
Re: tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking Definitions and Compliance]

From: Manu Mukerji <manu16m@gmail.com>
Date: Thu, 31 May 2012 16:07:47 -0700
Message-ID: <CANt+7cXkZJC6tDOT=EPGnzuLi8QvfhgpSjCd3daxhVS3pkWU6w@mail.gmail.com>
To: Heather West <heatherwest@google.com>
Cc: "Aleecia M. McDonald" <aleecia@aleecia.com>, Shane Wiley <wileys@yahoo-inc.com>, Lauren Gelman <gelman@blurryedge.com>, "ifette@google.com" <ifette@google.com>, Justin Brookman <justin@cdt.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Wouldn't it make life easier to ask the browsers not to expose the ability
to control the DNT setting from outside the browser?

-Manu

On Thu, May 31, 2012 at 3:59 PM, Heather West <heatherwest@google.com> wrote:

> I think that these developments - and the resulting surprise from many -
> make it pretty clear that we should take some time and outline what we
> expect of user agents. I definitely think we should add a section for that.
>
>
> On Thu, May 31, 2012 at 6:31 PM, Aleecia M. McDonald <aleecia@aleecia.com> wrote:
>
>> Some very quick points:
>>
>> - Until we have a published recommendation, there is nothing to comply
>> with.
>> - I see this as a reason to push for a recommendation sooner rather than
>> later: this is the sort of thing that happens in the days before a
>> recommendation, with companies interpreting and implementing as they like
>> on all sides.
>>
>> I've had calmer days, how about all of you?
>>
>> On the call yesterday I suggested we add a new section on what user
>> agents either must or should do to be in compliance with the spec. As
>> written, there are currently no requirements on browsers. This seems like
>> an area for further discussion. If a user agent claims to be compliant and
>> is not, they have the FTC to answer to in the US. If a user agent is not
>> compliant, they have press questions to answer. This is what I had in mind
>> when we started the conversation yesterday.
>>
>> Of note: I did not know about MSFT's upcoming announcement prior to the
>> call yesterday.
>>
>> Aleecia
>>
>> On May 31, 2012, at 2:25 PM, Shane Wiley wrote:
>>
>> This is an invalid use case as the draft compliance document already
>> states a user must actively turn on DNT and this cannot be turned on by
>> default.  IE10 is already out of DNT compliance.
>>
>> - Shane
>>
>>  *From:* Lauren Gelman [mailto:gelman@blurryedge.com]
>> *Sent:* Thursday, May 31, 2012 2:21 PM
>> *To:* ifette@google.com
>> *Cc:* Shane Wiley; Justin Brookman; public-tracking@w3.org
>> *Subject:* Re: tracking-ISSUE-150: DNT conflicts from multiple user
>> agents [Tracking Definitions and Compliance]
>>
>> I just saw this, so in fairness I am revisiting Shane's question:
>>
>> http://www.microsoft.com/en-us/news/Press/2012/May12/05-31Windows8RPPR.aspx
>>
>> If a browser ships DNT:0 by default and a user turns it to DNT:1, then
>> "informed, explicit" consent is needed for a publisher to cookie the user.
>>
>> If a browser ships DNT:1 by default, and a user turns it to DNT:0 then
>> "informed, explicit" consent would be needed for a publisher to not collect
>> cookies from the user.
>>
>> So it still seems to be a matter of requiring heightened awareness based
>> on a PROCESS-- when someone who has changed their default setting is asked
>> to override that default and not SUBSTANCE-- whether the change is turning
>> on or off DNT.
>>
>> Lauren Gelman
>> BlurryEdge Strategies
>> 415-627-8512
>>
>> On May 30, 2012, at 9:31 PM, Ian Fette (イアンフェッティ) wrote:
>>
>> It's also to note that over time, things have tended to shift, e.g. some
>> browsers are now blocking third party cookies by default...
>>
>> On Wed, May 30, 2012 at 4:44 PM, Lauren Gelman <gelman@blurryedge.com>
>> wrote:
>>
>> Of course-- but realistically, majority default DNT is not the world this
>> standard will exist in.  DNT is going to be a 10% solution.
>>
>> Frankly, having done privacy for almost 20 years, the idea that millions
>> of users are going to turn on any privacy setting such that they
>> unknowingly stop sharing their data in a way that actually has any impact
>> on any business's bottom line is unrealistic at best.  (Can anyone point to
>> any internet business, ever, where this has happened??) I've heard of spam,
>> spyware, phishing, spear phishing, etc.  I've never heard of a massive
>> pro-privacy viral campaign that worked.   There's lots of $ behind
>> companies trying to get users to turn off DNT and no $ to try to get them
>> to turn it on, so I think this is really orthogonal to what this group is
>> working on.
>>
>> Lauren Gelman
>> BlurryEdge Strategies
>> 415-627-8512
>>
>> On May 30, 2012, at 4:05 PM, Ian Fette (イアンフェッティ) wrote:
>>
>> I think the desire though is that DNT is a representation of a user's
>> explicit preference. If a browser set it by default, for instance, would a
>> site be obligated to respect it?
>>
>> -Ian
>>
>> On Wed, May 30, 2012 at 3:33 PM, Lauren Gelman <gelman@blurryedge.com>
>> wrote:
>>
>> I don't see the parity here. One is a user's affirmative action being
>> overruled by another entity.  The other is the user opting to change a
>> default setting.
>>
>> Lauren Gelman
>> BlurryEdge Strategies
>> 415-627-8512
>>
>> On May 30, 2012, at 3:22 PM, Shane Wiley wrote:
>>
>> Justin,
>>
>> If companies are expected to achieve “informed and explicit” consent to
>> turn off DNT, then it is only fair that User Agents also achieve “informed
>> and explicit” consent to turn on DNT.  Do you disagree?
>>
>> - Shane
>>
>>  *From:* Justin Brookman [mailto:justin@cdt.org]
>> *Sent:* Wednesday, May 30, 2012 3:17 PM
