RE: ePrivacy & DNT

Hi Walter,

It is no different to, say, how Tracking Protection works in Firefox (or
Tracking Protection Lists in IE). The user agent is enforcing the user's
preference not to be tracked, as A.10 requests. In these cases the action is
to block accesses to servers based on their presence on a curated list.

What I am suggesting is action depending on whether the user has given
affirmative consent, either in the user agent or in the application. In
addition it does not block completely or depend on a list, which has its own
problems.

I agree, there still should be a compliance spec, to particularise things
like fingerprinting and IP address retention. Also cookie synching and
re-spawning should be dealt with. But some things, like the persistence of
cookies, can be easily handled by user agents so why not?


Mike


-----Original Message-----
From: Walter van Holst [mailto:walter@vanholst.com] 
Sent: 20 December 2016 10:44
To: public-tracking@w3.org
Subject: RE: ePrivacy & DNT

On 2016-12-20 10:39, Mike O'Neill wrote:
> One thing to consider is who a compliance spec is directed at. Of
> course there should be requirements on server (i.e. web application)
> implementations but the "elephant in the room" is how user agents
> should react to DNT. It is not only a signal to applications, browsers
> can react to it also, as they must do for a host of other signals,
> e.g. cache headers.

It may be a bit unusual for us to disagree, but I don't see any place 
for a compliance spec that puts specific requirements on user agents. A 
compliance spec that would demand User Agents to shorten cookie 
lifespans makes no sense at all. Any server that would choose such a 
compliance spec can already shorten the cookie lifespan to a 
privacy-friendly period without asking the UA to do so. Conversely, a 
User Agent can already do so, regardless of how the server feels about 
DNT.

Regards,

  Walter

Received on Tuesday, 20 December 2016 11:19:50 UTC