W3C home > Mailing lists > Public > public-tracking@w3.org > June 2012

Re: Evolving Online Privacy - Advancing User Choice

From: Kevin Kiley <kevin.kiley@3pmobile.com>
Date: Thu, 21 Jun 2012 07:56:48 +0000
To: "public-tracking@w3.org" <public-tracking@w3.org>
CC: "wileys@yahoo-inc.com" <wileys@yahoo-inc.com>, "fielding@gbiv.com" <fielding@gbiv.com>, "rigo@w3.org" <rigo@w3.org>, Kevin Kiley <kevin.kiley@3pmobile.com>
Message-ID: <B400AD156CAF3E4680360A8988DCC9752C26E7C7@MBX022-E1-NJ-6.exch022.domain.local>
Regarding the changes made today to section 3 of the TPE...

Comment are inline below...

> ** Current Editor's Draft ( As of 06/20/12. Not yet PUBLISHED )
>
> http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
>
> Tracking Preference Expression (DNT)
> W3C Editor's Draft 20 June 2012
>
> 3. Determining User Preference
>
> The goal of this protocol is to allow a user to express their personal preference regarding tracking to each server and web application
> that they communicate with via HTTP, thereby allowing each service to either adjust their behavior to meet the user's expectations or
> reach a separate agreement with the user to satisfy all parties.
>
> Key to that notion of expression is that it must reflect the user's choice, not the choice of some vendor, institution, or network-imposed
> mechanism outside the user's control. The basic principle is that a tracking preference expression is only transmitted when it reflects a
> deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed.
>
> A user agent must offer users a minimum of two alternative choices for a "Do Not Track" preference: unset or on. A user agent may offer a
> third alternative choice: off. If the user's choice is on or off, the tracking preference is enabled; otherwise, the tracking preference is not enabled.
>
> A user agent must have a default tracking preference of unset (not enabled) unless a specific tracking preference is implied by the decision to
> use that agent. For example, use of a general-purpose browser would not imply a tracking preference when invoked normally as "SuperFred",
> but might imply a preference if invoked as "SuperDoNotTrack" or "UltraPrivacyFred".

Seriously?

So the essence of whether a User Agent is going to be able to specify a default for DNT is going to based on what the NAME of the software might be?

If Mozilla releases a version of Firefox named 'SuperDoNotTrackFirefox', that version is allowed to have a DNT default, but 'Firefox' isn't?

I think this all needs to be redone so it is MUCH clearer what the real criteria is for a piece of software being able to have a DNT default.

What you have now is about as clear as MUD.

> Likewise, a user agent extension or add-on must not alter
> the tracking preference unless the act of installing and enabling that extension or add-on is an explicit choice by the user for that tracking preference.
>
> We do not specify how tracking preference choices are offered to the user or how the preference is enabled: each implementation is responsible for
> determining the user experience by which a tracking preference is enabled. For example, a user might select a check-box in their user agent's
> configuration, install an extension or add-on that is specifically designed to add a tracking preference expression, or make a choice for privacy that
> then implicitly includes a tracking preference (e.g., "Privacy settings: high"). Likewise, a user might install or configure a proxy to add the expression
> to their own outgoing requests.
>
> Although some controlled network environments, such as public access terminals or managed corporate intranets, might impose restrictions on
> the use or configuration of installed user agents, such that a user might only have access to user agents with a predetermined preference enabled,
> the user is at least able to choose whether to make use of those user agents.

That's a false statement. The user MIGHT not 'have that choice'.

The included example (yours) of ''managed corporate intranets" automatically includes "places of employment".

The only 'choice' the user might have in that case is whether or not to work there ( anymore ).

> In contrast, if a user brings their own Web-enabled device to a library
> or cafe with wireless Internet access, the expectation will be that their chosen user agent and personal preferences regarding Web site behavior will
> not be altered by the network environment, aside from blanket limitations on what resources can or cannot be accessed through that network.
> Implementations of HTTP that are not under control of the user must not express a tracking preference on their behalf.

This is also VERY confusing.

It contradicts itself even within the same paragraph and doesn't jive at all with the previous paragraphs.

Needs CLARITY.

