W3C home > Mailing lists > Public > public-tracking@w3.org > June 2012

Re: Today's call: summary on user agent compliance

From: イアンフェッティ <ifette@google.com>
Date: Fri, 8 Jun 2012 19:03:48 -0700
Message-ID: <CAF4kx8e-=MBwgwXQ4=eX4bVm_q+fcE_FbeijBiLxogWaifPUsQ@mail.gmail.com>
To: Tamir Israel <tisrael@cippic.ca>
Cc: Shane Wiley <wileys@yahoo-inc.com>, Jeffrey Chester <jeff@democraticmedia.org>, Ninja Marnau <nmarnau@datenschutzzentrum.de>, Rigo Wenning <rigo@w3.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, David Singer <singer@apple.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Tamir and others,

I don't think the point is to say "a server merely notifies the user they
will ignore their DNT-1 signal, that this is sufficient to gain user
consent for server tracking.".

Many jurisdictions don't require explicit opt-in consent for "server
tracking". Take the US for example. In this case, as long as we're not
promising something that we fail to deliver, there is no problem here.

I think you are getting hung up on the case where, in some countries
depending on what finalized legislation comes out, there might be a
requirement to obtain explicit opt-in consent. I agree with you that the
mere act of rejecting the user's DNT:1 signal is not explicit opt-in
consent in that context, and the website would probably have to take
further steps to obtain that explicit opt-in consent. But that does not
need to be the problem of this working group or specification.

The point of DNT is to allow a user to express a preference on tracking.
The point of DNT is not to solve the EU regulatory debacle, or any other
country-specific regulations. If it can be useful in that manner, then
great, but I continue to question whether we should allow this working
group to get continually railroaded into trying to solve country-specific
regulatory problems.

-Ian

On Fri, Jun 8, 2012 at 10:59 AM, Tamir Israel <tisrael@cippic.ca> wrote:

