- From: Ronan Heffernan <ronansan@gmail.com>
- Date: Fri, 22 Mar 2013 18:05:24 -0400
- To: Justin Brookman <justin@cdt.org>
- Cc: public-tracking@w3.org
- Message-ID: <CAHyiW9+mRt138UK=tQpy+YFK8Sh=UW97S33WtfW8g7-oFtNV0Q@mail.gmail.com>
> I do think that for DNT to work, you need to be able to figure out who thinks they have an exception to track.

As Matthias and I discussed back-and-forth (yesterday?), it should be possible to do an asynchronous check, where a user who received an "L" response comes to a well-known URI and submits a "Do you think you have an out-of-band exception to track me?" query and comes back 24-48 hours later for an answer (as long as they do not clear their cookies in-between the query and the answer-check). Of course instantaneous would be nicer, but that isn't always possible. This would still be transparent, eventually.

--ronan

On Fri, Mar 22, 2013 at 4:39 PM, Justin Brookman <justin@cdt.org> wrote:

> On 3/22/2013 3:42 PM, Ronan Heffernan wrote:
>
> > Responding to a DNT:1 signal with an acknowledgement that a company follows DNT, and will abide by the restrictions (and permitted uses) therein, is easy. Responding with real-time lookups of whether OOBC exists is quite difficult (in many cases impossible), especially for large-scale systems that use CDNs and other distributed processing, and systems that do not receive technical information required to perform OOBC lookups until after some browsing has already happened.
>
> I just don't understand why these concerns hadn't been raised in the previous two years of discussions (it is possible they have and I was paying less attention to TPE, but if they were, they were resolved to the editors' and chairs' satisfaction). The mandatory response signal has been in the TPE for some time now. I would like to hear from others if feedback is effectively impossible for OOB. In which case, that's an argument that we should get rid of OOB and require implementation of the exception mechanism by user agents (something I had previously been reluctant to do).
>
> > If I understand the part of your proposal about the client-side software overriding the user's DNT:1 with a DNT:0, I find that to be a troubling and dangerous suggestion, far more open to abuse and less transparent to users than non-real-time OOBC determination.
>
> I am thinking out loud trying to find a way past this impasse. I do think that for DNT to work, you need to be able to figure out who thinks they have an exception to track. I do not know that out-of-out-of-band consent is envisioned in the TPE, but conceptually, if you have a user's opt-in permission to override browser settings via your own software, there's nothing in the compliance standard that would or should stop you from doing that. And it would be discoverable by at least a sophisticated end user that he was sending out DNT:0 signals to Nielsen domains. Not saying this is optimal, but it may be better than no visibility whatsoever into who asserts consent to track. And less subject to abuse precisely because of this visibility.
Received on Friday, 22 March 2013 22:06:12 UTC