RE: ISSUE-125: Finding out whether a user agent supports DNT from SULLIVAN, BRYAN L on 2012-03-27 (public-tracking@w3.org from March 2012)

From: SULLIVAN, BRYAN L <bs3131@att.com>
Date: Tue, 27 Mar 2012 06:18:04 +0000
To: Shane Wiley <wileys@yahoo-inc.com>, Sean Harvey <sharvey@google.com>, Nicholas Doty <npdoty@w3.org>
CC: Matthias Schunter <mts-std@schunter.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <59A39E87EA9F964A836299497B686C350F486E81@WABOTH9MSGUSR8A.ITServices.sbc.com>

We would also like to extend DNT protections to users of devices/browsers that do not support DNT. There are various ways in which such preferences (and exceptions to them) can be managed and indicated by the user, in addition to DNT settings on the browser. These in most part don't require standardization (we've already mentioned some, e.g. the setting of DNT headers through an enterprise or service proxy), if the effect on user privacy and the parties in the service delivery path (e.g. the presence of DNT headers in requests and handling of them in responses) is per the spec. Even for users that do have DNT-enabled devices, such "out-of-band" preferences management can simplify (and make more reliable) their overall privacy experience.

Thanks,
Bryan Sullivan

From: Shane Wiley [mailto:wileys@yahoo-inc.com]
Sent: Monday, March 26, 2012 6:37 PM
To: Sean Harvey; Nicholas Doty
Cc: Matthias Schunter; public-tracking@w3.org
Subject: RE: ISSUE-125: Finding out whether a user agent supports DNT

Nick, thank you for the text - looks good to me.

Sean, this was to allow companies to begin setting "user granted exceptions" up front and not rely on out of band consent if they didn't want to.

For example, a publisher has several options to manage "user granted exceptions":

- 100% out of band - allows them to ignore the DNT:1 signal for users who grant the exception but the web browser will not be aware of this
- Mixed - request out of band exceptions from non-DNT users for some set of activities and only use browser user granted exceptions for those users that activate DNT
- 100% browser based - request all user granted exceptions through the browser regardless of the user's DNT signal (this is the text Nick provided)

It's still too early for me call which way publishers would like to go and will likely be depended on the type of exception they'd be seeking.  That said, it's nice to know that Yahoo!, as a publisher, has the full array of options to choose from as we discuss the pros/cons of each in context.

- Shane

From: Sean Harvey [mailto:sharvey@google.com]
Sent: Monday, March 26, 2012 7:06 PM
To: Nicholas Doty
Cc: Matthias Schunter; Shane Wiley; public-tracking@w3.org
Subject: Re: ISSUE-125: Finding out whether a user agent supports DNT

Hi Nick, I can't recall my involvement in this request, but in general i wasn't concerned about requesting exceptions even where there is no header. shane, what is the context in which this is relevant/important?

On Tue, Mar 27, 2012 at 4:06 AM, Nicholas Doty <npdoty@w3.org<mailto:npdoty@w3.org>> wrote:
I drafted a brief section in response to this request (which I think was coming primarily from Shane and Sean); that was ACTION-122.

6.6 Exceptions without a DNT header

Sites might wish to request exceptions even when a user arrives without a DNT header. Users might wish to grant affirmative permission to tracking on or by certain sites even without expressing general tracking preferences.

User agents may instantiate NavigatorDoNotTrack.requestSiteSpecificTrackingException even when navigator.doNotTrack is null. Sites should test for the existence of requestSiteSpecificTrackingException before calling the method. If an exception is granted in this context and the user-agent stores that preference, a user agent may send a DNT:0 header even if a tracking preference isn't expressed for other requests. Persisted preferences may also affect which header is transmitted if a user later chooses to express a tracking preference.

Note: Users might not configure their agents to have simple values for DNT, but use different browsing modes or other contextual information to decide on a DNT value. What algorithm a user agent employs to determine DNT values (or the lack thereof) is out of the scope of this specification.

http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#exceptions-when-not-enabled

If we're happy with that text as a response, then I think we can close this as having resolved the issue. Shane and Sean, does this text work for you? If not, would you like to take an action to write a counter-proposal or detail the use cases that this doesn't work for?

Thanks,
Nick

--
Sean Harvey
Business Product Manager
Google, Inc.
212-381-5330
sharvey@google.com<mailto:sharvey@google.com>

Received on Tuesday, 27 March 2012 06:19:17 UTC