Privacy consideration specifies an unenforceable "MUST NOT" condition on developers #1113

Closed
mgiuca opened this issue Mar 7, 2024 · 0 comments · Fixed by #1114

Collaborator

mgiuca commented Mar 7, 2024

Under "Privacy consideration: start_url tracking", there is the following normative requirement:

> Additionally, developers MUST NOT use the start URL to include information that uniquely identifies a user (e.g., "?user=123" or "/user/123/", or "https://user123.foo.bar").

Although it has good intentions, this is unenforceable. Specs do not give requirements to site developers; they give requirements to user agents, and information to developers. If you identify potentially bad developer behaviour, you can't simply say "MUST NOT" to the developer; you have to identify the behaviour and give recommendations to the user agents on how to mitigate it.

In this case, I would recommend:

  1. Removing this requirement for developers.
  2. Adding a non-normative note that tells developers it would be irresponsible to do this (but acknowledging that we can't practically prevent it).
  3. A practical mitigation: Adding a MAY requirement for user agents to offer to uninstall apps associated with an origin when clearing site data. (I don't know of a browser that does this, but it's a reasonable UI and I think it's something that we've discussed before.)