- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Fri, 26 Apr 2013 10:49:51 +0100
- To: "'Roy T. Fielding'" <fielding@gbiv.com>, "'Nicholas Doty'" <npdoty@w3.org>
- Cc: "'David Singer'" <singer@apple.com>, <public-tracking@w3.org>

+1

DNT is in essence a 1 bit super cookie which indicates a signal with a supposedly universal meaning. With third-party blocking becoming common maybe we don't need the x-domain ability anyway.

Maybe all we need to do is specify a well-known name for a "can-track-me" cookie, and a consent API to signal back from the server that the user has agreed to tracking so stop (site-specifically) blocking these named cookies. The latter is in the interests of the third-party advertisers so it should be easier to get agreement on, and the well-known cookie name can be initially inserted by the UA in every domain with the value indicating the Do Not Track general preference.

This way we leverage existing standards, let servers and UAs differentiate on privacy, get a duration knob for revocation etc.

Mike

-----Original Message-----
From: Roy T. Fielding [mailto:fielding@gbiv.com]
Sent: 26 April 2013 09:31
To: Nicholas Doty
Cc: David Singer; public-tracking@w3.org (public-tracking@w3.org)
Subject: Re: TPE sec 6.11 on clearing granted exceptions

On Apr 25, 2013, at 4:40 PM, Nicholas Doty wrote:

> I think in-band user-granted exceptions have at least two advantages over use of cookies in storing exception consent:
> * DNT:0 can be sent even when there is no cookie or cookies are not sent
> * user-agent-managed exceptions can be reviewed and cleared from a centralized store

So can a specialized cookie (a standard name that can optionally be manipulated by an additional set of tools on the browser). If a user agent is not sending any cookies, sending DNT:0 is not going to help much.

> I think perhaps the SHOULD text is a little too specific; browsers are taking different approaches to clearing client-side state and while I think there probably always should be an option to clear all client-side state simultaneously, there will also very likely be implementations that clear cookies or other caches separately. I think the general principle of clearing state set and then subsequently accessible by JavaScript is an important one, and worth noting in the spec.
>
> That would be a third advantage for using in-band exceptions: exceptions may be retained when a user chooses to clear cookies but not other client-side state.
>
> Thanks,
> Nick

I don't think I was clear. Currently, the only advantage the UGE framework has is that it doesn't get cleared when cookies get cleared. If that isn't true, we should delete the entire framework and replace it with a named cookie that is sent along with the DNT:1 signal. Then we wouldn't have to wait until all browsers implement UGEs and we wouldn't have to implement two different opt-in consent mechanisms.

....Roy

Received on Friday, 26 April 2013 09:50:23 UTC