RE: on negotiating site exceptions (was Re: Work ahead; volunteers?)

I am hoping that DNT will help us move away from opt-out cookies. Using cookies for exceptions will also be problematic for consumers.

JC

-----Original Message-----
From: Shane Wiley [mailto:wileys@yahoo-inc.com] 
Sent: Tuesday, March 27, 2012 7:29 PM
To: David Singer; public-tracking@w3.org (public-tracking@w3.org)
Subject: RE: on negotiating site exceptions (was Re: Work ahead; volunteers?)

David,

We're attempting to move beyond cookies with DNT.  If cookies were "enough" there wouldn't be calls for a persistent preference store on the web browser that sits outside of cookies (aka - DNT).  I believe your comments are looking a bit in the rear-view mirror instead of the future of the Internet in front of us that is relying less on cookies (mobile and interactive TV experiences for example).

- Shane

-----Original Message-----
From: David Singer [mailto:singer@apple.com] 
Sent: Tuesday, March 27, 2012 7:45 PM
To: public-tracking@w3.org (public-tracking@w3.org)
Subject: on negotiating site exceptions (was Re: Work ahead; volunteers?)

I tend to wonder whether we've got the right model here.

As I see it (maybe askew), we're saying that roughly:
* the user visits a 1st party site with DNT on, and the first party loads some scripts into the UA, which then "asks the user" (actually the UA) to get some kind of exception for this 1st party site's 3rd parties.  If granted, the UA will then send DNT:0 to those 3rd parties when present on that 1st party.

In some sense, we're asking that the UA remember something and return it later - which is what cookies do.

I think it equally likely, and rather easier to engineer, that the 1st party site sees the DNT header and takes the user to a page, where it can explain 
* either accept the reduced site for DNT-users
* or pay for the premium tracking-and-advertising free site;
* or grant my third parties an exception.

If the user chooses the last, the 1st party does an "out of band" signal to the 3rd party (e.g. by using a special URL form) that they have the exception, and the 3rd party can then use a cookie to remember that.  All that remains is when the UA sees the [response header | well-known resource] saying "this 3rd party claims a user exception on this 1st party site" the UA can check with the user, if it likes, and then remember that. In this case, the 3rd party would get the 'blanket' DNT:1 from the UA, and the cookie that it set saying "but this user gave me an exception".

It seems that using regular pages to do the explanation and interaction could be more pleasant than scripts.

In this scenario, the UA can still allow the user to configure 'trusted third parties' or 'trusted 3rd parties when on specific 1st parties' if it likes, as well (and send them DNT:0).

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Wednesday, 28 March 2012 15:35:35 UTC