W3C home > Mailing lists > Public > public-tracking@w3.org > June 2012

Re: Today's call: summary on user agent compliance

From: Tamir Israel <tisrael@cippic.ca>
Date: Mon, 11 Jun 2012 20:12:02 -0400
Message-ID: <4FD68952.9090201@cippic.ca>
To: Rigo Wenning <rigo@w3.org>
CC: ifette@google.com, Shane Wiley <wileys@yahoo-inc.com>, Jeffrey Chester <jeff@democraticmedia.org>, Ninja Marnau <nmarnau@datenschutzzentrum.de>, Bjoern Hoehrmann <derhoermi@gmx.net>, David Singer <singer@apple.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Hi Rigo,

On 6/11/2012 3:32 AM, Rigo Wenning wrote:
> Tamir,
>
> we have some logic breaks in the below and that leads to the
> Canadien issue, which is IMHO just an instance of a larger problem.
>
> On Friday 08 June 2012 22:56:20 Tamir Israel wrote:
>> The similarities in regime break down, however, where a server
>> rejects a  DNT-1 (because it was set by default), and there is no
>> alternate mechanism left for the user to opt-out. As the server
>> can no longer rely on implicit/opt-out consent in this case,
>> presumably they can no longer track.
> Again, a protocol can't mean that a service MUST respect the things
> in the compliance specification without having committed to it by
> sending ACK.

You are correct that the obligation to comply with a signal will come 
from [Canadian] law, not the spec. But the manner in which the spec 
defines the validity of signals (as opposed to the scope of signals) 
will make a difference for server implementations and this, in turn, 
will impact on the utility of this DNT mechanism in addressing 
regulatory obligations.

> To get to a situation you describe above in the
> Canadian system, a law would have to oblige services to respect
> DNT:1 and apply the rules of the compliance specification for all
> and every request they get with a DNT:1 header. I can't read that
> into the Canadian law.
>
> One can only come to this conclusion if DNT:1 is only applied to
> online behavioral advertisement by third parties. Roy has urged us
> many times to define tracking in this way and the WG consistently
> refused.
>
> One consequence of this refusal is that a DNT:1 header can be sent
> to almost anything. This would turn off single-sign-on and other
> personalized services. So a service must be able to deny DNT:1 if
> the service would not make sense in the DNT:1 - mode.

Food for thought. Offhand, I think the concern I was expressing was not 
that servers should be obligated to respect all DNT-1 signals regardless 
of /scope/. Rather, my concern was that they can reject facially valid 
DNT-1s solely on the basis that they do not deem them to be valid in 
contexts where consent is required.

But let me think about this some more....

> Additionally, the right to opt-out does not create a right to
> receive the content. So in a Canadian context, if a service does not
> offer an opt-out, it can still deny content delivery. What a service
> wouldn't be able to do is to just continue tracking as if nothing
> happened.

This is an interesting question. It is not clear how this would work on 
a site by site case (and I understood the site-specific exceptions might 
be designed to handle such exceptions, but I will take a closer look). 
The OPC did make clear in their guidelines that obligating users to 
consent to online tracking "should not be considered a term or condition 
for individuals to use the Internet generally. There are still other 
forms of advertising that web sites can rely on". I had understood the 
FTC's writings on this to be along the same lines.

> Now if a user has sent DNT:1 and the service responds with NACK and
> the user continues to use that service, the service can reasonably
> assume that the user has implicitly agreed not to opt out. If the
> user still sends DNT:1 headers, the OPC has to decide whether it
> wants the service to trigger an exception in the face of the user to
> stop the non-interaction of two blind-deaf DNT implementations.
>
> Which brings me to the point (which ISSUE should I attach it to?)
> that a compliant user agent SHOULD NOT resend a request with DNT:1
> to a URI after having received an NACK. (Some may want to prompt the
> user, others will find better solutions)

I'm not sure this is the solution. The OPC's guidelines make it clear 
that there has to be an effective, readily available opt-out mechanism 
in place before the server can rely on opt-out consent. The fact that 
the server denies a UA's DNT-1 /on the basis that it deems the signal 
invalid /(not on the basis of scope) and lets the UA know this -- this 
would not amount to consent, so servers will still lack a mechanism for 
achieving consent in this particular context.

Best regards,
Tamir
Received on Tuesday, 12 June 2012 00:13:17 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:30 UTC