
Re: Today's call: summary on user agent compliance

From: Tamir Israel <tisrael@cippic.ca>
Date: Fri, 08 Jun 2012 22:56:20 -0400
Message-ID: <4FD2BB54.3080902@cippic.ca>
To: ifette@google.com
CC: Shane Wiley <wileys@yahoo-inc.com>, Jeffrey Chester <jeff@democraticmedia.org>, Ninja Marnau <nmarnau@datenschutzzentrum.de>, Rigo Wenning <rigo@w3.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, David Singer <singer@apple.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Hi Ian,

On 6/8/2012 10:03 PM, Ian Fette (イアンフェッティ) wrote:
> Tamir and others,
>
> I don't think the point is to say "a server merely notifies the user 
> they will ignore their DNT-1 signal, that this is sufficient to gain 
> user consent for server tracking.".
>
> Many jurisdictions don't require explicit opt-in consent for "server 
> tracking". Take the US for example. In this case, as long as we're not 
> promising something that we fail to deliver, there is no problem here.
>
> I think you are getting hung up on the case where, in some countries 
> depending on what finalized legislation comes out, there might be a 
> requirement to obtain explicit opt-in consent. I agree with you that 
> the mere act of rejecting the user's DNT:1 signal is not explicit 
> opt-in consent in that context, and the website would probably have to 
> take further steps to obtain that explicit opt-in consent. But that 
> does not need to be the problem of this working group or specification.

The issue I'm trying to address is a scenario where opt-out consent is 
required. Functionally, the Canadian system operates much like the US in 
practice (servers are seemingly free to track without asking [as long as 
there is a readily available mechanism for opting out]). Typically, 
U.S.-based businesses find this to be a benefit, since their Canadian 
implementations can match their US implementation (given our physical 
proximity).

The similarities in regime break down, however, where a server rejects a 
DNT-1 (because it was set by default), and there is no alternate 
mechanism left for the user to opt-out. As the server can no longer rely 
on implicit/opt-out consent in this case, presumably they can no longer 
track.

>
> The point of DNT is to allow a user to express a preference on 
> tracking. The point of DNT is not to solve the EU regulatory debacle, 
> or any other country-specific regulations. If it can be useful in that 
> manner, then great, but I continue to question whether we should allow 
> this working group to get continually railroaded into trying to solve 
> country-specific regulatory problems.

The group may well decide to leave it to regulators in various countries 
to decide how to solve their own specific regulatory problems around the 
spec, but I think it is fully legitimate to at least attempt to address 
these here.

