W3C home > Mailing lists > Public > public-tracking@w3.org > June 2012

Re: Evolving Online Privacy - Advancing User Choice

From: Peter Cranstone <peter.cranstone@gmail.com>
Date: Thu, 21 Jun 2012 08:25:01 -0600
To: Kevin Kiley <kevin.kiley@3pmobile.com>, "public-tracking@w3.org" <public-tracking@w3.org>
CC: "wileys@yahoo-inc.com" <wileys@yahoo-inc.com>, "fielding@gbiv.com" <fielding@gbiv.com>, "rigo@w3.org" <rigo@w3.org>
Message-ID: <CC08874C.3EA4%peter.cranstone@gmail.com>
RE:
> Key to that notion of expression is that it must reflect the user's choice,
not the choice of some vendor, institution, or network-imposed
> mechanism outside the user's control. The basic principle is that a tracking
preference expression is only transmitted when it reflects a
> deliberate choice by the user. In the absence of user choice, there is no
tracking preference expressed.


AndŠ


<PROPOSED CHANGE>
Normative: "... users MAY be given a choice during installation, update or
first startup."

Non-normative:
There are use cases, where a choice given on first startup would be the
preferred choice mechanism.
For example,
- a device can have multiple user profiles per installation;
- in cases where browsers are not installed by the user.
</PROPOSED CHANGE>


IF you want this Š Key to that notion of expression is that it must reflect
the user's choice, not the choice of some vendor, institution, or
network-imposed mechanism outside the user's control. Then the normative
change needs to be a MUST. It cannot be anything else than that otherwise
every corporate install/mandate/3rd party plugin will fail the test.

I'm starting to sound like a broken record here, but if the ONLY thing the
server sees is DNT:1 then you have to honor it. Here's an example of what
needs to take place.

Client sends:               DNT:1    <- As per the spec
 
Server sends back    DNT-QUERY: Confirm this is your choice <- ( Or whatever
) 
 
Client sends back:    DNT:2     <- Whatever W3 decide is an ACK signal.


Now for that session it is perfectly clear what the intent of the real user
(the person sitting in front of the keyboard/monitor) was.


So what's wrong with the above?
 


Peter
___________________________________
Peter J. Cranstone
720.663.1752


From:  Kevin Kiley <kevin.kiley@3pmobile.com>
Date:  Thursday, June 21, 2012 1:56 AM
To:  W3 Tracking <public-tracking@w3.org>
Cc:  "wileys@yahoo-inc.com" <wileys@yahoo-inc.com>, "fielding@gbiv.com"
<fielding@gbiv.com>, "rigo@w3.org" <rigo@w3.org>, Kevin Kiley
<kevin.kiley@3pmobile.com>
Subject:  Re: Evolving Online Privacy - Advancing User Choice
Resent-From:  W3 Tracking <public-tracking@w3.org>
Resent-Date:  Thu, 21 Jun 2012 07:57:39 +0000

