RE: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)]

There is more to tracking than just tracking the resource request.  A browser can
block further tracking using the declared response tracking status value.

For example, a webpage includes a search box in an iframe and the UA signals
DNT:1 and that the resource conforms to the 3rd party requirements when
requesting this resource and expects Tk:3, and the response is Tk:1, so the browser
may choose to block the loading of the resource well before a search query has
been entered and tracked.

cheers
Fred

From: fielding@gbiv.com
Date: Tue, 23 Oct 2012 17:11:07 -0700
CC: ifette@google.com; public-tracking@w3.org
To: fredandw@live.com
Subject: Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)]

On Oct 23, 2012, at 4:34 PM, Fred Andrews wrote:

'Yes, I support DNT' is not a clear answer as currently defined.

Does this mean 'Yes, I support DNT and conform to the 1st party requirements'
or does it mean 'Yes, I support DNT and conform to the 3rd party requirements'?

User agents do have a real need for a specific answer so they can defend the
user's tracking preference.

No, they don't need a specific answer on an after-the-fact response header field.  Either the server is telling the truth, (there is nothing to defend) or the server is lying (there is nothing that the protocol can add to be more truthful).

This would not prevent a user agent interested in more details from obtaining that information via the tracking status resource.

As I said, if we are defining first party in terms of user expectations then it is impossible for the user agent to know whether the response should be 1st or 3rd party, and even if it were possible to identify the first party by the first origin server identified in a hypertext reference (it is not), the UA would then have to automatically identify the shared domain ownerships and contractual relationships that determine how wide the scope of first party might be.

+1 to Ian's comments about simplifying the header response.
Mike has also mentioned concern about EU requirements.

The EU requirements are not satisfied by automating incorrect answers.

....Roy

Received on Wednesday, 24 October 2012 00:40:17 UTC