- From: Peter Cranstone <peter.cranstone@gmail.com>
- Date: Thu, 21 Jun 2012 08:25:01 -0600
- To: Kevin Kiley <kevin.kiley@3pmobile.com>, "public-tracking@w3.org" <public-tracking@w3.org>
- CC: "wileys@yahoo-inc.com" <wileys@yahoo-inc.com>, "fielding@gbiv.com" <fielding@gbiv.com>, "rigo@w3.org" <rigo@w3.org>
- Message-ID: <CC08874C.3EA4%peter.cranstone@gmail.com>
RE:

> Key to that notion of expression is that it must reflect the user's choice, not the choice of some vendor, institution, or network-imposed mechanism outside the user's control. The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed.

And…

<PROPOSED CHANGE>
Normative: "... users MAY be given a choice during installation, update or first startup."
Non-normative: There are use cases, where a choice given on first startup would be the preferred choice mechanism. For example,
- a device can have multiple user profiles per installation;
- in cases where browsers are not installed by the user.
</PROPOSED CHANGE>

IF you want this …

Key to that notion of expression is that it must reflect the user's choice, not the choice of some vendor, institution, or network-imposed mechanism outside the user's control.

Then the normative change needs to be a MUST. It cannot be anything else than that otherwise every corporate install/mandate/3rd party plugin will fail the test.

I'm starting to sound like a broken record here, but if the ONLY thing the server sees is DNT:1 then you have to honor it.

Here's an example of what needs to take place.

Client sends: DNT:1 <- As per the spec
Server sends back DNT-QUERY: Confirm this is your choice <- ( Or whatever )
Client sends back: DNT:2 <- Whatever W3 decide is an ACK signal.

Now for that session it is perfectly clear what the intent of the real user (the person sitting in front of the keyboard/monitor) was.

So what's wrong with the above?

Peter

___________________________________
Peter J. Cranstone
720.663.1752

From: Kevin Kiley <kevin.kiley@3pmobile.com>
Date: Thursday, June 21, 2012 1:56 AM
To: W3 Tracking <public-tracking@w3.org>
Cc: "wileys@yahoo-inc.com" <wileys@yahoo-inc.com>, "fielding@gbiv.com" <fielding@gbiv.com>, "rigo@w3.org" <rigo@w3.org>, Kevin Kiley <kevin.kiley@3pmobile.com>
Subject: Re: Evolving Online Privacy - Advancing User Choice
Resent-From: W3 Tracking <public-tracking@w3.org>
Resent-Date: Thu, 21 Jun 2012 07:57:39 +0000

> Regarding the changes made today to section 3 of the TPE...
>
> Comments are inline below…
>
>> > ** Current Editor's Draft ( As of 06/20/12. Not yet PUBLISHED )
>> >
>> > http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
>> >
>> > Tracking Preference Expression (DNT)
>> > W3C Editor's Draft 20 June 2012
>> >
>> > 3. Determining User Preference
>> >
>> > The goal of this protocol is to allow a user to express their personal preference regarding tracking to each server and web application that they communicate with via HTTP, thereby allowing each service to either adjust their behavior to meet the user's expectations or reach a separate agreement with the user to satisfy all parties.
>> >
>> > Key to that notion of expression is that it must reflect the user's choice, not the choice of some vendor, institution, or network-imposed mechanism outside the user's control. The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed.
>> >
>> > A user agent must offer users a minimum of two alternative choices for a "Do Not Track" preference: unset or on. A user agent may offer a third alternative choice: off. If the user's choice is on or off, the tracking preference is enabled; otherwise, the tracking preference is not enabled.
>> >
>> > A user agent must have a default tracking preference of unset (not enabled) unless a specific tracking preference is implied by the decision to use that agent. For example, use of a general-purpose browser would not imply a tracking preference when invoked normally as "SuperFred", but might imply a preference if invoked as "SuperDoNotTrack" or "UltraPrivacyFred".
>
> Seriously?
>
> So the essence of whether a User Agent is going to be able to specify a default for DNT is going to be based on what the NAME of the software might be?
>
> If Mozilla releases a version of Firefox named 'SuperDoNotTrackFirefox', that version is allowed to have a DNT default, but 'Firefox' isn't?
>
> I think this all needs to be redone so it is MUCH clearer what the real criteria is for a piece of software being able to have a DNT default.
>
> What you have now is about as clear as MUD.
>
>> > Likewise, a user agent extension or add-on must not alter the tracking preference unless the act of installing and enabling that extension or add-on is an explicit choice by the user for that tracking preference.
>> >
>> > We do not specify how tracking preference choices are offered to the user or how the preference is enabled: each implementation is responsible for determining the user experience by which a tracking preference is enabled. For example, a user might select a check-box in their user agent's configuration, install an extension or add-on that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., "Privacy settings: high"). Likewise, a user might install or configure a proxy to add the expression to their own outgoing requests.
>> >
>> > Although some controlled network environments, such as public access terminals or managed corporate intranets, might impose restrictions on the use or configuration of installed user agents, such that a user might only have access to user agents with a predetermined preference enabled, the user is at least able to choose whether to make use of those user agents.
>
> That's a false statement. The user MIGHT not 'have that choice'.
>
> The included example (yours) of ''managed corporate intranets" automatically includes "places of employment".
>
> The only 'choice' the user might have in that case is whether or not to work there ( anymore ).
>
>> > In contrast, if a user brings their own Web-enabled device to a library or cafe with wireless Internet access, the expectation will be that their chosen user agent and personal preferences regarding Web site behavior will not be altered by the network environment, aside from blanket limitations on what resources can or cannot be accessed through that network.
>> > Implementations of HTTP that are not under control of the user must not express a tracking preference on their behalf.
>
> This is also VERY confusing.
>
> It contradicts itself even within the same paragraph and doesn't jive at all with the previous paragraphs.
>
> Needs CLARITY.
>
> Regards
> Kevin
>
> END OF EDITOR'S DRAFT DATED 06/2012
>
> The complete Section 3 from both the 'Current Editor's Draft' ( as of today ) and the previous ( currently published ) 'Working Draft' ( as of March 13 2012 ) are included below ( without comment ) for reference...
>
> ** Current Editor's Draft ( As of today... not yet PUBLISHED )
>
> http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
>
> Tracking Preference Expression (DNT)
> W3C Editor's Draft 20 June 2012
>
> 3. Determining User Preference
>
> The goal of this protocol is to allow a user to express their personal preference regarding tracking to each server and web application that they communicate with via HTTP, thereby allowing each service to either adjust their behavior to meet the user's expectations or reach a separate agreement with the user to satisfy all parties.
>
> Key to that notion of expression is that it must reflect the user's choice, not the choice of some vendor, institution, or network-imposed mechanism outside the user's control. The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed.
>
> A user agent must offer users a minimum of two alternative choices for a "Do Not Track" preference: unset or on. A user agent may offer a third alternative choice: off. If the user's choice is on or off, the tracking preference is enabled; otherwise, the tracking preference is not enabled.
>
> A user agent must have a default tracking preference of unset (not enabled) unless a specific tracking preference is implied by the decision to use that agent. For example, use of a general-purpose browser would not imply a tracking preference when invoked normally as "SuperFred", but might imply a preference if invoked as "SuperDoNotTrack" or "UltraPrivacyFred". Likewise, a user agent extension or add-on must not alter the tracking preference unless the act of installing and enabling that extension or add-on is an explicit choice by the user for that tracking preference.
>
> We do not specify how tracking preference choices are offered to the user or how the preference is enabled: each implementation is responsible for determining the user experience by which a tracking preference is enabled. For example, a user might select a check-box in their user agent's configuration, install an extension or add-on that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., "Privacy settings: high"). Likewise, a user might install or configure a proxy to add the expression to their own outgoing requests.
>
> Although some controlled network environments, such as public access terminals or managed corporate intranets, might impose restrictions on the use or configuration of installed user agents, such that a user might only have access to user agents with a predetermined preference enabled, the user is at least able to choose whether to make use of those user agents. In contrast, if a user brings their own Web-enabled device to a library or cafe with wireless Internet access, the expectation will be that their chosen user agent and personal preferences regarding Web site behavior will not be altered by the network environment, aside from blanket limitations on what resources can or cannot be accessed through that network. Implementations of HTTP that are not under control of the user must not express a tracking preference on their behalf.
>
>
> ** Previous Working Draft ( Current PUBLISHED version )...
>
> http://www.w3.org/TR/2012/WD-tracking-dnt-20120313/
>
> Tracking Preference Expression (DNT)
> W3C Working Draft 13 March 2012
>
> 3. Determining User Preference
>
> The goal of this protocol is to allow a user to express their personal preference regarding tracking to each server and web application that they communicate with via HTTP, thereby allowing each service to either adjust their behavior to meet the user's expectations or reach a separate agreement with the user to satisfy all parties.
>
> Key to that notion of expression is that it must reflect the user's preference, not the preference of some institutional or network-imposed mechanism outside the user's control. Although some controlled network environments, such as public access terminals or managed corporate intranets, might impose restrictions on the use or configuration of installed user agents, such that a user might only have access to user agents with a predetermined preference enabled, the user is at least able to choose whether to make use of those user agents. In contrast, if a user brings their own Web-enabled device to a library or cafe with wireless Internet access, the expectation will be that their chosen user agent and personal preferences regarding Web site behavior will not be altered by the network environment, aside from blanket limitations on what sites can or cannot be accessed through that network.
>
> The remainder of this specification defines the protocol in terms of whether a tracking preference is enabled or not enabled. We do not specify how that preference is enabled: each implementation is responsible for determining the user experience by which this preference is enabled.
>
> For example, a user might select a check-box in their user agent's configuration, install a plug-in or extension that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., "Privacy settings: high"). Likewise, a user might install or configure a proxy to add the expression to their own outgoing requests. For each of these cases, we say that a tracking preference is enabled.
>
Received on Thursday, 21 June 2012 14:25:52 UTC
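
The DNT:1 / DNT-QUERY / DNT:2 exchange proposed in the message above, sketched from the server side as an added example (not code from the thread or from any W3C draft). DNT-QUERY and DNT:2 are the message's own hypothetical signals; the session state names, the function names and the handling of an unsolicited DNT:2 are assumptions made for illustration.

```python
# Added illustration of the DNT:1 / DNT-QUERY / DNT:2 exchange from the message.
# DNT-QUERY and DNT:2 are the message's hypothetical signals, not W3C-defined.
from dataclasses import dataclass

UNSET, UNCONFIRMED, CONFIRMED = "unset", "unconfirmed", "confirmed"

@dataclass
class Session:
    dnt_state: str = UNSET      # per-session view of the user's preference
    query_sent: bool = False    # True once the server has asked for confirmation

def handle_request(session: Session, headers: dict) -> tuple[dict, bool]:
    """Process one request; return (response_headers, may_track)."""
    # HTTP field names are case-insensitive, so normalise before lookup.
    fields = {k.strip().lower(): v.strip() for k, v in headers.items()}
    dnt = fields.get("dnt")
    response = {}

    if dnt == "2" and session.query_sent:
        # ACK that answers a query this server issued: intent is now explicit.
        session.dnt_state = CONFIRMED
    elif dnt in ("1", "2") and session.dnt_state != CONFIRMED:
        # A bare DNT:1, or an ACK with no outstanding query (assumption), is
        # still honoured; the server asks for confirmation.
        session.dnt_state = UNCONFIRMED
        session.query_sent = True
        response["DNT-QUERY"] = "Confirm this is your choice"

    # Honour the preference whether or not it has been confirmed yet.
    may_track = session.dnt_state == UNSET
    return response, may_track

def run_exchange(requests: list[dict]) -> list[tuple[str, bool, bool]]:
    """Replay constructed requests; report (state, queried, may_track) per step."""
    session, trace = Session(), []
    for headers in requests:
        response, may_track = handle_request(session, headers)
        trace.append((session.dnt_state, "DNT-QUERY" in response, may_track))
    return trace

if __name__ == "__main__":
    # Constructed sample: no header, DNT:1, the ACK, then a later request.
    for step in run_exchange([{}, {"DNT": "1"}, {"dnt": "2"}, {"DNT": "1"}]):
        print(step)
```

The server stops tracking as soon as it sees DNT:1 and only uses the query/ACK round trip to record that the preference was confirmed for the session.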