Re: tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking Definitions and Compliance] from Dobbs, Brooks on 2012-06-01 (public-tracking@w3.org from June 2012)

From: Dobbs, Brooks <Brooks.Dobbs@kbmg.com>
Date: Fri, 1 Jun 2012 19:18:34 -0400
To: "Justin Brookman" <justin@cdt.org>
Cc: <public-tracking@w3.org>
Message-ID: <E5775FB6-BD00-441F-A80C-6BCB2A7564AE@kbmg.com>
Justin,
I think your example of choosing a browser based on knowledge that it sends DNT:1 by default isn't a fair representation of what we are seeing here.  If you could reasonably assume that the choice of a browser indicates a consumer's DNT preference than I would agree, but I wouldn't say most people who run IE do so because the know it sets DNT by default.  I suspect if they like FF better they'll just change the setting rather than switching browsers over the convenience of a default setting.

The question seems to me to be - given what a server knows about a UA is it reasonable to conclude that you understand the USER's preference.  I don't think we can conclude that the choice of browser demonstrates that intent.

Sent from my iPhone

On Jun 1, 2012, at 6:32 PM, "Justin Brookman" <justin@cdt.org> wrote:

> As a user, if I'm going to pick a party to guess my preference, I am going to pick *my* user agent instead of some downstream third party I have no relationship with whatsoever.  If I choose to run PrivacyBrowser because it has been marketed as the privacy-protective browser that runs DNT automatically, I am going to be rather surprised to hear that AdNetzUnlimited has ignored or stripped the header because I probably never meant it in the first place.  You can't do that with default cookie settings today in Safari, and you won't be able to do it with DNT either.  If an ISP changed the user's headings from DNT:1 to DNT:0 without user interaction, I am comfortable that existing law would address that situation and I would not expect third party websites to be in a position to police that.  If anyone feels they have a legal case against a user agent for pre-checking DNT or otherwise pushing users toward using the header, W3C will pose no barrier to the pursuit of those remedies.
> 
> We spent the last several months stating we're not going to specify UI or guess user intent.  The group rejected specifying standards of consent for exceptions to DNT.  I still haven't heard how you are going to deal with the example of PrivacySuite configuring Mozilla to send DNT.  If lawyers or coders at each of the companies are going to have to guess what constitutes UA compliance for a part of the spec we haven't written yet and guess what the UI was for that UA for each user, you're opening yourselves up to extra compliance costs and significant exposure to liability, let alone intense press and user scrutiny.
> Justin Brookman
> Director, Consumer Privacy
> Center for Democracy & Technology
> 1634 I Street NW, Suite 1100
> Washington, DC 20006
> tel 202.407.8812
> fax 202.637.0969
> justin@cdt.org
> http://www.cdt.org

> @CenDemTech
> @JustinBrookman
> 
> On 6/1/2012 6:56 PM, Dobbs, Brooks wrote:     
>> 
>> New voice here...  I might as well jump right into the controversy.
>> 
>> I am not sure there is full consistency here.  I read the spec as saying “Key to that notion of expression is that it must reflect the user's preference”.  This seems pretty foundational to me.  Where there is a significant likelihood for the origin server to believe that the expression is not a reflection of the user’s preference (either as a 1 or a 0), wouldn’t such server  be in error to process it accordingly?  Conversely to the IE/AVG cases, if hypothetically an ISP were to inject an extension into every DNT header which in the future allowed for an exception, wouldn’t the server be in error for always making room for this exception where they           know it to be coming from that ISP?
>> 
>> -Brooks
>> 
>> -- 
>> 
>> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the Wunderman Network
>> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com 
>> brooks.dobbs@kbmg.com
>> 
>> <mime-attachment.png>
>> 
>> This email – including attachments – may contain confidential information. If you are not the intended recipient,
>>  do not copy, distribute or act on it. Instead, notify the sender immediately and delete the message.
>> 
>> 
>> On 6/1/12 4:36 PM, "Justin Brookman" <justin@cdt.org> wrote:
>> 
>>   Agree with David --- we don't even know what MSFT's eventual implementation is going to be, and I can't say I know what AVG's is today.  Is there a screen that's pre-checked?  Is there some sort of ephemeral notice saying "by the way, DNT is on."  Will those UIs change over time?  Who is going to monitor the UIs and make the decision: "No, this isn't user choicey enough!"  How will you know what the UI was when the user installed the user agent?  Even if the default is on and there's no notice at all, how will the party know that the user didn't turn it off at some point, see a retargeted ad for a Vegas casino, and then turn in back on again?
>>  
>>  I can't see how a standard answers those questions.
>>  
>> Justin Brookman
>> Director, Consumer Privacy
>> Center for Democracy & Technology
>> 1634 I Street NW, Suite 1100
>> Washington, DC 20006
>> tel 202.407.8812
>> fax 202.637.0969
>> justin@cdt.org
>> http://www.cdt.org

>> @CenDemTech
>> @JustinBrookman
>>  
>>  On 6/1/2012 5:28 PM, David Singer wrote: 
>> 
>>  
>>  
>> On Jun 1, 2012, at 14:22 , Shane Wiley wrote:
>>  
>>  
>> 
>>  
>>  
>> David,
>> 
>> 
>> 
>> I disagree.  If you know that an UA is non-compliant, it should be fair to NOT honor the DNT signal from that non-compliant UA and message this back to the user in the well-known URI or Response Header.  Further, we can provide information for the user to use a UA that is DNT compliant if they wish for their preference to be honored in that regard.
>> 
>> 
>> 
>>  
>>  
>> 
>>  
>>  
>> OK, I think we will have to agree to disagree.  I can't think of any other spec., off hand, that allows one end to 'misbehave' if they believe the other end is misbehaving.  There *are* specs that deal with what you do if you see actual invalid values, incorrect responses, etc., but none that I know of that allow you to conclude 'you didn't really mean that' and do something other than what was signalled.
>>  
>> 
>>  
>>  
>> I still don't know how you tell the difference between a user who agree with, and wanted, the choice, and a user who wasn't aware of it.
>>  
>> 
>>  
>>  
>> 
>>  
>>  
>>  
>>   
>> 
>>  
>>  
>> David Singer
>>  
>> Multimedia and Software Standards, Apple Inc.
>>  
>>  
>>  
>> 
>>  
>>  
>>
Received on Saturday, 2 June 2012 20:52:22 UTC