Best regards,
Tamir

>
>
>
> On Fri, Jun 8, 2012 at 10:59 AM, Tamir Israel <tisrael@cippic.ca> wrote:
>
>     Hi Shane,
>
>     I want to reiterate what I said earlier on -- I understand there
>     is already an agreement on defaults in the group, and it is not my
>     intention to question that.
>
>     However, in this context, I'm not clear that where a server merely
>     notifies the user they will ignore their DNT-1 signal, that this
>     is sufficient to gain user consent for server tracking.
>
>     Let me explain. The basis for tracking under the current spec is
>     that the server is gaining implicit, opt-out consent to track the
>     user. The 'opt-out' consent is mediated through the UA's browser
>     mechanism. Now, if the server is saying 'I will ignore your DNT-1
>     because I deem it non-compliant', there is no longer an opt-out
>     consent mechanism in place for the server to rely on.
>
>     Best,
>     Tamir
>
>
>     On 6/8/2012 11:29 AM, Shane Wiley wrote:
>
>         Tamir,
>
>         While I agree it does add a degree of uncertainty initially,
>         as long as the outcome is completely transparent to the user
>         then I believe the appropriate outcome has been reached.
>
>         We are attempting to resolve this in the specification by
>         appropriately signaling to a user that they will not honor the
>         DNT signal from a specific UA.
>
>         - Shane
>
>         -----Original Message-----
>         From: Tamir Israel [mailto:tisrael@cippic.ca]
>         Sent: Friday, June 08, 2012 8:11 AM
>         To: Shane Wiley
>         Cc: Jeffrey Chester; Ninja Marnau; Rigo Wenning;
>         ifette@google.com; Bjoern Hoehrmann; David Singer;
>         public-tracking@w3.org (public-tracking@w3.org)
>         Subject: Re: Today's call: summary on user agent compliance
>
>         Hi Shane,
>
>         I suppose the question is what the objective here is.
>
>         Allowing any entity to unilaterally question the validity of a
>         facially valid signal introduces a great degree of uncertainty
>         into the equation, and since this is an anticipated source of
>         disagreement and confusion, it might be better to explore
>         addressing it within the spec.
>
>         On 6/8/2012 10:16 AM, Shane Wiley wrote:
>
>             Jeff and Ninja,
>
>             I respectfully disagree and believe any standard that has
>             outlined what a valid signal should consist of (in our
>             case, that a user has activated this signal directly) then
>             any signal not meeting the standard is itself
>             non-compliant and therefore should allow Servers to
>             appropriately respond to users that their current UA is
>             non-compliant and therefore will not be honored - again,
>             hopefully with options for valid UAs the user can access
>             their free services with.  If the user doesn't feel
>             comfortable with this outcome WHICH IS COMPLETELY
>             TRANSPARENT, they can decide to keep consuming those free
>             services with DNT not being honored, not access the free
>             content from that particular site, or switch to a
>             compliant UA so their DNT signal is honored while
>             interacting with that site.  With transparent and clear
>             messaging to the user, this places the power within the
>             user's hands to decide how best to move forward.  I
>             believe this is much better than the user being left in
>             the dark, or alternately no publishers supporting DNT
>             since they are forced to honor non-compliant signals.
>
>             Predictability - The user is clearly messaged in all cases
>             - so outcomes are completely "predictable".
>
>         I'm not clear that there is any obligation for the user to be
>         clearly messaged here. In any case, how would that play out?
>         User: don't track me; UA: server does not acknowledge. What's
>         the next step here?
>
>             Only for "uncompliant" UAs?  - Yes, but this is subjective
>             choice by the Server and they must defend their position.
>              Since messaging is transparent, consumers can quickly
>             raise concerns if they feel a UA is being ignored incorrectly.
>
>             Who decides whether a UA is "uncompliant"?  - The Server does.
>
>         You are correct that ultimately, this could be referred to a
>         regulator if the customer disagrees with the server's decision.
>
>             Liability issues - disagree on your assessment of
>             liability in this case as the claim is directly tied to a
>             voluntary code and therefore the only legal enforcement is
>             that the Server must follow through on what it says it
>             will (contract).
>
>             Hindering privacy-by-default - It is FAR too early in the
>             process to attempt to quote draft regulations that will go
>             through tremendous change over the next two years prior to
>             becoming a regulation in force.
>
>             - Shane
>
>             -----Original Message-----
>             From: Jeffrey Chester [mailto:jeff@democraticmedia.org]
>             Sent: Friday, June 08, 2012 3:52 AM
>             To: Ninja Marnau
>             Cc: Rigo Wenning; ifette@google.com; Bjoern Hoehrmann;
>             David Singer; public-tracking@w3.org
