Re: Today's call: summary on user agent compliance

From: Vinay Goel <vigoel@adobe.com>
Date: Fri, 8 Jun 2012 07:12:20 -0700
To: Jeffrey Chester <jeff@democraticmedia.org>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <CBF77EED.D00F%vigoel@adobe.com>

Hi Jeff,

I want to make sure I understand your statements below.

You say below "there shouldn't be 'cherry-picking' allowed in the spec".
Is your intention to apply that statement to both websites and browser
manufacturers?  Specifically, I believe your statements below suggest that
a website cannot pick parts of the spec it wants to comply with, and not
comply with the parts where DNT:1 was set by a browser.  But, I would
argue that Microsoft IE 10 would be, in fact, cherry-picking parts of the
spec that it wants to comply with (such as the DNT mechanism, what it is
supposed to impact, etc.) but ignoring a part of the spec (that the DNT
preference must be set by the user).

In addition, you say that in your view a site that doesn't honor DNT will
not be considered brand safe.  Will Microsoft IE 10, with setting DNT:1 by
default and therefore not honoring all of the DNT specs, not be considered
"brand safe"?


Vinay Goel | Privacy Product Manager | Adobe Systems | Office: 917.934.0867

On 6/8/12 6:51 AM, "Jeffrey Chester" <jeff@democraticmedia.org> wrote:

>I support what Ninja says below, and the concerns Jonathan raises.  There
>shouldn't be "cherry-picking" allowed in the spec.  When sites receive
>DNT, they should honor it.  The W3C should not develop a policy that
>permits the over-riding of requests/intent of global Internet users.
>The key issue for us to address is the need to limit collection and
>retention.  I hope we can discuss and build support for a consensus on
>the proposal sent the other day by EFF/Mozilla and Jonathan.  Without
>meaningful collection and retention policy, we risk not having a spec
>that can receive the support from many stakeholders (esp civil society).
>That is critical to the fate of the privacy and digital consumer
>protection debates, esp. both sides of the Atlantic.
>Finally, I want to add that in my view and fairly quickly a site that
>doesn't honor DNT will not be considered "brand safe."  Responsible
>advertisers and brands concerned about their reputation will need to
>respect a robust DNT.  They will have to add DNT to the
>blacklist/whitelist systems in place.  It behooves us to continue to
>advance the process of ensuring monetization and privacy can thrive
>together in the digital economy.
>On Jun 8, 2012, at 5:26 AM, Ninja Marnau wrote:
>> We are discussing two different issues here.
>> First is, I support that servers should give the users a clear answer
>>whether their DNT request is honored. There should be an option to answer
>> Second is, a company claiming "We will honor DNT when it's coming from
>>the following user agents" or "We will honor DNT from all user agents
>>except for the following" (I am quoting Ian's example here) is honest -
>>and I appreciate that. But whether it is "compliant" to the DNT
>>recommendation or not, is up to us as a working group. It is our task to
>>discuss whether we want the spec to allow this cherry-picking. (Don't
>>get me wrong, companies can still do so. But will they be able to claim
>>DNT compliance?).
>> I oppose this. I think the spec should state that when you receive a
>>valid signal, no matter from what UA, you have to honor it in order to
>>claim DNT compliance.
>> There are several reasons for this:
>> 1) predictability
>> David raised this point and I agree: "Defining that "I'll stop tracking
>>unless I don't feel like it" as *compliant* makes it basically
>>unpredictable what will happen."
>> 2) only for "uncompliant" UAs?
>> If we open the spec to cherry-picking. Will it stop at "uncompliant"?
>>Or will the spec just stay silent or explicitly allow for other
>>motivations? Patent lawsuits, harming competitors, just feeling like it
>>- for painting a very black picture.
>> I don't support this as being considered DNT compliant.
>> 3) Who decides whether a UA is "uncompliant"?
>> As long as there is no judgement by a competent authority, this is a
>>very critical statement.
>> 4) liability issues
>> If the spec allows to NACK the DNT requests of "uncompliant" UAs, and a
>>site claims to "honor DNT from all user agents except for the following
>>..." it makes a legally relevant statement about these UAs. Which may
>>lead to liability and claims for damages by these UAs if the judgement
>>is wrong.
>> If the spec is more open -> issue 2.
>> 5) hindering privacy-by-default
>> The proposed Data Protection Regulation of the EC explicitly asks for
>>privacy by default. (Art. 23)
>> Ninja
>> On 08.06.2012 10:25, Rigo Wenning wrote:
>>> On Thursday 07 June 2012 18:25:27 Ian Fette wrote:
>>>> A site is already under no obligation to conform to DNT. Would you
>>>> rather have the user be clear that their request is being
>>>> ignored, or left to wonder?
>>> Precisely my point! Thanks Ian
>>> Rigo
>> --
>> Ninja Marnau
>> mail: NMarnau@datenschutzzentrum.de - http://www.datenschutzzentrum.de
>> Phone: +49 431/988-1285, Fax +49 431/988-1223
>> Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein
>> Independent Centre for Privacy Protection Schleswig-Holstein

Received on Friday, 8 June 2012 14:12:51 UTC