Re: ACTION-212: Draft text on how user agents must obtain consent to turn on a DNT signal

On Nov 1, 2012, at 4:28 PM, Rigo Wenning wrote:
> On Thursday 01 November 2012 15:32:31 Roy T. Fielding wrote:
>> If no protocol mechanism is provided, then it is likely that users
>> will be notified via the privacy policy, assuming that the server
>> adheres to any DNT signals.
> 
> See, I have trouble with this generic privacy policy notification 
> where it says in 35 pages that "we may ignore your DNT-signal if we 
> believe it was wrong". Unfortunately, the user agent cannot detect 
> when this is the case. The end of the story is that a user can't 
> know whether his DNT signal is honored or not. This is as bad as 
> having no DNT at all.

That's obviously not what it would say.  It would say something
like: "DNT:1 is treated as an opt-out except when received from the
following user agents that have a broken implementation of DNT: ...".
It is not as bad as having no DNT signal.

> If the service sends status back and the browser doesn't show, the 
> lacking transparency is the browsers fault. So IMHO, a service must 
> have the ability to say no, but also MUST indicate that. We do not 
> contradict the "must understand" of web services in general service 
> conditions either. We need a status IMHO..

Sorry, I think you are assuming that the server would send a
compliant response to DNT if they had no ability to indicate
non-compliance via the protocol.  I was assuming that they would
not send any compliance signal, ignore the W3C spec, and explain
in their privacy policy why this is so.  They could still adhere
to DNT semantics for the valid browsers, just like many sites
already do in a persistent opt-out way.

I do not mean to suggest that the privacy policy is a better
alternative; it is, however, an alternative, and it is not
subject to our compliance specification because it does not
claim to be compliant.

If we want these servers to be compliant with DNT, we have to
allow them to communicate non-compliance in specific instances
without implying non-compliance in all instances.

> As you do this on a per-
> request basis (you can't know whether the next request comes from a 
> bogus DNT implementation), you can only do so economically by 
> returning a header IMHO, but I won't teach http to Roy...

That simply isn't true.  Responses are on a per-UA basis, as
must be the case for any protocol influenced by cookie state,
and are just as capable for long-term communication as a cached
HTML file is capable of being rendered.  Servers are fully
capable of communicating intentions that are beyond the scope
of a single interaction.

....Roy

Received on Friday, 2 November 2012 10:05:59 UTC