W3C home > Mailing lists > Public > public-tracking@w3.org > June 2012

Re: Evolving Online Privacy - Advancing User Choice

From: Peter Cranstone <peter.cranstone@gmail.com>
Date: Thu, 21 Jun 2012 09:00:01 -0600
To: Kevin Kiley <kevin.kiley@3pmobile.com>, "public-tracking@w3.org" <public-tracking@w3.org>
CC: "wileys@yahoo-inc.com" <wileys@yahoo-inc.com>, "fielding@gbiv.com" <fielding@gbiv.com>, "rigo@w3.org" <rigo@w3.org>
Message-ID: <CC0891B4.3EF6%peter.cranstone@gmail.com>
I would like to add clarification to my example below.

Please note that it is an example only. There is already an Open issue (111)
in the spec that talks to using DNT:2 so the likelihood of my suggested use
of DNT:2 for signaling intent is already wrong and something else would be
required.

My opinion remains the same thought  something is required to indicate to
the server what the users intent is. However after reading the letter from
the EU Commission in all likelihood this whole approach is now moot.

Quote.

Third, it is not the Commission's understanding that user agents' factory or
default setting necessarily determine or distort owner choice. The
specification need not therefore seek to determine the factory setting and
should not do so, because to intervene on this point could distort the
market. 

Crucially, and as a different matter, the standard should foresee that at
the install or first use of the browser the owner should be informed of the
importance of their DNT choice, told of the default setting and prompted or
allowed to change that setting.


As I read this the intent is now not in question via the spec. All that is
required is a better marketing to inform the user.


Peter
___________________________________
Peter J. Cranstone
720.663.1752


From:  Peter Cranstone <peter.cranstone@gmail.com>
Date:  Thursday, June 21, 2012 8:25 AM
To:  Kevin Kiley <kevin.kiley@3pmobile.com>, W3 Tracking
<public-tracking@w3.org>
Cc:  "wileys@yahoo-inc.com" <wileys@yahoo-inc.com>, "fielding@gbiv.com"
<fielding@gbiv.com>, "rigo@w3.org" <rigo@w3.org>
Subject:  Re: Evolving Online Privacy - Advancing User Choice