>> *To:* public-tracking@w3.org
>> *Subject:* Re: tracking-ISSUE-150: DNT conflicts from multiple user
>> agents [Tracking Definitions and Compliance]
>>
>> What problem?  You honor the header by doing what the spec says.  There
>> is no need for you to try to discern user intent, and indeed, no way for
>> you to do so.  Ad networks cannot be and are not expected to be responsible
>> for every UI or every possible bit of misinformation someone saw in a
>> comment thread on Reddit to get them to turn on DNT in the first place.
>>
>> Today, if someone sets their browser to block third-party cookies, you
>> don't try to circumvent that on the theory that someone maybe didn't
>> understand what cookies did in the first place.  Nor do we dictate to the
>> user agents how and when to surface and describe those capabilities.
>>
>> If there are conflicting headers, that's a different issue, and Ian and
>> Jonathan are putting together draft text on that issue.
>>
>> Justin Brookman
>> Director, Consumer Privacy
>> Center for Democracy & Technology
>> 1634 I Street NW, Suite 1100
>> Washington, DC 20006
>> tel 202.407.8812
>> fax 202.637.0969
>> justin@cdt.org
>> http://www.cdt.org
>> @CenDemTech
>> @JustinBrookman
>>
>> On 5/30/2012 3:34 PM, Chris Mejia wrote:
>>
>> I believe new Issue-150 is closely related to open Issue-143. If the
>> user's intent in turning on/off DNT is not clear (especially in cases where
>> the user doesn't even know they are specifically sending a DNT:1 header),
>> there is no way for publishers to understand how to accurately "honor" any
>> consumer's DNT header flag― *it's a fundamental flaw with this scope of
>> this proceeding*.  I laid out the concern in some detail in my previous
>> email to the group ("In Support of Issue-143"); so I'll just give the brief
>> version here: if publishers do not understand the context of the user's DNT
>> expression (was the user properly informed about what setting does/means,
>> before it was set) how are publishers to determine what the user actually
>> intended, or if the user is even aware that a DNT flag is being sent?  If
>> any question/statement in any UI can lead to the sending of DNT:1 or DNT:0,
>> where is the integrity of the system/solution?
>>
>> To give just one example (there are many) of how a DNT mechanism that
>> lacks a uniform informed consent requirement might be abused, consider the
>> theoretical yet plausible scenario where an email is sent to (millions of)
>> users informing the users that they should "*click here to prevent evil
>> doers from knowing who you are*" or even worse, "*click here if you
>> think blue is a pretty color*" (replace with a variety of malware
>> tactics), the user's click leading to a programmatic setting of DNT, without
>> the user's informed consent under uniform compliance rules.  When that
>> happens (some zealot decides to abuse the system), I'm sure we'll
>> eventually learn about it, after some amount of damage being done.
>>
>> *When it becomes known that users were deceived into sending a DNT
>> expression (no uniform informed consent), here's what the end-game of
>> publishers might be: * without a way of discerning how DNT was set
>> (which program; who owns the program; being able to inspect the program),
>> and under which auspices it was set (what did the user agree to when they
>> clicked?), when learning of a set of users who were deceived into setting
>> DNT, publishers may be forced to consider if they should honor any DNT
>> header requests at all, in an effort to protect the web experience of all
>> users.  Under this scenario, publishers may be compelled to issue public
>> statements outlining the fatal flaws of this W3C DNT mechanism, citing the
>> specific abuses, and walking away from compliance on the grounds that being
>> "compliant" with such a system would be harmful to the majority of its
>> users.
>>
>> Is that really the result that this working group is looking for?  If
>> not, I strongly suggest that we all get on board with defining a system
>> where the actual intent of the user is absolutely clear― the only way I can
>> think to accomplish this is to require compliance with a uniform
>> requirement to properly educate/inform the user about their choice, at the
>> point user choice is made.  Of course I'm open to hearing other suggestions
>> for solving this problem, but I feel that "*it's out of scope/Charter
>> for this project*" is not an acceptable solution― that answer does not
>> solve the problem described here and in open Issue-143.  Please, let's
>> solve the actual problem.
>>
>> Chris Mejia, IAB/DAA
>>
>> On 5/30/12 1:35 PM, "Tracking Protection Working Group Issue Tracker" <
>> sysbot+tracker@w3.org> wrote:
>>
>> tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking
>> Definitions and Compliance]
>>
>> http://www.w3.org/2011/tracking-protection/track/issues/150
>>
>> Raised by: Aleecia McDonald
>> On product: Tracking Definitions and Compliance
>>
>> Due to multiple addons that support Do Not Track, there could be
>> conflicts. For example, a user could turn off DNT (not unset, actually off,
>> sending DNT:0) in Firefox, yet install Abine's "Do Not Track Plus" addon
>> (which sends DNT:1). More fun, users could have three different addons,
>> each with a different value. Do we have either best practices or
>> requirements for user agents here?
>>
>> Created from original issue-148, with actions taken by ifette and jmayer
>> to write proposals.
>>
>
>
> --
>
> Heather West | Google Policy | heatherwest@google.com | 202-643-6381
>
Received on Friday, 1 June 2012 09:23:29 UTC
