W3C home > Mailing lists > Public > public-tracking@w3.org > May 2012

RE: tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking Definitions and Compliance]

From: Justin Brookman <jbrookman@cdt.org>
Date: Wed, 30 May 2012 22:18:36 -0400
To: public-tracking@w3.org
Message-ID: <20120531021836.5e75c31d@mail.maclaboratory.net>
There is a significant difference between (1) a decision to set a default on a browser setting  and (2) a decision to override a browser setting that you have affirmatively stated that you will honor.  Browsers and other user agents set defaults all the time, including on privacy.  On the other hand, a third-party website's overriding a browser setting should intuitively require a higher level of user permission, and as you may recall, I seemed to have lost the fight previously to require higher-than-legally-required permission around user-granted exceptions.  I believe Shane's last word on the subject was "I'm beginning to agree with Roy that leaving this to current legal realities is probably the best route," and others seemed more adamant.  I still think there is a strong argument that the standard could require compliant third parties to obtain affirmative, express consent to ignore DNT while being silent on when DNT should be turned on, but if it's silent on what level of consent is needed for complaint entities to ignore, than a fortiori we shouldn't require extra-super-special consent to turn on DNT in the first place for the signal to be operative.

As far as the current legal realities go, if a company (let's call them PrivacySuite, Inc.) turns on DNT for all browsers along with anti-virus protection and a host of other privacy and security features upon install, you could I suppose make the legal argument that they are committing a deceptive business practice by failing to clearly and conspicuously disclose they're turning on DNT, or you could try to make a tortious interference with business relationship claims.  I think it would be tough legal argument to make --- far tougher than an argument that a company was committing a deceptive practice by averring permission to track in a privacy policy despite the DNT signal they claim to be honoring.  But that aligns with my argument that setting defaults and getting permission to ignore browser settings are very different situations.

I also have a practical question about what the value of requiring a specific user interaction before DNT is turned on would actually accomplish.  If PrivacySuite turned on DNT in all browsers . . . would a website at the other end of a web request who received the DNT signal be able to tell how the DNT setting was set?  PrivacySuite is under no pressure, I presume, to implement or pay attention to this standard, or assert compliance.  Certainly, the 4Chan prankster who creates the "Click here if you like blue" malware program that benevolently (to his mind) turns on DNT will not care.  So whether or not UI is "in scope" for this group, I worry that the standard won't bind the entities you're worried about, and the only solution might be existing law.  The PrivacySuites of the world today can delete cookies and LSOs or try to obscure the user agent against fingerprinting; I have not heard the argument that tracking companies can attempt to circumvent these measures because they are not sure that PrivacySuite's customers have affirmatively opted in to every feature.
  _____  

From: Shane Wiley [mailto:wileys@yahoo-inc.com]
To: Justin Brookman [mailto:justin@cdt.org], public-tracking@w3.org [mailto:public-tracking@w3.org]
Sent: Wed, 30 May 2012 18:22:10 -0400
Subject: RE: tracking-ISSUE-150: DNT conflicts from multiple user agents   [Tracking Definitions and Compliance]




Justin,

 

If companies are expected to achieve “informed and explicit” consent to turn off DNT, then it is only fair that User Agents also achieve “informed and explicit” consent to turn on DNT.  Do you disagree?

 

- Shane

 



From: Justin Brookman [mailto:justin@cdt.org] 
Sent: Wednesday, May 30, 2012 3:17 PM
To: public-tracking@w3.org
Subject: Re: tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking Definitions and Compliance]

 

What problem?  You honor the header by doing what the spec says.  There is no need for you to try to discern user intent, and indeed, no way for you to do so.  Ad networks cannot be and are not expected to be responsible for every UI or every possible bit of misinformation someone saw in a comment thread on Reddit to get them to turn on DNT in the first place.

