Re: ACTION-253 ISSUE: 119 and ACTION 208 ISSUE-148 Response signal for "not tracking" and definition for DNT:0 from Rigo Wenning on 2012-09-16 (public-tracking@w3.org from September 2012)

From: Rigo Wenning <rigo@w3.org>
Date: Sun, 16 Sep 2012 23:13:48 +0200
To: public-tracking@w3.org
Cc: "Amy Colando (LCA)" <acolando@microsoft.com>, David Singer <singer@apple.com>, David Wainberg <david@networkadvertising.org>, Nicholas Doty <npdoty@w3.org>
Message-ID: <58603434.XgEcCAY4lo@hegel.sophia.w3.org>

Amy, 

the "not tracking at all" is one possible answer to the DNT:1 token 
sent by a user. Remember, the UA can send those DNT-tokens also to 
first party sites. Especially in the EU context, this also makes 
sense. And it provides some very easy handshake for those simple 
sites. (and may give them DNT:0 for EU controls and session cookies 
etc)

So the tracking definition is one thing (minima -> US)
But the DNT protocol is useful far beyond that as a communication 
mechanism capable of expressing privacy statements (consent -> EU)

The problem is then that a kind of "super privacy state" is created 
(as we have seen in past discussions). We can compromise by allowing 
them to just send the "not tracking" status back. Because we have no 
other token conveying that meaning. We could send "1" for first 
party. But this isn't really what happens here. "N" just says, there 
is no collection beyond the security mechanisms (usual logging etc). 

I'm really missing a status token that just sends back that a site 
accepts and honors the DNT:1 header. For the moment, the 
Specification is too implicit and thus makes difficulties for 
logging and audit on the client side. One could imagine that sending 
"1" has the meaning. "first party and honoring your DNT:1"

Rigo

On Thursday 13 September 2012 20:08:33 Amy Colando wrote:
> This is (one of) the items that continues to confuse me about the
> "no tracking" claim -- aren't all of these examples that David
> Singer cites below (including the original example of
> http://duckduckgo.com/) first parties?  In which case, having a
> first party say that they don't make use of the permitted uses
> that apply only to third parties makes little sense.  And I
> cannot imagine a scenario in which a third party would respond
> that they weren't making use of permitted use exceptions -- they
> simply wouldn't be present on the site at all.
> 
> Also agree with David Wainberg on tracking definition.

Received on Sunday, 16 September 2012 21:14:16 UTC