> RE:
>> > Key to that notion of expression is that it must reflect the user's choice,
>> not the choice of some vendor, institution, or network-imposed
>> > mechanism outside the user's control. The basic principle is that a
>> tracking preference expression is only transmitted when it reflects a
>> > deliberate choice by the user. In the absence of user choice, there is no
>> tracking preference expressed.
> 
> 
> AndŠ
> 
> 
> <PROPOSED CHANGE>
> Normative: "... users MAY be given a choice during installation, update or
> first startup."
> 
> Non-normative:
> There are use cases, where a choice given on first startup would be the
> preferred choice mechanism.
> For example,
> - a device can have multiple user profiles per installation;
> - in cases where browsers are not installed by the user.
> </PROPOSED CHANGE>
> 
> 
> IF you want this Š Key to that notion of expression is that it must reflect
> the user's choice, not the choice of some vendor, institution, or
> network-imposed mechanism outside the user's control. Then the normative
> change needs to be a MUST. It cannot be anything else than that otherwise
> every corporate install/mandate/3rd party plugin will fail the test.
> 
> I'm starting to sound like a broken record here, but if the ONLY thing the
> server sees is DNT:1 then you have to honor it. Here's an example of what
> needs to take place.
> 
> Client sends:               DNT:1    <- As per the spec
>  
> Server sends back    DNT-QUERY: Confirm this is your choice <- ( Or whatever )
>  
> Client sends back:    DNT:2     <- Whatever W3 decide is an ACK signal.
> 
> 
> Now for that session it is perfectly clear what the intent of the real user
> (the person sitting in front of the keyboard/monitor) was.
> 
> 
> So what's wrong with the above?
>  
> 
> 
> Peter
> ___________________________________
> Peter J. Cranstone
> 720.663.1752
> 
> 
> From:  Kevin Kiley <kevin.kiley@3pmobile.com>
> Date:  Thursday, June 21, 2012 1:56 AM
> To:  W3 Tracking <public-tracking@w3.org>
> Cc:  "wileys@yahoo-inc.com" <wileys@yahoo-inc.com>, "fielding@gbiv.com"
> <fielding@gbiv.com>, "rigo@w3.org" <rigo@w3.org>, Kevin Kiley
> <kevin.kiley@3pmobile.com>
> Subject:  Re: Evolving Online Privacy - Advancing User Choice
> Resent-From:  W3 Tracking <public-tracking@w3.org>
> Resent-Date:  Thu, 21 Jun 2012 07:57:39 +0000
> 
>> Regarding the changes made today to section 3 of the TPE...
>>  
>> Comment are inline belowŠ
>>  
>>> > ** Current Editor's Draft ( As of 06/20/12. Not yet PUBLISHED )
>>> > 
>>> > http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
>>> > 
>>> > Tracking Preference Expression (DNT)
>>> > W3C Editor's Draft 20 June 2012
>>> > 
>>> > 3. Determining User Preference
>>> > 
>>> > The goal of this protocol is to allow a user to express their personal
>>> preference regarding tracking to each server and web application
>>> > that they communicate with via HTTP, thereby allowing each service to
>>> either adjust their behavior to meet the user's expectations or
>>> > reach a separate agreement with the user to satisfy all parties.
>>> > 
>>> > Key to that notion of expression is that it must reflect the user's
>>> choice, not the choice of some vendor, institution, or network-imposed
>>> > mechanism outside the user's control. The basic principle is that a
>>> tracking preference expression is only transmitted when it reflects a
>>> > deliberate choice by the user. In the absence of user choice, there is no
>>> tracking preference expressed.
>>> > 
>>> > A user agent must offer users a minimum of two alternative choices for a
>>> "Do Not Track" preference: unset or on. A user agent may offer a
>>> > third alternative choice: off. If the user's choice is on or off, the
>>> tracking preference is enabled; otherwise, the tracking preference is not
>>> enabled.
>>> > 
>>> > A user agent must have a default tracking preference of unset (not
>>> enabled) unless a specific tracking preference is implied by the decision to
>>> > use that agent. For example, use of a general-purpose browser would not
>>> imply a tracking preference when invoked normally as "SuperFred",
>>> > but might imply a preference if invoked as "SuperDoNotTrack" or
>>> "UltraPrivacyFred".
>>  
>> Seriously? 
>>  
>> So the essence of whether a User Agent is going to be able to specify a
>> default for DNT is going to based on what the NAME of the software might be?
>>  
>> If Mozilla releases a version of Firefox named 'SuperDoNotTrackFirefox', that
>> version is allowed to have a DNT default, but 'Firefox' isn't?
>>  
>> I think this all needs to be redone so it is MUCH clearer what the real
>> criteria is for a piece of software being able to have a DNT default.
>>  
>> What you have now is about as clear as MUD.
>>  
>>> > Likewise, a user agent extension or add-on must not alter
>>> > the tracking preference unless the act of installing and enabling that
>>> extension or add-on is an explicit choice by the user for that tracking
>>> preference.
>>> > 
>>> > We do not specify how tracking preference choices are offered to the user
>>> or how the preference is enabled: each implementation is responsible for
>>> > determining the user experience by which a tracking preference is enabled.
>>> For example, a user might select a check-box in their user agent's
>>> > configuration, install an extension or add-on that is specifically
>>> designed to add a tracking preference expression, or make a choice for
>>> privacy that
>>> > then implicitly includes a tracking preference (e.g., "Privacy settings:
>>> high"). Likewise, a user might install or configure a proxy to add the
>>> expression
>>> > to their own outgoing requests.
>>> > 
>>> > Although some controlled network environments, such as public access
>>> terminals or managed corporate intranets, might impose restrictions on
>>> > the use or configuration of installed user agents, such that a user might
>>> only have access to user agents with a predetermined preference enabled,
>>> > the user is at least able to choose whether to make use of those user
>>> agents. 
>>  
>> That's a false statement. The user MIGHT not 'have that choice'.
>>  
>> The included example (yours) of ''managed corporate intranets" automatically
>> includes "places of employment".
>>  
>> The only 'choice' the user might have in that case is whether or not to work
>> there ( anymore ).
>>  
>>> > In contrast, if a user brings their own Web-enabled device to a library
>>> > or cafe with wireless Internet access, the expectation will be that their
>>> chosen user agent and personal preferences regarding Web site behavior will
