- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Fri, 2 Nov 2012 03:05:36 -0700
- To: Rigo Wenning <rigo@w3.org>
- Cc: public-tracking@w3.org, John Simpson <john@consumerwatchdog.org>
On Nov 1, 2012, at 4:28 PM, Rigo Wenning wrote:

> On Thursday 01 November 2012 15:32:31 Roy T. Fielding wrote:
>> If no protocol mechanism is provided, then it is likely that users
>> will be notified via the privacy policy, assuming that the server
>> adheres to any DNT signals.
>
> See, I have trouble with this generic privacy policy notification
> where it says in 35 pages that "we may ignore your DNT-signal if we
> believe it was wrong". Unfortunately, the user agent cannot detect
> when this is the case. The end of the story is that a user can't
> know whether his DNT signal is honored or not. This is as bad as
> having no DNT at all.

That's obviously not what it would say. It would say something like:
"DNT:1 is treated as an opt-out except when received from the following
user agents that have a broken implementation of DNT: ...". It is not
as bad as having no DNT signal.

> If the service sends status back and the browser doesn't show, the
> lacking transparency is the browser's fault. So IMHO, a service must
> have the ability to say no, but also MUST indicate that. We do not
> contradict the "must understand" of web services in general service
> conditions either. We need a status IMHO.

Sorry, I think you are assuming that the server would send a compliant
response to DNT if they had no ability to indicate non-compliance via
the protocol. I was assuming that they would not send any compliance
signal, ignore the W3C spec, and explain in their privacy policy why
this is so. They could still adhere to DNT semantics for the valid
browsers, just like many sites already do in a persistent opt-out way.

I do not mean to suggest that the privacy policy is a better
alternative; it is, however, an alternative, and it is not subject to
our compliance specification because it does not claim to be compliant.

If we want these servers to be compliant with DNT, we have to allow
them to communicate non-compliance in specific instances without
implying non-compliance in all instances.

> As you do this on a per-request basis (you can't know whether the
> next request comes from a bogus DNT implementation), you can only do
> so economically by returning a header IMHO, but I won't teach http
> to Roy...

That simply isn't true. Responses are on a per-UA basis, as must be
the case for any protocol influenced by cookie state, and are just as
capable for long-term communication as a cached HTML file is capable
of being rendered. Servers are fully capable of communicating
intentions that are beyond the scope of a single interaction.

....Roy
Received on Friday, 2 November 2012 10:05:59 UTC