Re: tracking-ISSUE-149: Compliance section for user agents [Tracking Definitions and Compliance]

On May 29, 2012, at 19:38, Tracking Protection Working Group Issue Tracker wrote:

> tracking-ISSUE-149: Compliance section for user agents [Tracking Definitions and Compliance]
> Raised by: Aleecia McDonald
> On product: Tracking Definitions and Compliance
> We have some related sub-issues we may need to break out, or perhaps we can do this as one. We will talk as a group to see which of the itemized points below are things we wish to take on.  I expect we will need to create a new section in the Compliance document specifically about user agents.
> First, and a motivating factor underlying other issues, we have the example of the AVG anti-spyware package enabling DNT:1 for new users who purchase their product. As a group, we have discussed the idea that users must be making some choice for privacy -- perhaps via slider, or by downloading MyPrivateWebBrowser, or something -- in order for them to send DNT:1. Reasonable people who were part of those discussions are disagreeing as to whether installing AVG counts as a decision for privacy, or not. This is problematic. Whatever decision we make as a group, we need to (a) be clear about it ourselves so we can (b) write it down clearly for others. 

Somewhere else Shane wrote some nice language telling servers that they shouldn't 'bundle' decisions together, and we might need something like that for UAs as well.  But I don't see we can or should try to outlaw UAs that are designed and chosen because they send DNT:1 by default.

> Second, due to multiple addons that support Do Not Track, there could be conflicts. For example, a user could turn off DNT (not unset, actually off, sending DNT:0) in Firefox, yet install Abine's "Do Not Track Plus" addon (which sends DNT:1). More fun, users could have three different addons, each with a different value. Do we have either best practices or requirements for user agents here?

Ah, I suspect the TPE spec. needs to say that there may be at most one DNT header?

> Third, while we have documented DNT as being on / off / unset, do we want to write that as a requirement for user agents? User interface is out of scope by charter, but we could require user agents to offer all three options. Currently we only state all three are possible values (which we do document well.)

Unless DNT:0 means something other than no DNT, for server behavior, I think the user only needs to be asked "DNT with that, sir?".  DNT:0 is an artefact of the way that exceptions (user-granted) work, not a third choice.  I hope.

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Thursday, 31 May 2012 00:01:23 UTC