>>> > not be altered by the network environment, aside from blanket limitations
>>> on what resources can or cannot be accessed through that network.
>>> > Implementations of HTTP that are not under control of the user must not
>>> express a tracking preference on their behalf.
>>  
>> This is also VERY confusing.
>>  
>> It contradicts itself even within the same paragraph and doesn't jive at all
>> with the previous paragraphs.
>>  
>> Needs CLARITY.
>>  
>> Regards
>> Kevin
>>  
>> END OF EDITOR'S DRAFT DATED 06/2012
>>  
>> The complete Section 3 from both the 'Current Editor's Draft' ( as of today )
>> and the previous ( currently published )
>> 'Working Draft' ( as of March 13 2012 ) are included below ( without comment
>> ) for reference...
>>  
>> ** Current Editor's Draft ( As of today... not yet PUBLISHED )
>>  
>> http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
>>  
>> Tracking Preference Expression (DNT)
>> W3C Editor's Draft 20 June 2012
>>  
>> 3. Determining User Preference
>>  
>> The goal of this protocol is to allow a user to express their personal
>> preference regarding tracking to each server and web application
>> that they communicate with via HTTP, thereby allowing each service to either
>> adjust their behavior to meet the user's expectations or
>> reach a separate agreement with the user to satisfy all parties.
>>  
>> Key to that notion of expression is that it must reflect the user's choice,
>> not the choice of some vendor, institution, or network-imposed
>> mechanism outside the user's control. The basic principle is that a tracking
>> preference expression is only transmitted when it reflects a
>> deliberate choice by the user. In the absence of user choice, there is no
>> tracking preference expressed.
>>  
>> A user agent must offer users a minimum of two alternative choices for a "Do
>> Not Track" preference: unset or on. A user agent may offer a
>> third alternative choice: off. If the user's choice is on or off, the
>> tracking preference is enabled; otherwise, the tracking preference is not
>> enabled.
>>  
>> A user agent must have a default tracking preference of unset (not enabled)
>> unless a specific tracking preference is implied by the decision to
>> use that agent. For example, use of a general-purpose browser would not imply
>> a tracking preference when invoked normally as "SuperFred",
>> but might imply a preference if invoked as "SuperDoNotTrack" or
>> "UltraPrivacyFred". Likewise, a user agent extension or add-on must not alter
>> the tracking preference unless the act of installing and enabling that
>> extension or add-on is an explicit choice by the user for that tracking
>> preference.
>>  
>> We do not specify how tracking preference choices are offered to the user or
>> how the preference is enabled: each implementation is responsible for
>> determining the user experience by which a tracking preference is enabled.
>> For example, a user might select a check-box in their user agent's
>> configuration, install an extension or add-on that is specifically designed
>> to add a tracking preference expression, or make a choice for privacy that
>> then implicitly includes a tracking preference (e.g., "Privacy settings:
>> high"). Likewise, a user might install or configure a proxy to add the
>> expression 
>> to their own outgoing requests.
>>  
>> Although some controlled network environments, such as public access
>> terminals or managed corporate intranets, might impose restrictions on
>> the use or configuration of installed user agents, such that a user might
>> only have access to user agents with a predetermined preference enabled,
>> the user is at least able to choose whether to make use of those user agents.
>> In contrast, if a user brings their own Web-enabled device to a library
>> or cafe with wireless Internet access, the expectation will be that their
>> chosen user agent and personal preferences regarding Web site behavior will
>> not be altered by the network environment, aside from blanket limitations on
>> what resources can or cannot be accessed through that network.
>> Implementations of HTTP that are not under control of the user must not
>> express a tracking preference on their behalf.
>>  
>>  
>> ** Previous Working Draft ( Current PUBLISHED version )...
>>  
>> http://www.w3.org/TR/2012/WD-tracking-dnt-20120313/
>>  
>> Tracking Preference Expression (DNT)
>> W3C Working Draft 13 March 2012
>>  
>> 3. Determining User Preference
>>  
>> The goal of this protocol is to allow a user to express their personal
>> preference regarding tracking to each server and web application
>> that they communicate with via HTTP, thereby allowing each service to either
>> adjust their behavior to meet the user's expectations or
>> reach a separate agreement with the user to satisfy all parties.
>>  
>> Key to that notion of expression is that it must reflect the user's
>> preference, not the preference of some institutional or network-imposed
>> mechanism outside the user's control. Although some controlled network
>> environments, such as public access terminals or managed
>> corporate intranets, might impose restrictions on the use or configuration of
>> installed user agents, such that a user might only have access
>> to user agents with a predetermined preference enabled, the user is at least
>> able to choose whether to make use of those user agents.
>> In contrast, if a user brings their own Web-enabled device to a library or
>> cafe with wireless Internet access, the expectation will be that
>> their chosen user agent and personal preferences regarding Web site behavior
>> will not be altered by the network environment, aside from
>> blanket limitations on what sites can or cannot be accessed through that
>> network.
>>  
>> The remainder of this specification defines the protocol in terms of whether
>> a tracking preference is enabled or not enabled. We do not specify
>> how that preference is enabled: each implementation is responsible for
>> determining the user experience by which this preference is enabled.
>>  
>> For example, a user might select a check-box in their user agent's
>> configuration, install a plug-in or extension that is specifically designed
>> to add a tracking preference expression, or make a choice for privacy that
>> then implicitly includes a tracking preference (e.g., "Privacy settings:
>> high"). 
>> Likewise, a user might install or configure a proxy to add the expression to
>> their own outgoing requests. For each of these cases, we say that a
>> tracking preference is enabled.
>>  
Received on Thursday, 21 June 2012 15:00:45 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:31 UTC