Re: ACTION-211 Draft text on how user agents must obtain consent to turn on a DNT signal

Kevin,

You're going to win the battle and lose the war.

Show me in the spec where you can distinguish the "origination of the
intent". It doesn't exist. So if Microsoft ships it, and then I switch to
DNT:0 or turn it back on three days later the server still sees that as
non-compliant? That's ridiculous.

Microsoft exploited a loophole in the spec – the ability to not determine
the origination of intent. It leveraged that hole and is now seen leading the
charge for Privacy. The comments against are based on a technicality which
has a hole in it. 

We've beaten this mule to death.


Peter
___________________________________
Peter J. Cranstone
720.663.1752


From:  Kevin Smith <kevsmith@adobe.com>
Date:  Wednesday, June 13, 2012 4:07 PM
To:  Peter Cranstone <peter.cranstone@gmail.com>, "ifette@google.com"
<ifette@google.com>
Cc:  Justin Brookman <justin@cdt.org>, W3 Tracking <public-tracking@w3.org>
Subject:  RE: ACTION-211 Draft text on how user agents must obtain consent
to turn on a DNT signal

> Peter, it's that very fact which makes MSIE 10 non-compliant and gives servers
> the right to ignore all DNT headers from IE regardless of who set them and
> still be compliant.  You are hitting the point exactly.  However, this does
> not mean that servers need to cave in and do what a non-compliant browser
> dictates to them.  In fact, it means the exact opposite.  It means that since
> you cannot tell the origination of the intent, you can ignore all DNT:1
> headers from that particular UA.  In this case, it is the user who is
> negatively affected, especially if they intended to send the DNT:1 signal.
> This will provide that user with incentive to switch browsers which will in
> turn apply pressure to the non-compliant browser to become compliant.
>  
> -kevin
>  
> 
> From: Peter Cranstone [mailto:peter.cranstone@gmail.com]
> Sent: Wednesday, June 13, 2012 8:57 AM
> To: ifette@google.com
> Cc: Justin Brookman; public-tracking@w3.org
> Subject: Re: ACTION-211 Draft text on how user agents must obtain consent to
> turn on a DNT signal
>  
> 
> The point that I'm trying to make is that the server has NO indication WHO set
> the DNT flag. There is NOTHING in the spec to indicate this.
> 
>  
> 
> You know (human) that MSIE ships with the default set to 1. Ok, I get that.
> But if I change it and then change it back two days later are you still going
> to reject every request?
> 
>  
> 
> This whole "default" issue is a red herring. The server doesn't know default
> from a hole in the wall. All it sees is DNT:1 and a UA.
> 
>  
> 
>  
> 
> 
> Peter
> ___________________________________
> Peter J. Cranstone
> 720.663.1752
> 
>  
> 
> From: "Ian Fette (イアンフェッティ)" <ifette@google.com>
> Reply-To: <ifette@google.com>
> Date: Wednesday, June 13, 2012 8:52 AM
> To: Peter Cranstone <peter.cranstone@gmail.com>
> Cc: Justin Brookman <justin@cdt.org>, W3 Tracking <public-tracking@w3.org>
> Subject: Re: ACTION-211 Draft text on how user agents must obtain consent to
> turn on a DNT signal
> 
>  
>> Peter, what are you trying to get at? I am missing it.
>> 
>>  
>> 
>> In the case of seeing DNT:1 from IE10, by far the most likely reason for
>> seeing that is that it's the default, and so in the absence of any other
>> information a server would be justified in thinking that it wasn't an actual
>> expression by the user but rather an expression by MSFT. You're correct in
>> that in the general case it's impossible to tell who tweaked the setting
>> (except perhaps in the case of SSL, where you know it was something on the
>> user's computer), but what are you trying to get at?
>> 
>> On Wed, Jun 13, 2012 at 7:46 AM, Peter Cranstone <peter.cranstone@gmail.com>
>> wrote:
>> 
>> I know what the spec says.
>> 
>>  
>> 
>> What I'm asking you to define is how the server knows WHO set the DNT flag.
>> Nobody has been able to answer that question yet.
>> 
>>  
>> 
>> 
>> Peter
>> ___________________________________
>> Peter J. Cranstone
>> 720.663.1752
>> 
>>  
>> 
>> From: Justin Brookman <justin@cdt.org>
>> Date: Wednesday, June 13, 2012 8:41 AM
>> To: W3 Tracking <public-tracking@w3.org>
>> Subject: Re: ACTION-211 Draft text on how user agents must obtain consent to
>> turn on a DNT signal
>> Resent-From: W3 Tracking <public-tracking@w3.org>
>> Resent-Date: Wed, 13 Jun 2012 14:41:56 +0000
>> 
>>  
>>> 
>>> On 6/13/2012 10:35 AM, Peter Cranstone wrote:
>>>> 
