- From: Rigo Wenning <rigo@w3.org>
- Date: Fri, 04 May 2012 22:31:18 +0200
- To: ifette@google.com, Nicholas Doty <npdoty@w3.org>
- Cc: public-tracking@w3.org, Matthias Schunter <mts-std@schunter.org>, rob@blaeu.com
Ian,

this is very clear and I think we are at the core of the issue. I have to leave it to Rob (and it may take some time) to answer the question whether informed consent can be given to an unknown list of third parties tracking me. From my German and French law roots, I have a feeling it doesn't work, but maybe I'm wrong.

Your protocol would look like this:

    -> GET example.org/index.html
    <- only if you accept my third parties
    -> "*", now gimme the content
    <- DNT:t 200 OK
    [flood of subsequent uncontrolled requests]

Very simple. This mainly implements the use case to allow sites to turn users down if they have DNT on. It is very service centric. Simple, efficient, addressing the one use case that is of interest to the service. But the effort started because of user concerns. We are not here because the services have complained that they can't turn down users. It is also absolutely centric on the first party.

In this scenario, a web-wide exception doesn't buy you anything anymore, because a user will either accept tracking for all or be turned down. There is no other possibility, apart from a friendly site allowing you to get the content without tracking.

But wait, in this case it would be even simpler to send the DNT;0/1 header to the first party and get a 0/1/2 header back that tells my browser whether I'm blocked, tracked or not. This header would only be sent to the first party, because once the blocking was overcome, everybody gets a DNT;0 anyway. This way we can remove at least 50% of the wording in the TPE Specification. I think this is already implemented in most browsers and we would just have to adapt the feedback headers and a box saying: You only get the content if you click OK.

And you're right: What you call à la carte is perhaps too much data self determination and too much belief that the browser actually knows where it is sending requests to. If it knows that, shouldn't it accept the user's preferences on where to send what?

I still believe the burden of à la carte is justified and that the blocking situation that you describe is effectively a prompt for login, only faster.

Best,

Rigo

On Friday 04 May 2012 09:39:54 Ian Fette wrote:
> You seem to believe that for European use cases to be met, a site must
> request an explicit list of third parties rather than *. If that's true,
> it basically renders * useless, and would require polling on each site
> and introducing 1 round trip to the server to figure out if all third
> parties on your site are covered by exceptions. The browser can't tell
> the site "all your third parties are covered" a-priori in the à la carte
> case because the browser knows what third parties are covered, but not
> what third parties will actually be present on the site. This means that
> if a site only wants to show content if it's gotten an exception, it must
> first serve some javascript to poll which sites have exceptions, send the
> result back to the server, and then do something. This adds a HUGE amount
> of latency and is unacceptable.

Received on Friday, 4 May 2012 20:31:46 UTC