RE: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)]

Perhaps I do see some elements of your perspective.  Could I present an example
to see if this reflects how you see DNT working?   Let's consider a search box widget
that loads with Tk:3 (let's say the request itself for the widget conforms to the 3rd
party requirements), and then when the user interacts with the search box and
submits a query, a new XHR request is dispatched and, let's say, returns with Tk:1 to
inform the user that it decided it was a first party and that they have been tracked.

Perhaps I still misunderstand, but if correct then this would appear to tilt the power
towards the website and give the user little defense apart from blacklisting the
resource so that it is not used again.  It also appears to exclude the ability for a
negotiation and gives little room for DNT to grow.   Some resources may want to
adapt to a preference to conform to 1st party or 3rd party requirements, or to
some future requirements yet to be defined.

Perhaps you are suggesting that the UA first read the tracking status resource
with the appropriate DNT header to indicate a preference for the resource to
comply with either the 1st or 3rd party requirements and then the server could
return a tracking status resource specific to this preference and the browser could
then decide whether to load or block the resource?   This would add a lot of latency to
requests, but perhaps could be cached.

cheers
Fred

From: fielding@gbiv.com
Date: Tue, 23 Oct 2012 17:11:07 -0700
CC: ifette@google.com; public-tracking@w3.org
To: fredandw@live.com
Subject: Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status value  for  EU [Tracking Preference Expression (DNT)]

On Oct 23, 2012, at 4:34 PM, Fred Andrews wrote:

'Yes, I support DNT' is not a clear answer as currently defined.

Does this mean 'Yes, I support DNT and conform to the 1st party requirements'
or does it mean 'Yes, I support DNT and conform to the 3rd party requirements'?

User agents do have a real need for a specific answer so they can defend the
user's tracking preference.
No, they don't need a specific answer on an after-the-fact response header field.  Either the server is telling the truth, (there is nothing to defend) or the server is lying (there is nothing that the protocol can add to be more truthful).
This would not prevent a user agent interested in more details from obtaining that information via the tracking status resource.
As I said, if we are defining first party in terms of user expectations then it is impossible for the user agent to know whether the response should be 1st or 3rd party, and even if it were possible to identify the first party by the first origin server identified in a hypertext reference (it is not), the UA would then have to automatically identify the shared domain ownerships and contractual relationships that determine how wide the scope of first party might be.
+1 to Ian's comments about simplifying the header response.
  Mike has also mentioned concern about EU requirements.

The EU requirements are not satisfied by automating incorrect answers.
....Roy

Received on Wednesday, 24 October 2012 02:18:03 UTC