> Regarding the changes made today to section 3 of the TPE...
>  
> Comment are inline belowŠ
>  
>> > ** Current Editor's Draft ( As of 06/20/12. Not yet PUBLISHED )
>> > 
>> > http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
>> > 
>> > Tracking Preference Expression (DNT)
>> > W3C Editor's Draft 20 June 2012
>> > 
>> > 3. Determining User Preference
>> > 
>> > The goal of this protocol is to allow a user to express their personal
>> preference regarding tracking to each server and web application
>> > that they communicate with via HTTP, thereby allowing each service to
>> either adjust their behavior to meet the user's expectations or
>> > reach a separate agreement with the user to satisfy all parties.
>> > 
>> > Key to that notion of expression is that it must reflect the user's choice,
>> not the choice of some vendor, institution, or network-imposed
>> > mechanism outside the user's control. The basic principle is that a
>> tracking preference expression is only transmitted when it reflects a
>> > deliberate choice by the user. In the absence of user choice, there is no
>> tracking preference expressed.
>> > 
>> > A user agent must offer users a minimum of two alternative choices for a
>> "Do Not Track" preference: unset or on. A user agent may offer a
>> > third alternative choice: off. If the user's choice is on or off, the
>> tracking preference is enabled; otherwise, the tracking preference is not
>> enabled.
>> > 
>> > A user agent must have a default tracking preference of unset (not enabled)
>> unless a specific tracking preference is implied by the decision to
>> > use that agent. For example, use of a general-purpose browser would not
>> imply a tracking preference when invoked normally as "SuperFred",
>> > but might imply a preference if invoked as "SuperDoNotTrack" or
>> "UltraPrivacyFred".
>  
> Seriously? 
>  
> So the essence of whether a User Agent is going to be able to specify a
> default for DNT is going to based on what the NAME of the software might be?
>  
> If Mozilla releases a version of Firefox named 'SuperDoNotTrackFirefox', that
> version is allowed to have a DNT default, but 'Firefox' isn't?
>  
> I think this all needs to be redone so it is MUCH clearer what the real
> criteria is for a piece of software being able to have a DNT default.
>  
> What you have now is about as clear as MUD.
>  
>> > Likewise, a user agent extension or add-on must not alter
>> > the tracking preference unless the act of installing and enabling that
>> extension or add-on is an explicit choice by the user for that tracking
>> preference.
>> > 
>> > We do not specify how tracking preference choices are offered to the user
>> or how the preference is enabled: each implementation is responsible for
>> > determining the user experience by which a tracking preference is enabled.
>> For example, a user might select a check-box in their user agent's
>> > configuration, install an extension or add-on that is specifically designed
>> to add a tracking preference expression, or make a choice for privacy that
>> > then implicitly includes a tracking preference (e.g., "Privacy settings:
>> high"). Likewise, a user might install or configure a proxy to add the
>> expression
>> > to their own outgoing requests.
>> > 
>> > Although some controlled network environments, such as public access
>> terminals or managed corporate intranets, might impose restrictions on
>> > the use or configuration of installed user agents, such that a user might
>> only have access to user agents with a predetermined preference enabled,
>> > the user is at least able to choose whether to make use of those user
>> agents. 
>  
> That's a false statement. The user MIGHT not 'have that choice'.
>  
> The included example (yours) of ''managed corporate intranets" automatically
> includes "places of employment".
>  
> The only 'choice' the user might have in that case is whether or not to work
> there ( anymore ).
>  
>> > In contrast, if a user brings their own Web-enabled device to a library
>> > or cafe with wireless Internet access, the expectation will be that their
>> chosen user agent and personal preferences regarding Web site behavior will
>> > not be altered by the network environment, aside from blanket limitations
>> on what resources can or cannot be accessed through that network.
>> > Implementations of HTTP that are not under control of the user must not
>> express a tracking preference on their behalf.
>  
> This is also VERY confusing.
>  
> It contradicts itself even within the same paragraph and doesn't jive at all
> with the previous paragraphs.
>  
> Needs CLARITY.
>  
> Regards
> Kevin
>  
> END OF EDITOR'S DRAFT DATED 06/2012
>  
> The complete Section 3 from both the 'Current Editor's Draft' ( as of today )
> and the previous ( currently published )
> 'Working Draft' ( as of March 13 2012 ) are included below ( without comment )
> for reference...
>  
> ** Current Editor's Draft ( As of today... not yet PUBLISHED )
>  
> http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
>  
> Tracking Preference Expression (DNT)
> W3C Editor's Draft 20 June 2012
>  
> 3. Determining User Preference
>  
> The goal of this protocol is to allow a user to express their personal
> preference regarding tracking to each server and web application
> that they communicate with via HTTP, thereby allowing each service to either
