RE: Today's call: summary on user agent compliance

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Fri, 8 Jun 2012 07:16:35 -0700
To: Jeffrey Chester <jeff@democraticmedia.org>, Ninja Marnau <nmarnau@datenschutzzentrum.de>
CC: Rigo Wenning <rigo@w3.org>, "ifette@google.com" <ifette@google.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, David Singer <singer@apple.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <63294A1959410048A33AEE161379C8023D1859082A@SP2-EX07VS02.ds.corp.yahoo.com>

Jeff and Ninja,

I respectfully disagree and believe any standard that has outlined what a valid signal should consist of (in our case, that a user has activated this signal directly) then any signal not meeting the standard is itself non-compliant and therefore should allow Servers to appropriately respond to users that their current UA is non-compliant and therefore will not be honored - again, hopefully with options for valid UAs the user can access their free services with.  If the user doesn't feel comfortable with this outcome WHICH IS COMPLETELY TRANSPARENT, they can decide to keep consuming those free services with DNT not being honored, not access the free content from that particular site, or switch to a compliant UA so their DNT signal is honored while interacting with that site.  With transparent and clear messaging to the user, this places the power within the user's hands to decide how best to move forward.  I believe this is much better than the user being left in the dark, or alternately no publishers supporting DNT since they are forced to honor non-compliant signals.

Predictability - The user is clearly messaged in all cases - so outcomes are completely "predictable".

Only for "uncompliant" UAs?  - Yes, but this is a subjective choice by the Server and they must defend their position.  Since messaging is transparent, consumers can quickly raise concerns if they feel a UA is being ignored incorrectly.

Who decides whether a UA is "uncompliant"?  - The Server does.

Liability issues - disagree on your assessment of liability in this case as the claim is directly tied to a voluntary code and therefore the only legal enforcement is that the Server must follow through on what it says it will (contract).

Hindering privacy-by-default - It is FAR too early in the process to attempt to quote draft regulations that will go through tremendous change over the next two years prior to becoming a regulation in force.

- Shane

-----Original Message-----
From: Jeffrey Chester [mailto:jeff@democraticmedia.org] 
Sent: Friday, June 08, 2012 3:52 AM
To: Ninja Marnau
Cc: Rigo Wenning; ifette@google.com; Bjoern Hoehrmann; David Singer; public-tracking@w3.org (public-tracking@w3.org)
Subject: Re: Today's call: summary on user agent compliance

I support what Ninja says below, and the concerns Jonathan raises.  There shouldn't be "cherry-picking" allowed in the spec.  When sites receive DNT, they should honor it.  The W3C should not develop a policy that permits the over-riding of requests/intent of global Internet users.  

The key issue for us to address is the need to limit collection and retention.  I hope we can discuss and build support for a consensus on the proposal sent the other day by EFF/Mozilla and Jonathan.  Without meaningful collection and retention policy, we risk not having a spec that can receive the support from many stakeholders (esp civil society).  That is critical to the fate of the privacy and digital consumer protection debates, esp. both sides of the Atlantic.

Finally, I want to add that in my view and fairly quickly a site that doesn't honor DNT will not be considered "brand safe."  Responsible advertisers and brands concerned about their reputation will need to respect a robust DNT.  They will have to add DNT to the blacklist/whitelist systems in place.  It behooves us to continue to advance the process of ensuring monetization and privacy can thrive together in the digital economy.


On Jun 8, 2012, at 5:26 AM, Ninja Marnau wrote:

> We are discussing two different issues here.
> First is, I support that servers should give the users a clear answer whether their DNT request is honored. There should be an option to answer NACK.
> Second is, a company claiming "We will honor DNT when it's coming from the following user agents" or "We will honor DNT from all user agents except for the following" (I am quoting Ian's example here) is honest - and I appreciate that. But whether it is "compliant" to the DNT recommendation or not, is up to us as a working group. It is our task to discuss whether we want the spec to allow this cherry-picking. (Don't get me wrong, companies can still do so. But will they be able to claim DNT compliance?).
> I oppose this. I think the spec should state that when you receive a valid signal, no matter from what UA, you have to honor it in order to claim DNT compliance.
> There are several reasons for this:
> 1) predictability
> David raised this point and I agree: "Defining that "I'll stop tracking unless I don't feel like it" as *compliant* makes it basically unpredictable what will happen."
> 2) only for "uncompliant" UAs?
> If we open the spec to cherry-picking, will it stop at "uncompliant"? Or will the spec just stay silent or explicitly allow for other motivations? Patent lawsuits, harming competitors, just feeling like it - for painting a very black picture.
> I don't support this as being considered DNT compliant.
> 3) Who decides whether a UA is "uncompliant"?
> As long as there is no judgement by a competent authority, this is a very critical statement.
> 4) liability issues
> If the spec allows to NACK the DNT requests of "uncompliant" UAs, and a site claims to "honor DNT from all user agents except for the following ..." it makes a legally relevant statement about these UAs. Which may lead to liability and claims for damages by these UAs if the judgement is wrong.
> If the spec is more open -> issue 2.
> 5) hindering privacy-by-default
> The proposed Data Protection Regulation of the EC explicitly asks for privacy by default. (Art. 23)
> Ninja
> Am 08.06.2012 10:25, schrieb Rigo Wenning:
>> On Thursday 07 June 2012 18:25:27 Ian Fette wrote:
>>> A site is already under no obligation to conform to DNT. Would you
>>> rather have the user be clear that their request is being
>>> ignored, or left to wonder?
>> Precisely my point! Thanks Ian
>> Rigo
> -- 
> Ninja Marnau
> mail: NMarnau@datenschutzzentrum.de - http://www.datenschutzzentrum.de
> Telefon: +49 431/988-1285, Fax +49 431/988-1223
> Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein
> Independent Centre for Privacy Protection Schleswig-Holstein
Received on Friday, 8 June 2012 14:17:25 UTC