On Jul 13, 2012, at 9:01 AM, Tamir Israel wrote:
> Yes. But as a third party. If we really want to be sticklers about this:
> <http://tools.ietf.org/html/rfc2965>

The relevant spec is RFC 6265: http://www.rfc-editor.org/rfc/rfc6265.txt

> If there are limited security justifications for tracking, it may be useful to discuss these.

No, it wouldn't be useful to discuss them on a public list, and
I didn't say the ID cookies are being used for tracking or collecting
personal information.

>> ID cookies are not a significant privacy concern if data retention
>> is constrained in the ways already outlined for frequency capping.
>
> It is a significant privacy concern if users are not able to say: I don't trust server X. I've expressed my intention not to be tracked [DNT-1] (so I assume server X is no longer tracking me for any reason), and I do not wish to grant server X any type of exception. Because I don't trust them.

Then don't send requests to them. That kind of distrust can be handled
entirely within the browser. If you trust a server enough to think that
an extra eight bytes of information in the form of DNT:1 is sufficient
to protect your privacy, then you can trust them not to retain the
information that would be privacy sensitive even if an ID cookie is
part of the exchange.

If you don't trust the server, DNT:1 is a total waste of bytes.

....Roy