Today, if someone sets their browser to block third-party cookies, you don't try to circumvent that on the theory that someone maybe didn't understand what cookies did in the first place.  Nor do we dictate to the user agents how and when to surface and describe those capabilities.

If there are conflicting headers, that's a different issue, and Ian and Jonathan are putting together draft text on that issue.



Justin Brookman

Director, Consumer Privacy

Center for Democracy & Technology

1634 I Street NW, Suite 1100

Washington, DC 20006

tel 202.407.8812

fax 202.637.0969

justin@cdt.org

http://www.cdt.org

@CenDemTech

@JustinBrookman


On 5/30/2012 3:34 PM, Chris Mejia wrote: 



I believe new Issue-150 is closely related to open Issue-143. If the user's intent in turning on/off DNT is not clear (especially in cases where the user doesn't even know they are specifically sending a DNT:1 header), there is no way for publishers to understand how to accurately "honor" any consumer's DNT header flag— it's a fundamental flaw with this scope of this proceeding.  I laid out the concern in some detail in my previous email to the group ("In Support of Issue-143"); so I'll just give the brief version here: if publishers do not understand the context of the user's DNT expression (was the user properly informed about what setting does/means, before it was set) how are publishers to determine what the user actually intended, or if they user is even aware that a DNT flag is being sent?  If any question/statement in any UI can lead to the sending of DNT:1 or DNT:0, where is the integrity of the system/solution?  


 


To give just one example (there are many) of how a DNT mechanism that lacks a uniform informed consent requirement might be abused, consider the theoretical yet plausible scenario where an email is sent to (millions of) users informing the users that they should "click here to prevent evil doers from knowing who you are" or even worse, "click here if you think blue is a pretty color" (replace with a variety of malware tactics), the user's click leading to a programatic setting of DNT, without the user's informed consent under uniform compliance rules.  When that happens (some zealot decides to abuse the system), I'm sure we'll eventually learn about it, after some amount of damage being done. 


 


When it becomes known that users were deceived into sending a DNT expression (no uniform informed consent), here's what the end-game of publishers might be:  without a way of discerning how DNT was set (which program; who owns the program; being able to inspect the program), and under which auspices it was set (what did the user agree to when they clicked?), when learning of a set of users who were deceived into setting DNT, publishers may be forced to consider if they should honor any DNT header requests at all, in an effort to protect the web experience of all users.  Under this scenario, publishers may be compelled to issue public statements outlining the fatal flaws of this W3C DNT mechanism, citing the specific abuses, and walking away from compliance on the grounds that being "compliant" with such a system would be harmful to the majority of its users.


 


Is that really the result that this working group is looking for?  If not, I strongly suggest that we all get on board with defining a system where the actual intent of the user is absolutely clear— the only way I can think to accomplish this is to require compliance with a uniform requirement to properly educate/inform the user about their choice, at the point user choice is made.  Of course I'm open to hearing other suggestions for solving this problem, but I feel that "it's out of scope/Charter for this project" is not an acceptable solution— that answer does not solve the problem described here and in open Issue-143.  Please, let's solve the actual problem.


 


Chris Mejia, IAB/DAA


 


 


On 5/30/12 1:35 PM, "Tracking Protection Working Group Issue Tracker" <sysbot+tracker@w3.org> wrote:


 


tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking Definitions and Compliance]


 


http://www.w3.org/2011/tracking-protection/track/issues/150


 


Raised by: Aleecia McDonald


On product: Tracking Definitions and Compliance


 


Due to multiple addons that support Do Not Track, there could be conflicts. For example, a user could turn off DNT (not unset, actually off, sending DNT:0) in Firefox, yet install Abine's "Do Not Track Plus" addon (which sends DNT:1). More fun, users could have three different addons, each with a different value. Do we have either best practices or requirements for user agents here?


 


Created from original issue-148, with actions taken by ifette and jmayer to write proposals.


 


 


 


   
Received on Thursday, 31 May 2012 02:19:11 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:28 UTC