Re: issue-189

On May 14, 2013, at 11:49 PM, Mike O'Neill wrote:

> It was hoped that the TPE spec could meet the requirements for “browser settings” referred to in recital 66 of the EU Privacy Directive.  This has not been done, other than the ability to signal DNT:0 to embedded third-parties (which is nevertheless diminished by the confusion between the meaning of DNT unset in different jurisdictions). Given that tracking relies on storing unique identifiers in the browser, so that subsequent HTTP transactions from the same device/user can be associated with each other and the user’s web history collected, it would be relatively simple to extend user control over these identifiers.

It is not necessary.  Browser settings and controls over client-side
storage can be unique per browser -- they supposedly compete on UIs.
Likewise, server control over client-side storage is based on the
origin model and can be accomplished using any resource on the origin,
which might include the edit link or some resource linked from that
resource.  Hence, there is no need for a standard interface.

>  
> We could introduce a new member to the Tracking Status Resource JSON called, say, remove-storage. This contains the URI of a resource that will return a set-cookie or set-cookie2 header that deletes all cookies indicated in the request and also return an HTML document containing script that would delete localStorage. This would allow the user to cause their UA to send a GET to this resource to remove identifiers that may be used in a third-party context.
>  
> If it was thought that it is too late to introduce a protocol element at this stage we could add this as a requirement on origin servers if the resource indicated by the “edit” TSR member is accessed with DNT:1. This would only require some non-normative text to be added to the TRF description.

No, if the server wishes to provide that function, it can do so via
a link/form action from the edit resource.  It would be a poor design
to cause client-side information to disappear when the user simply
wants to find out what controls or prior consent status they might
have access to via the edit link.

....Roy

Received on Wednesday, 15 May 2013 23:12:07 UTC
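
An added illustration, not part of either message and not text from the TPE specification: a sketch of the design discussed above, in which a GET on the edit resource changes nothing and identifier removal is a separate form action reached from it. The paths `/dnt/edit` and `/dnt/remove-storage`, the cookie names, the `COOKIE_SCOPES` table and the choice of POST for the action are assumptions made for the example.

```python
from http.cookies import SimpleCookie

# Constructed sample: the Path/Domain this origin used when it set each cookie.
# A Set-Cookie only deletes a cookie when name, Path and Domain all match.
COOKIE_SCOPES = {"uid": ("/", ".tracker.example"), "seg": ("/ads", None)}

EDIT_PAGE = ('<form method="post" action="/dnt/remove-storage">'
             '<button>Remove stored identifiers</button></form>')
CLEAR_PAGE = ('<!doctype html><script>localStorage.clear();</script>'
              '<p>Identifiers removed.</p>')
EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"


def expire_headers(cookie_header):
    """Build Set-Cookie values that expire every cookie named in the request."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    values = []
    for name in jar:
        path, domain = COOKIE_SCOPES.get(name, ("/", None))
        value = f"{name}=; Path={path}; Max-Age=0; Expires={EPOCH}"
        if domain:
            value += f"; Domain={domain}"
        values.append(value)
    return values


def handle(method, path, cookie_header):
    """Return (status, headers, body) for the two hypothetical resources."""
    if path == "/dnt/edit" and method == "GET":
        # Viewing controls or consent status leaves client-side state alone.
        return 200, [], EDIT_PAGE
    if path == "/dnt/remove-storage":
        if method != "POST":
            return 405, [("Allow", "POST")], ""
        headers = [("Set-Cookie", v) for v in expire_headers(cookie_header)]
        headers.append(("Cache-Control", "no-store"))
        return 200, headers, CLEAR_PAGE
    return 404, [], ""
```

Cookies that arrive without an entry in the scope table are expired with `Path=/` and no `Domain`, which only removes host-only cookies set at the root path; anything set with a different scope survives.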