RE: Modifying a DNT Header (ISSUE-153, ACTION-285)


I disagree on all of your examples - and the current draft already speaks to intermediaries such as corporate or library scenarios.  If Severs have no confidence that USERS are directly activating DNT, they will not implement DNT (for the most part, I'm sure a few Universities would still implement since they don't rely on online advertising to pay for their web sites).

I'm not asking for the UA to police the situation (although that would be best) but rather to provide a method for good actor 3rd party tools to declare they are the ones setting/sending the DNT signal, not the web browser.

- Shane

-----Original Message-----
From: Walter van Holst [] 
Sent: Wednesday, November 07, 2012 1:52 PM
Subject: Re: Modifying a DNT Header (ISSUE-153, ACTION-285)

On 11/7/12 9:18 PM, Shane Wiley wrote:
> As long as 3rd party changes are recorded and sent to the Server for 
> assessment (Issue-143).  If 3rd party tools can game DNT (activate it 
> with no user interaction and make it appear as if the browser is doing 
> this), then I doubt many Servers will ever implement DNT.  This is a 
> critical issue that needs to be resolved to the satisfaction of both 
> sides of the debate if there is any hope for DNT to be a viable, 
> voluntarily implemented, standard.

That requirement that is impossible to meet. The UA has no control over the network between the UA and the server and therefore possibly cannot even detect such changes, let alone send them to the server for assessment.

A few scenarios:

1) User A uses a Chromebook in an enterprise environment, managed by X.
X has per corporate security policy transparant proxies for all HTTP traffic that insert DNT:1 for all outgoing HTTP requests, regardless of User A's preferences.

2) User B uses Chrome on a desktop machine that has an ad-blocking proxy installed, the Chrome configuration points to as a proxy, but other than that the UA has no real means to detect that there is a proxy and what it does. This particular proxy puts in DNT:1, without even paying attention to the Chrome preferences in this regard.

3) User C uses Chrome in conjunction with an extension that is acquired from outside Google's extension appstore. The extension leaves the Chrome DNT preferences untouched, but nonetheless puts in DNT:1 in outgoing HTTP requests.

How is Chrome going to be compliant with your requirement in any of the above scenarios, neither of which is unlikely to ever happen?

And I don't even think it should be problematic in the above given scenarios. In scenario 1, User A has to adhere to a corporate policy and given the business nature of the relationship with X (for example employer-employee relation), it can be argued that A's preferences are not relevant and only X's preferences.

In scenarios 2 and 3 the user most likely chose consciously to use these third party tools and it can be equally argued that the browser configuration just not happens to reflect the users informed non-consent with being tracked and that the third-party tool installation does a better job at that.

Bottom line: let's honour the principle that the user gets to decide what happens on his or her machine and not include second guesses of the user's stated intent in the specification.



Received on Wednesday, 7 November 2012 21:08:02 UTC