- From: Dobbs, Brooks <brooks.dobbs@kbmg.com>
- Date: Mon, 04 Jun 2012 10:52:31 -0500
- To: Rigo Wenning <rigo@w3.org>, <public-tracking@w3.org>
- CC: Justin Brookman <justin@cdt.org>, Shane Wiley <wileys@yahoo-inc.com>

Rigo,

Great to be working with you again! Hope you have been well.

To your points, I agree, but I am lost on your conclusion. I see where there is a requirement that the intermediaries don't inject headers, but equally I see a big red capital MUST describing that the expression reflect the user's preference. Both injecting/modifying the header or instantiating it (one way or the other) absent a reflection of the user's preference seem equally non-compliant.

IMHO it sets a very dangerous precedent (no matter where you side on the desirability of high adoption of DNT: 1) to say 1) the specification is founded in reflecting preference and, simultaneously, 2) default settings can reflect this preference. Isn't this argued very differently with respect to default browser settings implying consent for cookies in the EU?

-Brooks

On 6/3/12 9:48 AM, "Rigo Wenning" <rigo@w3.org> wrote:

> Hi Brooks,
>
> welcome back in the game. We have already discussed a requirement in the
> Specification that intermediaries shouldn't inject stuff. Issue is that the
> server doesn't see that it is an injection as we do not have hashing or some
> such SSL. So by receiving a DNT;1 header, the server has to assume this
> status and by receiving a DNT;0 can assume an exception. In case of
> injections, injecting DNT;1 is creating trouble for the server and injecting
> DNT;0 is creating trouble for the user. This is just a weak point of the
> protocol because of the lacking end-to-end security. We can surely require
> it, but does it buy us anything? I don't know. I would not object if someone
> would come up with a good wording.
>
> Rigo
>
> On Friday 01 June 2012 17:56:21 Dobbs, Brooks wrote:
>> New voice here... I might as well jump right into the controversy.
>>
>> I am not sure there is full consistency here. I read the spec as saying
>> "Key to that notion of expression is that it must reflect the user's
>> preference". This seems pretty foundational to me. Where there is a
>> significant likelihood for the origin server to believe that the
>> expression is not a reflection of the user's preference (either as a 1 or
>> a 0), wouldn't such server be in error to process it accordingly?
>> Conversely to the IE/AVG cases, if hypothetically an ISP were to inject
>> an extension into every DNT header which in the future allowed for an
>> exception, wouldn't the server be in error for always making room for
>> this exception where they know it to be coming from that ISP?
>>
>> -Brooks
>

--
Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the Wunderman Network
(Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
brooks.dobbs@kbmg.com

This email including attachments may contain confidential information. If you are not the intended recipient, do not copy, distribute or act on it. Instead, notify the sender immediately and delete the message.

Received on Monday, 4 June 2012 17:48:07 UTC