> adjust their behavior to meet the user's expectations or
> reach a separate agreement with the user to satisfy all parties.
>  
> Key to that notion of expression is that it must reflect the user's choice,
> not the choice of some vendor, institution, or network-imposed
> mechanism outside the user's control. The basic principle is that a tracking
> preference expression is only transmitted when it reflects a
> deliberate choice by the user. In the absence of user choice, there is no
> tracking preference expressed.
>  
> A user agent must offer users a minimum of two alternative choices for a "Do
> Not Track" preference: unset or on. A user agent may offer a
> third alternative choice: off. If the user's choice is on or off, the tracking
> preference is enabled; otherwise, the tracking preference is not enabled.
>  
> A user agent must have a default tracking preference of unset (not enabled)
> unless a specific tracking preference is implied by the decision to
> use that agent. For example, use of a general-purpose browser would not imply
> a tracking preference when invoked normally as "SuperFred",
> but might imply a preference if invoked as "SuperDoNotTrack" or
> "UltraPrivacyFred". Likewise, a user agent extension or add-on must not alter
> the tracking preference unless the act of installing and enabling that
> extension or add-on is an explicit choice by the user for that tracking
> preference.
>  
> We do not specify how tracking preference choices are offered to the user or
> how the preference is enabled: each implementation is responsible for
> determining the user experience by which a tracking preference is enabled. For
> example, a user might select a check-box in their user agent's
> configuration, install an extension or add-on that is specifically designed to
> add a tracking preference expression, or make a choice for privacy that
> then implicitly includes a tracking preference (e.g., "Privacy settings:
> high"). Likewise, a user might install or configure a proxy to add the
> expression 
> to their own outgoing requests.
>  
> Although some controlled network environments, such as public access terminals
> or managed corporate intranets, might impose restrictions on
> the use or configuration of installed user agents, such that a user might only
> have access to user agents with a predetermined preference enabled,
> the user is at least able to choose whether to make use of those user agents.
> In contrast, if a user brings their own Web-enabled device to a library
> or cafe with wireless Internet access, the expectation will be that their
> chosen user agent and personal preferences regarding Web site behavior will
> not be altered by the network environment, aside from blanket limitations on
> what resources can or cannot be accessed through that network.
> Implementations of HTTP that are not under control of the user must not
> express a tracking preference on their behalf.
>  
>  
> ** Previous Working Draft ( Current PUBLISHED version )...
>  
> http://www.w3.org/TR/2012/WD-tracking-dnt-20120313/
>  
> Tracking Preference Expression (DNT)
> W3C Working Draft 13 March 2012
>  
> 3. Determining User Preference
>  
> The goal of this protocol is to allow a user to express their personal
> preference regarding tracking to each server and web application
> that they communicate with via HTTP, thereby allowing each service to either
> adjust their behavior to meet the user's expectations or
> reach a separate agreement with the user to satisfy all parties.
>  
> Key to that notion of expression is that it must reflect the user's
> preference, not the preference of some institutional or network-imposed
> mechanism outside the user's control. Although some controlled network
> environments, such as public access terminals or managed
> corporate intranets, might impose restrictions on the use or configuration of
> installed user agents, such that a user might only have access
> to user agents with a predetermined preference enabled, the user is at least
> able to choose whether to make use of those user agents.
> In contrast, if a user brings their own Web-enabled device to a library or
> cafe with wireless Internet access, the expectation will be that
> their chosen user agent and personal preferences regarding Web site behavior
> will not be altered by the network environment, aside from
> blanket limitations on what sites can or cannot be accessed through that
> network.
>  
> The remainder of this specification defines the protocol in terms of whether a
> tracking preference is enabled or not enabled. We do not specify
> how that preference is enabled: each implementation is responsible for
> determining the user experience by which this preference is enabled.
>  
> For example, a user might select a check-box in their user agent's
> configuration, install a plug-in or extension that is specifically designed
> to add a tracking preference expression, or make a choice for privacy that
> then implicitly includes a tracking preference (e.g., "Privacy settings:
> high"). 
> Likewise, a user might install or configure a proxy to add the expression to
> their own outgoing requests. For each of these cases, we say that a
> tracking preference is enabled.
>  
Received on Thursday, 21 June 2012 14:25:52 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:31 UTC