- From: Rob van Eijk <rob@blaeu.com>
- Date: Sat, 23 Mar 2013 08:40:37 +0100
- To: Ronan Heffernan <ronansan@gmail.com>, Justin Brookman <justin@cdt.org>
- CC: public-tracking@w3.org
- Message-ID: <8d7e412f-984c-40af-ae0e-e78eee902348@email.android.com>
Eventually is not good enough. It seriously undermines the whole concept of DNT as a consent mechanism.

Rob

Ronan Heffernan <ronansan@gmail.com> wrote:

>> I do think that for DNT to work, you need to be able to figure out who thinks they have an exception to track.
>
> As Matthias and I discussed back-and-forth (yesterday?), it should be possible to do an asynchronous check, where a user who received an "L" response comes to a well-known URI and submits a "Do you think you have an out-of-band exception to track me?" query and comes back 24-48 hours later for an answer (as long as they do not clear their cookies in between the query and the answer-check). Of course instantaneous would be nicer, but that isn't always possible. This would still be transparent, eventually.
>
> --ronan
>
> On Fri, Mar 22, 2013 at 4:39 PM, Justin Brookman <justin@cdt.org> wrote:
>
>> On 3/22/2013 3:42 PM, Ronan Heffernan wrote:
>>
>> Responding to a DNT:1 signal with an acknowledgement that a company follows DNT, and will abide by the restrictions (and permitted uses) therein, is easy. Responding with real-time lookups of whether OOBC exists is quite difficult (in many cases impossible), especially for large-scale systems that use CDNs and other distributed processing, and systems that do not receive technical information required to perform OOBC lookups until after some browsing has already happened.
>>
>> I just don't understand why these concerns hadn't been raised in the previous two years of discussions (it is possible they have and I was paying less attention to TPE, but if they were, they were resolved to the editors' and chairs' satisfaction). The mandatory response signal has been in the TPE for some time now. I would like to hear from others if feedback is effectively impossible for OOB. In which case, that's an argument that we should get rid of OOB and require implementation of the exception mechanism by user agents (something I had previously been reluctant to do).
>>
>> If I understand the part of your proposal about the client-side software overriding the user's DNT:1 with a DNT:0, I find that to be a troubling and dangerous suggestion, far more open to abuse and less transparent to users than non-real-time OOBC determination.
>>
>> I am thinking out loud trying to find a way past this impasse. I do think that for DNT to work, you need to be able to figure out who thinks they have an exception to track. I do not know that out-of-out-of-band consent is envisioned in the TPE, but conceptually, if you have a user's opt-in permission to override browser settings via your own software, there's nothing in the compliance standard that would or should stop you from doing that. And it would be discoverable by at least a sophisticated end user that he was sending out DNT:0 signals to Nielsen domains. Not saying this is optimal, but it may be better than no visibility whatsoever into who asserts consent to track. And less subject to abuse precisely because of this visibility.
Received on Saturday, 23 March 2013 07:41:31 UTC