FW: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)] from Mike O'Neill on 2012-10-23 (public-tracking@w3.org from October 2012)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Tue, 23 Oct 2012 14:48:31 +0100
To: <public-tracking@w3.org>
Message-ID: <046f01cdb125$16eefdc0$44ccf940$@baycloud.com>
 

Fred,

 

My comments in-line.

 

Cheers,

 

Mike

 

 

From: Fred Andrews [mailto:fredandw@live.com] 
Sent: 23 October 2012 13:37
To: Mike O'Neill; 'Nicholas Doty'
Cc: public-tracking@w3.org
Subject: RE: tracking-ISSUE-183 (Tk E ): Additional Tk header status value
for EU [Tracking Preference Expression (DNT)]

 

Hi Mike,

> From: michael.oneill@baycloud.com
...
> I agree that returning a 3 status would be functionally equivalent, but
both
> the value and descriptive text will not correspond to the majority usage
in
> Europe. Request handlers (associated with particular URIs) could have been
> written to always operate in a 1st party context but will have to cause
the
> 3 status to be returned (if DNT = 1) which seems inappropriate.
Implementers
> will also be confused by the text which says "the designated resource is
> designed for use within a third-party context", when it has not.
> 
> I initially thought that we could fix this by changing the descriptive
text,
> but it gets too long winded and confusing. My suggestion is to add another
> status value for this majority situation with a simpler description, to
make
> the requirement clear for implementers. I do not think the added
complexity
> of an extra status value, though it may be technically redundant, is too
bad
> compared with the resulting gain in clarity.

The handler needs to decide if it confirms to the requirements of a 1st
party
or 3rd party so surely it could just return 1 or 3.  Having to further
decide
between 3 or E seems an extra step that may not even be trivial given the
rather vague distinction between 1st and 3rd party contexts.

 


The handler can return either, (3 or E), it doesn't have to decide (because
they are functionally equivalent).

 

What I mean is if the handler was designed to operate in a 1st party context
but conforms to the TPC as a 3rd party (with exemptions etc., otherwise it
would just return N) it could return E, where the description is "the
designated resource may be designed for use in a first-party context but
conforms to the requirements on a third party". There is no requirement for
more logic, this is just for clarity.


A description such as "3: The designated resource conforms to the
requirements
on a third party." seems simpler and clearer to me and is not conflated by
the
1st / 3rd party context distinction.

I would agree with that text but the value 3 is still confusing in the
majority case.



I thought you agreed there should be no 1st / 3rd party distinction so
surely
it would be better to ride the response status values of the 1st / 3rd party
context
distinction rather than adding to the mess.

 

I do agree but that is how the spec is now, and is the distinction is
unlikely to be removed. As it exists we should make the situation clear for
implementers who want to signal they acknowledge DNT:1 (conform as 3rd
parties as per the TPC) even in a 1st party context.



> The point about particular resource URIs changing from 3rd to 1st party
> context is one of the reasons for the change I suggested in issue-182. The
> user-agent has the party information at hand when it sends out a request,
> and it would be simple for it to communicate this to the server in the DNT
> header. For example the handler associated with a social widget will
> normally receive a request indicating 3rd party context usage ( DNT: 1)
and
> the handler will return Tk3. If a user clicks on it a request will be sent
> out with the f qualifier ( DNT: 1f) and the handler can return a Tk1
> response if it now conforms to 1st party rules. 

If a social widget reserves the right to act as a 1st party then surely it
must
return Tk1 when loaded.  If the intention is otherwise then a new response
tracking status value is needed for this ambiguous or 'deferred decision'
case.

It should only return 1 when it has been requested in a 1st party context
i.e. it has been clicked on. A particular URI (handler) may have been
designed to always operate in a 1st party context but if the element causing
the request has been placed in error, say the same URI is the value of a src
attribute on an image tag, then it should (and regulators may want to) be
able to determine that. 

When a widget URI has been designed to be used in both a 1st party and 3rd
party context there should be a transparent way for the decision to be made,
otherwise bad actors may just always return Tk1 and claim they had
out-of-band evidence for it.

 



Browsers should not be burdened with having to monitor all communication
to social widgets to detect a Tk1 response and then have to try and disable
it.

I agree, I didn't imagine they would. 

A test for a workable DNT spec. should be that a browser can block resources
at load time if they do not agreed to the expressed tracking preference.

I agree, and they should be able to detect when a resource claims 1st party
compliance but is in fact loaded in a 3rd party context. Moreover external
compliance scanners, plug-ins etc. should be able to also, and entities
responsible for 3rd party resources should also be able to prove they have
received DNT:0 from a correctly formed API request.



cheers
Fred
Received on Tuesday, 23 October 2012 13:49:27 UTC