Do Not Track exception API.

1) Should we provide for explicit-explicit exceptions?

2) Should a compliant user agent be required to implement the exception API?

3) Should we specify some UI elements or language for the exception API?

Several working group participants suggested it could be difficult to build consensus on these issues in the abstract.  I agree.  And so I went ahead and implemented a prototype exception API in a Firefox extension.  The source is at https://github.com/jonathanmayer/Do-Not-Track/tree/master/exceptions, and I've attached a few screenshots.  I want to emphasize: this is a prototype implementation.  It's buggy, slow, insecure, and has a number of feature limitations.

Here are a few takeaways for the group to consider.

1) Once site-wide and web-wide exceptions are supported, the marginal effort to support explicit-explicit exceptions is slight.

2) A reasonable UI seems possible for explicit-explicit exceptions.

3) Implementing the exception API requires orders of magnitude greater effort than implementing the "DNT: 1" header.  Developers need to additionally build:
-a JavaScript API
-an exception backend
-an exception request backend
-an exception request UI
-an exception management UI
-more complicated header modification
And asynchronous message passing among many of those modules.  As a rough comparison, my reference Chrome header extension is 9 lines, while my prototype Firefox exception extension is already 521 lines.  If we were to require the exception API in compliant user agents, I would expect some user agents would just be non-compliant and some would decide against implementing Do Not Track.

4) The exception request and management UIs are *very* hard to get right.  I've already iterated a few times, and the prototype still needs *a lot* of work.  I would strongly caution against specifying UI elements or language; getting the Do Not Track UI right is going to be a long-term learning process.

Best,
Jonathan
Received on Monday, 2 July 2012 11:28:19 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:52 UTC