Re: Issue-4 from Tom Lowenthal on 2011-10-27 (public-tracking@w3.org from October 2011)

From: Tom Lowenthal <tom@mozilla.com>
Date: Thu, 27 Oct 2011 12:11:24 -0700
To: public-tracking@w3.org
Message-ID: <4EA9ACDC.3080602@mozilla.com>
### Scope ###

Section 1.2 of our charter ("Out of Scope") states:

> "While guidelines that define the user experience or user interface
may be useful (and within scope), the Working Group will not specify the
exact presentation to the user."

It is not this group's job to define how a user's agent should present
this feature to the user. We should define the criteria for compliance,
and the technical mechanism of expression. After that it is the
responsibility of the user's agent to accurately determine that user's
needs, and whether this user would prefer that this particular signal be
sent.

One option might be an checkbox in the browser's privacy settings, which
the user has to find and check. Another option might be Aleecia's
suggestion of a privacy slider. A super-duper-privacy-protecting browser
might always send the header. Some savvy users might use an older
browser, but manually add the header via a proxy on their machine or
their local network. In the year 2142, your personal robot may interview
you about your preferences and choose whether to send DNT based on its
assessment of your needs.

My point here is that talking about the defaults or the way that this
feature may be presented to users (if agents even choose to explicitly
present it at all) is a red herring. It's a browser's job to give a user
the web how that user wants it, and the UX teams at browsers are
infinitely more qualified to build an interface which accurately
interprets users' needs than this group is.


### Default Reaction ###

With regards to Roy's point on the call yesterday, and later Rigo's
email, from a protocol perspective, it doesn't matter what a browser's
default settings are. On day one of our first meeting, we agreed the
following points:

- When a server receives a header of "DNT:1" DNT is on.
- If a server does not receive that header, DNT is not on.

This is quite adequate from a server's perspective. Given receipt of a
particular signal, they know how to respond. Further, a site does not
need to know *how* a browser interrogated their user to determine that
user's preference, only that they did, just like with every other signal
sent by the browser.


### "Network Neutrality" ###

I think we all agree that we don't want to see the behavior where an ISP
forges DNT headers from its users unless it gets protection money.
However, we don't want to rule out users who might set DNT via a local
network proxy or similar technical means. We might also imagine a small
ISP which differentiates itself on its robust privacy features, and
offers a control panel where users can universally switch DNT on or off
for their own connection. I don't think we want to prevent this sort of
innovation.

In light of this, language prohibiting entities other than the browser
from setting DNT does not seem preferable, in addition to being about as
effective as standing on the beach and telling the tide not to come in.
Rather, I suggest language like:

> The DNT header **must only** be added, removed, or modified based on
the known preference of the user.

But leaving it up to any entity or piece of software to determine
exactly what their best method is for asking the user what they want.

   ---

Apologies for the wall of text,
-Tom



On 10/26/2011 12:12 PM, Jonathan Mayer wrote:
> A quick technical clarifying point on this - the DNT protocol could trivially encode whether an option is explicit or implicit.  We could (not saying we should) have five states.
> 
> User has expressed no preference and no intermediary has added a preference
> User has explicitly opted into tracking
> User has explicitly opted out of tracking
> User has expressed no preference, but an intermediary has added a preference indicating opt in to tracking
> User has expressed no preference, but an intermediary has added a preference indicating opt out of tracking
> 
> Likewise, we could (not saying we should) have corresponding policy for each of the states.  (It appears there's near-consensus that no preferences = governing law trumps, and I suspect there's near-consensus that there should be a very high bar to implicit opt in.)
> 
> On Oct 26, 2011, at 11:44 AM, Aleecia M. McDonald wrote:
> 
>>
>> Based on what we discussed in Boston, plus the conference call today, here is where I think we are for Issue-4:
>>
>> 	It is out of scope for the TPWG to decide to make DNT opt-in or opt-out. That is a purely political question that may be country-by-country. However, as Roy notes, we need a technical specification that is clear to implement. 
>>
>> 	What we are trying to support is the idea that DNT decisions may be implicit. For example, installing a proxy or a specialized privacy-protective browser is, itself, a user decision for privacy even in the absence of explicitly understanding that DNT happens to be one of the mechanisms used. What we are trying to avoid is a case where an ISP tells advertisers "I'm turning on DNT for all of my users, regardless of their actual privacy preferences, unless you give me a cut of advertising revenue." The basic concept here is that DNT is the user's voice, and must be the user's preference. 
>>
>> Proposed text to react to:
>>
>> A compliant user agent must offer users a minimum of two choices: on, and off. When DNT is on, the user agent sends an HTTP header of “DNT: 1”. When DNT is off, the user agent sends an HTTP header of “DNT: 0”. If the user has not expressed a privacy preference, neither the user agent nor any service may send a DNT header on the user’s behalf. For example, neither a browser nor an ISP may inject “DNT: 1” on behalf of all of their users who have not selected a choice corresponding to “DNT: 0”. However, a user may make a choice for privacy that then implicitly includes a DNT setting. For example, a user choosing something like “Privacy settings: high” in a user agent might include a bundle of responses, including turning on DNT. That is acceptable. Similarly, users installing a browser plugin that advertises itself as protecting privacy could also have DNT turned on. Users need not understand the technical mechanisms for DNT and we do not address user interface presentation. 
The basic principle here is that DNT reliably expresses users’ choices. 
>>
>> DNT should only and exactly send a signal of a user's preference. In the absence of user choice, there must be no DNT signal sent. In some cases users will not have DNT preferences, including while using older user agents that do not support DNT. Consequently, services (websites and others) would be wise to assume some users will not send a DNT expression. In the absence of regulatory, legal, or other requirements, services are free to interpret lack of DNT header as they find most appropriate for their users, particularly in light of users’ privacy expectations and cultural circumstances.
>>
>> 	Aleecia
> 
>
Received on Thursday, 27 October 2011 19:12:12 UTC