- From: Peter Cranstone <peter.cranstone@3pmobile.com>
- Date: Fri, 13 Jul 2012 21:17:54 +0000
- To: "Roy T. Fielding" <fielding@gbiv.com>, Tamir Israel <tisrael@cippic.ca>
- CC: Peter Eckersley <peter.eckersley@gmail.com>, "W3C DNT Working Group Mailing List" <public-tracking@w3.org>
- Message-ID: <2A61AB2B87BB9342ABE5E22B2CA93C3ED5FCC7@mbx022-e1-nj-10.exch022.domain.local>

>> then you can trust them not to retain the
>> information that would be privacy sensitive even if an ID cookie is
>> part of the exchange.

Unfortunately you can't because there's no way to verify that they are trustworthy.

Peter
_________________________
Peter J. Cranstone
CEO. 3PMobile
Boulder, CO USA

Improving the Mobile Web Experience

Cell: 720.663.1752
Skype: cranstone
www.3pmobile.com <http://www.3pmobile.com/>

From: "Roy T. Fielding" <fielding@gbiv.com>
Date: Friday, July 13, 2012 2:45 PM
To: Tamir Israel <tisrael@cippic.ca>
Cc: Peter Eckersley <peter.eckersley@gmail.com>, W3C DNT Working Group Mailing List <public-tracking@w3.org>
Subject: Re: Frequency Capping
Resent-From: <public-tracking@w3.org>
Resent-Date: Friday, July 13, 2012 2:45 PM

On Jul 13, 2012, at 9:01 AM, Tamir Israel wrote:

> Yes. But as a third party. If we really want to be sticklers about this: <http://tools.ietf.org/html/rfc2965>

The relevant spec is RFC 6265: http://www.rfc-editor.org/rfc/rfc6265.txt

> If there are limited security justifications for tracking, it may be useful to discuss these.

No, it wouldn't be useful to discuss them on a public list, and I didn't say the ID cookies are being used for tracking or collecting personal information. ID cookies are not a significant privacy concern if data retention is constrained in the ways already outlined for frequency capping.

> It is a significant privacy concern if users are not able to say: I don't trust server X. I've expressed my intention not to be tracked [DNT-1] (so I assume server X is no longer tracking me for any reason), and I do not wish to grant server X any type of exception. Because I don't trust them.

Then don't send requests to them. That kind of distrust can be handled entirely within the browser.

If you trust a server enough to think that an extra eight bytes of information in the form of DNT:1 is sufficient to protect your privacy, then you can trust them not to retain the information that would be privacy sensitive even if an ID cookie is part of the exchange. If you don't trust the server, DNT:1 is a total waste of bytes.

....Roy

Received on Friday, 13 July 2012 21:18:21 UTC