> Hi Shane,
>
> I want to reiterate what I said earlier on -- I understand there is
> already an agreement on defaults in the group, and it is not my intention
> to question that.
>
> However, in this context, I'm not clear that where a server merely
> notifies the user they will ignore their DNT-1 signal, that this is
> sufficient to gain user consent for server tracking.
>
> Let me explain. The basis for tracking under the current spec is that the
> server is gaining implicit, opt-out consent to track the user. The
> 'opt-out' consent is mediated through the UA's browser mechanism. Now, if
> the server is saying 'I will ignore your DNT-1 because I deem it
> non-compliant', there is no longer an opt-out consent mechanism in place
> for the server to rely on.
>
> Best,
> Tamir
>
>
> On 6/8/2012 11:29 AM, Shane Wiley wrote:
>
>> Tamir,
>>
>> While I agree it does add a degree of uncertainty initially, as long as
>> the outcome is completely transparent to the user then I believe the
>> appropriate outcome has been reached.
>>
>> We are attempting to resolve this in the specification by appropriately
>> signaling to a user that they will not honor the DNT signal from a specific
>> UA.
>>
>> - Shane
>>
>> -----Original Message-----
>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>> Sent: Friday, June 08, 2012 8:11 AM
>> To: Shane Wiley
>> Cc: Jeffrey Chester; Ninja Marnau; Rigo Wenning; ifette@google.com;
>> Bjoern Hoehrmann; David Singer; public-tracking@w3.org (
>> public-tracking@w3.org)
>> Subject: Re: Today's call: summary on user agent compliance
>>
>> Hi Shane,
>>
>> I suppose the question is what the objective here is.
>>
>> Allowing any entity to unilaterally question the validity of a facially
>> valid signal introduces a great degree of uncertainty into the equation,
>> and since this is an anticipated source of disagreement and confusion,
>> it might be better to explore addressing it within the spec.
>>
>> On 6/8/2012 10:16 AM, Shane Wiley wrote:
>>
>>> Jeff and Ninja,
>>>
>>> I respectfully disagree and believe any standard that has outlined what
>>> a valid signal should consist of (in our case, that a user has activated
>>> this signal directly) then any signal not meeting the standard is itself
>>> non-compliant and therefore should allow Servers to appropriately respond
>>> to users that their current UA is non-compliant and therefore will not be
>>> honored - again, hopefully with options for valid UAs the user can access
>>> their free services with.  If the user doesn't feel comfortable with this
>>> outcome WHICH IS COMPLETELY TRANSPARENT, they can decide to keep consuming
>>> those free services with DNT not being honored, not access the free content
>>> from that particular site, or switch to a compliant UA so their DNT signal
>>> is honored while interacting with that site.  With transparent and clear
>>> messaging to the user, this places the power within the user's hands to
>>> decide how best to move forward.  I believe this is much better than the
>>> user being left in the dark, or alternately no publishers supporting DNT
>>> since they are forced to honor non-compliant signals.
>>>
>>> Predictability - The user is clearly messaged in all cases - so outcomes
>>> are completely "predictable".
>>>
>> I'm not clear that there is any obligation for the user to be clearly
>> messaged here. In any case, how would that play out? User: don't track
>> me; UA: server does not acknowledge. What's the next step here?
>>
>>  Only for "uncompliant" UAs?  - Yes, but this is subjective choice by the
>>> Server and they must defend their position.  Since messaging is
>>> transparent, consumers can quickly raise concerns if they feel a UA is
>>> being ignored incorrectly.
>>>
>>> Who decides wether a UA is "uncompliant"?  - The Server does.
>>>
>> You are correct that ultimately, this could be referred to a regulator
>> if the customer disagrees with the server's decision.
>>
>>  Liability issues - disagree on your assessment of liability in this case
>>> as the claim is directly tied to a voluntary code and therefore the only
>>> legal enforcement is that the Server must follow through on what it says it
>>> will (contract).
>>>
>>> Hindering privacy-by-default - It is FAR too early in the process to
>>> attempt to quote draft regulations that will go through tremendous change
>>> over the next two years prior to becoming a regulation in force.
>>>
>>> - Shane
>>>
>>> -----Original Message-----
>>> From: Jeffrey Chester [mailto:jeff@democraticmedia.**org<jeff@democraticmedia.org>
>>> ]
>>> Sent: Friday, June 08, 2012 3:52 AM
>>> To: Ninja Marnau
>>> Cc: Rigo Wenning; ifette@google.com; Bjoern Hoehrmann; David Singer;
>>> public-tracking@w3.org (public-tracking@w3.org)
>>> Subject: Re: Today's call: summary on user agent compliance
>>>
>>> I support what Ninja says below, and the concerns Jonathan raises.
>>>  There shouldn't be "cherry-picking" allowed in the spec.  When sites
>>> receive DNT, they should honor it.  The W3C should not develop a policy
>>> that permits the over-riding of requests/intent of global Internet users.
>>>
>>> The key issue for us to address is the need to limit collection and
>>> retention.  I hope we can discuss and build support for a consensus on the
>>> proposal sent the other day by EFF/Mozilla and Jonathan.  Without
>>> meaningful collection and retention policy, we risk not having a spec that
>>> can receive the support from many stakeholders (esp civil society).  That
>>> is critical to the fate of the privacy and digital consumer protection
>>> debates, esp. both sides of the Atlantic.
>>>
>>> Finally, I want to add that in my view and fairly quickly a site that
>>> doesn't honor DNT will not be considered "brand safe."  Responsible
>>> advertisers and brands concerned about their reputation will need to
>>> respect a robust DNT.  They will have to add DNT to the blacklist/whitelist
>>> systems in place.  It behooves us to continue to advance the process of
>>> ensuring monetization and privacy can thrive together in the digital
>>> economy.
>>>
>>> Jeff
>>>
>>> On Jun 8, 2012, at 5:26 AM, Ninja Marnau wrote:
>>>
>>>  We are discussing two different issues here.
>>>>
>>>> First is, I support that servers should give the users a clear answer
>>>> wether their DNT request is honored. There should be an option to answer
>>>> NACK.
>>>>
>>>> Second is, a company claiming "We will honor DNT when it's coming from
>>>> the following user agents" or "We will honor DNT from all user agents
>>>> except for the following" (I am quoting Ian's example here) is honest - and
>>>> I appreciate that. But whether it is "compliant" to the DNT recommendation
>>>> or not, is up to us as a working group. It is our task to discuss whether
>>>> we want the spec to allow this cherry-picking. (Don't get me wrong,
>>>> companies can stll do so. But will they be able to claim DNT compliance?).
>>>> I oppose this. I think the spec should state that when you receive a
>>>> valid signal, no matter from what UA, you have to honor it in order to
>>>> claim DNT compliance.
>>>>
>>>> There are several reasons for this:
>>>> 1) predictability
>>>> David raised this point and I agree: "Defining that "I'll stop tracking
>>>> unless I don't feel like it" as *compliant* makes it basically
>>>> unpredictable what will happen."
>>>>
>>>> 2) only for "uncompliant" UAs?
>>>> If we open the spec to cherry-picking. Will it stop at "uncompliant"?
>>>> Or will the spec just stay silent or explicitly allow for other
>>>> motivations? Patent lawsuits, harming competitors, just feeling like it -
>>>> for painting a very black picture.
>>>> I don't support this as being considered DNT compliant.
>>>>
>>>> 3) Who decides wether a UA is "uncompliant"?
>>>> As long as there is no judgement by a competent authority, this is a
>>>> very critical statement.
>>>>
>>>> 4) liability issues
>>>> If the spec allows to NACK the DNT requests of "uncompliant" UAs, and I
>>>> site claims to "honor DNT from all user agents except for the following
>>>> ..." it makes a legally relevant statement about these UAs. Which may lead
>>>> to liability and claims for damages by these UAs if the judgement is wrong.
>>>> If the spec is more open ->   issue 2.
>>>>
>>>> 5) hindering privacy-by-default
>>>> The proposed Data Protection Regulation of the EC explicitly asks for
>>>> privacy by default. (Art. 23)
>>>>
>>>>
>>>> Ninja
>>>>
>>>>
>>>>
>>>> Am 08.06.2012 10:25, schrieb Rigo Wenning:
>>>>
>>>>> On Thursday 07 June 2012 18:25:27 Ian Fette wrote:
>>>>>
>>>>>> A site is already under no obligation to conform to DNT. Would you
>>>>>> rather have the user be clear that their request is being
>>>>>> ignored, or left to wonder?
>>>>>>
>>>>> Precisely my point! Thanks Ian
>>>>>
>>>>> Rigo
>>>>>
>>>>>  --
>>>>
>>>> Ninja Marnau
>>>> mail: NMarnau@datenschutzzentrum.de - http://www.datenschutzzentrum.**
>>>> de <http://www.datenschutzzentrum.de>
>>>> Telefon: +49 431/988-1285, Fax +49 431/988-1223
>>>> Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein
>>>> Independent Centre for Privacy Protection Schleswig-Holstein
>>>>
>>>>
>>>>
>>>>
>>>
>>
>
Received on Saturday, 9 June 2012 02:04:21 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:30 UTC