>>>>>> >> We do not specify how tracking preference choices are offered to the
>>>>>> user or how the preference is enabled:
>>>> 
>>>>  
>>>> 
>>>> & 
>>>> 
>>>>  
>>>> 
>>>>>> >> Implementations of HTTP that are not under control of the user must
>>>>>> not express a tracking preference on their behalf.
>>>> 
>>>>  
>>>> 
>>>> Which means that MSIE 10 is compliant, because it's under the control of
>>>> the user.
>>> This alone does not mean that IE10 is compliant, as there is separate text
>>> saying that "A user agent MUST NOT express a tracking preference for a user
>>> unless the user has interacted with the user agent in such a way as to
>>> indicate a tracking preference."
>>> 
>>>  
>>> 
>>>>> >> Implementations of HTTP that are not under control of the user must not
>>>>> express a tracking preference on their behalf.
>>> 
>>>  
>>> 
>>> How do you know? All a proxy server has to do is add DNT:1 - take Abine for
>>> example. A 3rd party plugin that adds DNT:1 to the outbound header. You have
>>> no idea who set it because there's no code to determine who did it. Me or
>>> the add on.
>>> 
>>> I agree that third parties should not be second guessing DNT:1 signals for
>>> all the reasons that I and others have expressed over the list in the last
>>> two weeks.
>>>> 
>>>> 
>>>> Peter
>>>> ___________________________________
>>>> Peter J. Cranstone
>>>> 720.663.1752
>>>> 
>>>>  
>>>> 
>>>> From: Justin Brookman <justin@cdt.org>
>>>> Date: Wednesday, June 13, 2012 8:26 AM
>>>> To: W3 Tracking <public-tracking@w3.org>
>>>> Subject: ACTION-211 Draft text on how user agents must obtain consent to
>>>> turn on a DNT signal
>>>> Resent-From: W3 Tracking <public-tracking@w3.org>
>>>> Resent-Date: Wed, 13 Jun 2012 14:27:17 +0000
>>>> 
>>>>  
>>>>> 
>>>>> Hello, here is draft language for the compliance document on user agent
>>>>> requirements.  The first paragraph is new, the second two are
>>>>> copied-and-pasted from Section 3 of the current TPE spec.
>>>>> 
>>>>> Replace 4.2 Intermediary Compliance (empty) with this new section:
>>>>> 
>>>>> 4.2 User Agent Compliance
>>>>> 
>>>>> A user agent MAY offer a control to express a tracking preference to third
>>>>> parties.  The control MUST communicate the user's preference in accordance
>>>>> with the [[Tracking Preference Expression (DNT)]] recommendation and
>>>>> otherwise comply with that recommendation.  A user agent MUST NOT express
>>>>> a tracking preference for a user unless the user has interacted with the
>>>>> user agent in such a way as to indicate a tracking preference.
>>>>> We do not specify how tracking preference choices are offered to the user
>>>>> or how the preference is enabled: each implementation is responsible for
>>>>> determining the user experience by which a tracking preference is enabled.
>>>>> For example, a user might select a check-box in their user agent's
>>>>> configuration, install an extension or add-on that is specifically
>>>>> designed to add a tracking preference expression, or make a choice for
>>>>> privacy that then implicitly includes a tracking preference (e.g., Privacy
>>>>> settings: high). Likewise, a user might install or configure a proxy to
>>>>> add the expression to their own outgoing requests.
>>>>> 
>>>>> Although some controlled network environments, such as public access
>>>>> terminals or managed corporate intranets, might impose restrictions on the
>>>>> use or configuration of installed user agents, such that a user might only
>>>>> have access to user agents with a predetermined preference enabled, the
>>>>> user is at least able to choose whether to make use of those user agents.
>>>>> In contrast, if a user brings their own Web-enabled device to a library or
>>>>> cafe with wireless Internet access, the expectation will be that their
>>>>> chosen user agent and personal preferences regarding Web site behavior
>>>>> will not be altered by the network environment, aside from blanket
>>>>> limitations on what resources can or cannot be accessed through that
>>>>> network. Implementations of HTTP that are not under control of the user
>>>>> must not express a tracking preference on their behalf.
>>>>> -- 
>>>>> Justin Brookman
>>>>> Director, Consumer Privacy
>>>>> Center for Democracy & Technology
>>>>> 1634 I Street NW, Suite 1100
>>>>> Washington, DC 20006
>>>>> tel 202.407.8812
>>>>> fax 202.637.0969 justin@cdt.org http://www.cdt.org
>>>>> @CenDemTech
>>>>> @JustinBrookman
>>  

Received on Wednesday, 13 June 2012 22:18:07 UTC