>             (public-tracking@w3.org)
>             Subject: Re: Today's call: summary on user agent compliance
>
>             I support what Ninja says below, and the concerns Jonathan
>             raises.  There shouldn't be "cherry-picking" allowed in
>             the spec.  When sites receive DNT, they should honor it.
>              The W3C should not develop a policy that permits the
>             over-riding of requests/intent of global Internet users.
>
>             The key issue for us to address is the need to limit
>             collection and retention.  I hope we can discuss and build
>             support for a consensus on the proposal sent the other day
>             by EFF/Mozilla and Jonathan.  Without meaningful
>             collection and retention policy, we risk not having a spec
>             that can receive the support from many stakeholders (esp
>             civil society).  That is critical to the fate of the
>             privacy and digital consumer protection debates, esp. both
>             sides of the Atlantic.
>
>             Finally, I want to add that in my view and fairly quickly
>             a site that doesn't honor DNT will not be considered
>             "brand safe."  Responsible advertisers and brands
>             concerned about their reputation will need to respect a
>             robust DNT.  They will have to add DNT to the
>             blacklist/whitelist systems in place.  It behooves us to
>             continue to advance the process of ensuring monetization
>             and privacy can thrive together in the digital economy.
>
>             Jeff
>
>             On Jun 8, 2012, at 5:26 AM, Ninja Marnau wrote:
>
>                 We are discussing two different issues here.
>
>                 First is, I support that servers should give the users
>                 a clear answer whether their DNT request is honored.
>                 There should be an option to answer NACK.
>
>                 Second is, a company claiming "We will honor DNT when
>                 it's coming from the following user agents" or "We
>                 will honor DNT from all user agents except for the
>                 following" (I am quoting Ian's example here) is honest
>                 - and I appreciate that. But whether it is "compliant"
>                 to the DNT recommendation or not, is up to us as a
>                 working group. It is our task to discuss whether we
>                 want the spec to allow this cherry-picking. (Don't get
>                 me wrong, companies can still do so. But will they be
>                 able to claim DNT compliance?).
>                 I oppose this. I think the spec should state that when
>                 you receive a valid signal, no matter from what UA,
>                 you have to honor it in order to claim DNT compliance.
>
>                 There are several reasons for this:
>                 1) predictability
>                 David raised this point and I agree: "Defining that
>                 "I'll stop tracking unless I don't feel like it" as
>                 *compliant* makes it basically unpredictable what will
>                 happen."
>
>                 2) only for "uncompliant" UAs?
>                 If we open the spec to cherry-picking, will it stop at
>                 "uncompliant"? Or will the spec just stay silent or
>                 explicitly allow for other motivations? Patent
>                 lawsuits, harming competitors, just feeling like it -
>                 for painting a very black picture.
>                 I don't support this as being considered DNT compliant.
>
>                 3) Who decides whether a UA is "uncompliant"?
>                 As long as there is no judgement by a competent
>                 authority, this is a very critical statement.
>
>                 4) liability issues
>                 If the spec allows to NACK the DNT requests of
>                 "uncompliant" UAs, and a site claims to "honor DNT
>                 from all user agents except for the following ..." it
>                 makes a legally relevant statement about these UAs.
>                 Which may lead to liability and claims for damages by
>                 these UAs if the judgement is wrong.
>                 If the spec is more open ->   issue 2.
>
>                 5) hindering privacy-by-default
>                 The proposed Data Protection Regulation of the EC
>                 explicitly asks for privacy by default. (Art. 23)
>
>
>                 Ninja
>
>
>
>                 On 08.06.2012 10:25, Rigo Wenning wrote:
>
>                     On Thursday 07 June 2012 18:25:27 Ian Fette wrote:
>
>                         A site is already under no obligation to
>                         conform to DNT. Would you rather have the
>                         user be clear that their request is being
>                         ignored, or left to wonder?
>
>                     Precisely my point! Thanks Ian
>
>                     Rigo
>
>                 -- 
>
>                 Ninja Marnau
>                 mail: NMarnau@datenschutzzentrum.de -
>                 http://www.datenschutzzentrum.de
>                 Phone: +49 431/988-1285, Fax +49 431/988-1223
>                 Unabhaengiges Landeszentrum fuer Datenschutz
>                 Schleswig-Holstein
>                 Independent Centre for Privacy Protection
>                 Schleswig-Holstein
>
Received on Saturday, 9 June 2012 03:02:11 UTC
