Re: ACTION-258: Propose 'should' for same-party and why


On Wednesday 20 March 2013 15:26:44 Adrian Bateman wrote:
> I don't believe most "everyday" browsers will take the performance hit
> of downloading the TSR. For sites with resources from dozens of
> different origins this would add a significant overhead to browsing.
> In an environment where we are competing on millisecond differences
> in page loading it is hard to imagine adding a few dozen extra
> network requests to the flow.

This was precisely (near verbatim) the argument used by MS 10 years ago 
to create the P3P compact tokens that created so many issues. As in the 
past, it hardly masks the unwillingness to implement the real concept. 
MS is free not to implement, but they should be open about it. 

Currently IE takes the performance hit of loading hundreds of trackers 
and even waits for an entire ad-auction to happen and it can't load TSR 
or look at the DNT response headers? So all performance hit for tracking 
is ok, but no performance hit for Privacy is ok? MS can't claim privacy 
championship with the above argumentation.

By avoiding a cornerstone of the legal concept behind DNT, you implement 
something, but I would really question whether you could call that W3C 
Tracking Preference Expression.  

MS' implementation will break the legal concept behind the TPE. I send a 
service a DNT:1 header and I'm not able to see/read/understand the 
response. Go to the shop and shout "I want ice" and pay $2. They respond 
"no". You can't hear that because your browser is deaf. You continue to 
shout "ice" and pay $2 despite getting nothing back. 
I know you will make the argument that a service would respond to the 
DPA's browser. But legally it doesn't hold:

1/ There will be no DPA browser as the DPAs don't know how to make a 
2/ The legal system is not looking at how things look in general. The 
legal system wants to know whether THIS service is in THIS interaction 
lying to THIS user. Which means that pushing back users to someone who 
may or may not check responses is completely orthogonal to the user's 
need for privacy and her need for a meaningful interaction that allows 
for legal claims. 
3/ You would not need any TPE implementation at all as the only 
meaningful interaction takes place with the DPA browser. Everything else 
is the expression of a nice wish. DSL modems with default header 
injection are as good. But there is nothing binding the user can rely 
on. So there is no advantage compared to the current situation where tools 
spawn DNT:1 headers and nobody knows what it means or whether it is 
4/ I doubt that Roy's claim is right that a service would never react to 
a user. At least in the EU that would mean cookies are dead because a 
service can't react to a user's DNT:0 signal. 

To be meaningful, you need to at least look at the response header that you 
get anyway. It may mean that the response headers will dominate over the 
WKL despite the fact that the spec says the other way around. But I was 
always of the opinion that the WKL is adding overhead. 

Without meaningful TPE/TCS we will go further down the blocking tools. 
The transparency MS refuses to implement is key to the building of trust 
that the market place needs. So please re-consider. 


Received on Tuesday, 23 April 2013 13:01:46 UTC