Regards
Kevin

END OF EDITOR'S DRAFT DATED 06/2012

The complete Section 3 from both the 'Current Editor's Draft' ( as of today ) and the previous ( currently published )
'Working Draft' ( as of March 13 2012 ) are included below ( without comment ) for reference...

** Current Editor's Draft ( As of today... not yet PUBLISHED )

http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html

Tracking Preference Expression (DNT)
W3C Editor's Draft 20 June 2012

3. Determining User Preference

The goal of this protocol is to allow a user to express their personal preference regarding tracking to each server and web application
that they communicate with via HTTP, thereby allowing each service to either adjust their behavior to meet the user's expectations or
reach a separate agreement with the user to satisfy all parties.

Key to that notion of expression is that it must reflect the user's choice, not the choice of some vendor, institution, or network-imposed
mechanism outside the user's control. The basic principle is that a tracking preference expression is only transmitted when it reflects a
deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed.

A user agent must offer users a minimum of two alternative choices for a "Do Not Track" preference: unset or on. A user agent may offer a
third alternative choice: off. If the user's choice is on or off, the tracking preference is enabled; otherwise, the tracking preference is not enabled.

A user agent must have a default tracking preference of unset (not enabled) unless a specific tracking preference is implied by the decision to
use that agent. For example, use of a general-purpose browser would not imply a tracking preference when invoked normally as "SuperFred",
but might imply a preference if invoked as "SuperDoNotTrack" or "UltraPrivacyFred". Likewise, a user agent extension or add-on must not alter
the tracking preference unless the act of installing and enabling that extension or add-on is an explicit choice by the user for that tracking preference.

We do not specify how tracking preference choices are offered to the user or how the preference is enabled: each implementation is responsible for
determining the user experience by which a tracking preference is enabled. For example, a user might select a check-box in their user agent's
configuration, install an extension or add-on that is specifically designed to add a tracking preference expression, or make a choice for privacy that
then implicitly includes a tracking preference (e.g., "Privacy settings: high"). Likewise, a user might install or configure a proxy to add the expression
to their own outgoing requests.

Although some controlled network environments, such as public access terminals or managed corporate intranets, might impose restrictions on
the use or configuration of installed user agents, such that a user might only have access to user agents with a predetermined preference enabled,
the user is at least able to choose whether to make use of those user agents. In contrast, if a user brings their own Web-enabled device to a library
or cafe with wireless Internet access, the expectation will be that their chosen user agent and personal preferences regarding Web site behavior will
not be altered by the network environment, aside from blanket limitations on what resources can or cannot be accessed through that network.
Implementations of HTTP that are not under control of the user must not express a tracking preference on their behalf.


** Previous Working Draft ( Current PUBLISHED version )...

http://www.w3.org/TR/2012/WD-tracking-dnt-20120313/

Tracking Preference Expression (DNT)
W3C Working Draft 13 March 2012

3. Determining User Preference

The goal of this protocol is to allow a user to express their personal preference regarding tracking to each server and web application
that they communicate with via HTTP, thereby allowing each service to either adjust their behavior to meet the user's expectations or
reach a separate agreement with the user to satisfy all parties.

Key to that notion of expression is that it must reflect the user's preference, not the preference of some institutional or network-imposed
mechanism outside the user's control. Although some controlled network environments, such as public access terminals or managed
corporate intranets, might impose restrictions on the use or configuration of installed user agents, such that a user might only have access
to user agents with a predetermined preference enabled, the user is at least able to choose whether to make use of those user agents.
In contrast, if a user brings their own Web-enabled device to a library or cafe with wireless Internet access, the expectation will be that
their chosen user agent and personal preferences regarding Web site behavior will not be altered by the network environment, aside from
blanket limitations on what sites can or cannot be accessed through that network.

The remainder of this specification defines the protocol in terms of whether a tracking preference is enabled or not enabled. We do not specify
how that preference is enabled: each implementation is responsible for determining the user experience by which this preference is enabled.

For example, a user might select a check-box in their user agent's configuration, install a plug-in or extension that is specifically designed
to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., "Privacy settings: high").
Likewise, a user might install or configure a proxy to add the expression to their own outgoing requests. For each of these cases, we say that a
tracking preference is enabled.
Received on Thursday, 21 June 2012 07:57:30 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:31 UTC