- From: Rigo Wenning <rigo@w3.org>
- Date: Mon, 11 Jun 2012 09:32 +0200
- To: Tamir Israel <tisrael@cippic.ca>
- Cc: ifette@google.com, Shane Wiley <wileys@yahoo-inc.com>, Jeffrey Chester <jeff@democraticmedia.org>, Ninja Marnau <nmarnau@datenschutzzentrum.de>, Bjoern Hoehrmann <derhoermi@gmx.net>, David Singer <singer@apple.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>

Tamir,

we have some logic breaks in the below and that leads to the Canadian issue, which is IMHO just an instance of a larger problem.

On Friday 08 June 2012 22:56:20 Tamir Israel wrote:
> The similarities in regime break down, however, where a server
> rejects a DNT-1 (because it was set by default), and there is no
> alternate mechanism left for the user to opt-out. As the server
> can no longer rely on implicit/opt-out consent in this case,
> presumably they can no longer track.

Again, a protocol can't mean that a service MUST respect the things in the compliance specification without having committed to it by sending ACK.

To get to a situation you describe above in the Canadian system, a law would have to oblige services to respect DNT:1 and apply the rules of the compliance specification for all and every request they get with a DNT:1 header. I can't read that into the Canadian law.

One can only come to this conclusion if DNT:1 is only applied to online behavioral advertisement by third parties. Roy has urged us many times to define tracking in this way and the WG consistently refused. One consequence of this refusal is that a DNT:1 header can be sent to almost anything. This would turn off single-sign-on and other personalized services. So a service must be able to deny DNT:1 if the service would not make sense in the DNT:1 - mode.

Additionally, the right to opt-out does not create a right to receive the content. So in a Canadian context, if a service does not offer an opt-out, it can still deny content delivery. What a service wouldn't be able to do is to just continue tracking as if nothing happened.

Now if a user has sent DNT:1 and the service responds with NACK and the user continues to use that service, the service can reasonably assume that the user has implicitly agreed not to opt out.

If the user still sends DNT:1 headers, the OPC has to decide whether it wants the service to trigger an exception in the face of the user to stop the non-interaction of two blind-deaf DNT implementations.

Which brings me to the point (which ISSUE should I attach it to?) that a compliant user agent SHOULD NOT resend a request with DNT:1 to a URI after having received an NACK. (Some may want to prompt the user, others will find better solutions)

Best,

Rigo

Received on Monday, 11 June 2012 07:32:42 UTC