RE: TPE sec 6.11 on clearing granted exceptions

+1

DNT is in essence a 1 bit super cookie which indicates a signal with a
supposedly universal meaning.

With third-party blocking becoming common maybe we don't need the x-domain
ability anyway. Maybe all we need to do is specify a well-known name for a
"can-track-me" cookie, and a consent API to signal back from the server that
the user has agreed to tracking so stop (site-specifically) blocking these
named cookies. The latter is in the interests of the third-party advertisers
so it should be easier to get agreement on, and the well-known cookie name
can be initially inserted by the UA in every domain with the value
indicating the Do Not Track general preference. 

This way we leverage existing standards, let servers and UAs differentiate
on privacy, get a duration knob for revocation etc. 

Mike

-----Original Message-----
From: Roy T. Fielding [mailto:fielding@gbiv.com] 
Sent: 26 April 2013 09:31
To: Nicholas Doty
Cc: David Singer; public-tracking@w3.org (public-tracking@w3.org)
Subject: Re: TPE sec 6.11 on clearing granted exceptions

On Apr 25, 2013, at 4:40 PM, Nicholas Doty wrote:

> I think in-band user-granted exceptions have at least two advantages over
> use of cookies in storing exception consent:
> * DNT:0 can be sent even when there is no cookie or cookies are not sent
> * user-agent-managed exceptions can be reviewed and cleared from a
>   centralized store

So can a specialized cookie (a standard name that can optionally be
manipulated by an additional set of tools on the browser).  If a user agent
is not sending any cookies, sending DNT:0 is not going to help much.

> I think perhaps the SHOULD text is a little too specific; browsers are
> taking different approaches to clearing client-side state and while I think
> there probably always should be an option to clear all client-side state
> simultaneously, there will also very likely be implementations that clear
> cookies or other caches separately. I think the general principle of
> clearing state set and then subsequently accessible by JavaScript is an
> important one, and worth noting in the spec.
>
> That would be a third advantage for using in-band exceptions: exceptions
> may be retained when a user chooses to clear cookies but not other
> client-side state.
> 
> Thanks,
> Nick

I don't think I was clear.  Currently, the only advantage the UGE framework
has is that it doesn't get cleared when cookies get cleared.
If that isn't true, we should delete the entire framework and replace it
with a named cookie that is sent along with the DNT:1 signal.
Then we wouldn't have to wait until all browsers implement UGEs and we
wouldn't have to implement two different opt-in consent mechanisms.

....Roy

Received on Friday, 26 April 2013 09:50:23 UTC