Re: Today's call: summary on user agent compliance

We are discussing two different issues here.

First, I support that servers should give users a clear answer 
whether their DNT request is honored. There should be an option to answer 
NACK.

Second, a company claiming "We will honor DNT when it's coming from 
the following user agents" or "We will honor DNT from all user agents 
except for the following" (I am quoting Ian's example here) is honest - 
and I appreciate that. But whether it is "compliant" with the DNT 
recommendation or not is up to us as a working group. It is our task to 
discuss whether we want the spec to allow this cherry-picking. (Don't 
get me wrong, companies can still do so. But will they be able to claim 
DNT compliance?)

I oppose this. I think the spec should state that when you receive a 
valid signal, no matter from what UA, you have to honor it in order to 
claim DNT compliance.

There are several reasons for this:
1) predictability
David raised this point and I agree: "Defining that "I'll stop tracking 
unless I don't feel like it" as *compliant* makes it basically 
unpredictable what will happen."

2) only for "uncompliant" UAs?
If we open the spec to cherry-picking, will it stop at "uncompliant"? Or 
will the spec just stay silent or explicitly allow for other 
motivations? Patent lawsuits, harming competitors, just feeling like it 
- to paint a very black picture.
I don't support this being considered DNT compliant.

3) Who decides whether a UA is "uncompliant"?
As long as there is no judgement by a competent authority, this is a 
very critical statement.

4) liability issues
If the spec allows NACKing the DNT requests of "uncompliant" UAs, and a 
site claims to "honor DNT from all user agents except for the following 
...", it makes a legally relevant statement about these UAs, which may 
lead to liability and claims for damages by these UAs if the judgement 
is wrong.
If the spec is more open -> issue 2.

5) hindering privacy-by-default
The proposed Data Protection Regulation of the EC explicitly asks for 
privacy by default (Art. 23).


Ninja



On 08.06.2012 10:25, Rigo Wenning wrote:
> On Thursday 07 June 2012 18:25:27 Ian Fette wrote:
>> A site is already under no obligation to conform to DNT. Would you
>> rather have the user be clear that their request is being
>> ignored, or left to wonder?
>
> Precisely my point! Thanks Ian
>
> Rigo
>

-- 

Ninja Marnau
mail: NMarnau@datenschutzzentrum.de - http://www.datenschutzzentrum.de
Telefon: +49 431/988-1285, Fax +49 431/988-1223
Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein
Independent Centre for Privacy Protection Schleswig-Holstein

Received on Friday, 8 June 2012 09:24:44 UTC