Re: tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking Definitions and Compliance]

From: イアンフェッティ <ifette@google.com>
Date: Thu, 31 May 2012 16:48:00 -0700
Message-ID: <CAF4kx8fu0n4GudNjpA_X4RmCFCc50ZuAEbo_zRPZ07QgMWTSBw@mail.gmail.com>
To: Manu Mukerji <manu16m@gmail.com>
Cc: "public-tracking@w3.org Group WG" <public-tracking@w3.org>, Lauren Gelman <gelman@blurryedge.com>, Heather West <heatherwest@google.com>, Justin Brookman <justin@cdt.org>, Shane Wiley <wileys@yahoo-inc.com>, "Aleecia M. McDonald" <aleecia@aleecia.com>
It would make life easier but is technically impossible :-) (at least, not
for http. For https it depends on how aggressive software like avg wants to
be. At the end of the day, many of these software programs like avg install
as administrator and run with higher privileges than chrome.)

On May 31, 2012 6:07 PM, "Manu Mukerji" <manu16m@gmail.com> wrote:

> Wouldn't it make life easier to ask the browsers not to expose the ability
> to control the DNT setting from outside the browser.
>
> -Manu
>
> On Thu, May 31, 2012 at 3:59 PM, Heather West <heatherwest@google.com> wrote:
>
>> I think that these developments - and the resulting surprise from many -
>> make it pretty clear that we should take some time and outline what we
>> expect of user agents. I definitely think we should add a section for that.
>>
>>
>> On Thu, May 31, 2012 at 6:31 PM, Aleecia M. McDonald <aleecia@aleecia.com> wrote:
>>
>>> Some very quick points:
>>>
>>> - Until we have a published recommendation, there is nothing to comply
>>> with.
>>> - I see this as a reason to push for a recommendation sooner rather than
>>> later: this is the sort of thing that happens in the days before a
>>> recommendation, with companies interpreting and implementing as they like
>>> on all sides.
>>>
>>> I've had calmer days, how about all of you?
>>>
>>> On the call yesterday I suggested we add a new section on what user
>>> agents either must or should do to be in compliance with the spec. As
>>> written, there are currently no requirements on browsers. This seems like
>>> an area for further discussion. If a user agent claims to be compliant and
>>> is not, they have the FTC to answer to in the US. If a user agent is not
>>> compliant, they have press questions to answer. This is what I had in mind
>>> when we started the conversation yesterday.
>>>
>>> Of note: I did not know about MSFT's upcoming announcement prior to the
>>> call yesterday.
>>>
>>> Aleecia
>>>
>>> On May 31, 2012, at 2:25 PM, Shane Wiley wrote:
>>>
>>> This is an invalid use case as the draft compliance document already
>>> states a user must actively turn on DNT and this cannot be turned on by
>>> default.  IE10 is already out of DNT compliance.
>>>
>>> - Shane
>>>
>>> *From:* Lauren Gelman [mailto:gelman@blurryedge.com]
>>> *Sent:* Thursday, May 31, 2012 2:21 PM
>>> *To:* ifette@google.com
>>> *Cc:* Shane Wiley; Justin Brookman; public-tracking@w3.org
>>> *Subject:* Re: tracking-ISSUE-150: DNT conflicts from multiple user
>>> agents [Tracking Definitions and Compliance]
>>>
>>> I just saw this, so in fairness I am revisiting Shane's question:
>>>
>>> http://www.microsoft.com/en-us/news/Press/2012/May12/05-31Windows8RPPR.aspx
>>>
>>> If a browser ships DNT:0 by default and a user turns it to DNT:1, then
>>> "informed, explicit" consent is needed for a publisher to cookie the user.
>>>
>>> If a browser ships DNT:1 by default, and a user turns it to DNT:0 then
>>> "informed, explicit" consent would be needed for a publisher to not collect
>>> cookies from the user.
>>>
>>> So it still seems to be a matter of requiring heightened awareness based
>>> on a PROCESS-- when someone who has changed their default setting is asked
>>> to override that default and not SUBSTANCE-- whether the change is turning
>>> on or off DNT.
>>>
>>> Lauren Gelman
>>> BlurryEdge Strategies
>>> 415-627-8512
>>>
>>> On May 30, 2012, at 9:31 PM, Ian Fette (イアンフェッティ) wrote:
>>>
>>> It's also to note that over time, things have tended to shift, e.g. some
>>> browsers are now blocking third party cookies by default...
>>>
>>> On Wed, May 30, 2012 at 4:44 PM, Lauren Gelman <gelman@blurryedge.com>
>>> wrote:
>>>
>>> Of course-- but realistically, majority default DNT is not the world
>>> this standard will exist in.  DNT is going to be a 10% solution.
>>>
>>> Frankly, having done privacy for almost 20 years, the idea that millions
>>> of users are going to turn on any privacy setting such that they
>>> unknowingly stop sharing their data in a way that actually has any impact
>>> on any business's bottom line is unrealistic at best.  (Can anyone point to
>>> any internet business, ever, where this has happened??) I've heard of spam,
>>> spyware, phishing, spear phishing, etc.  I've never heard of a massive
>>> pro-privacy viral campaign that worked.   There's lots of $ behind
>>> companies trying to get users to turn off DNT and no $ to try to get them
>>> to turn it on, so I think this is really orthogonal to what this group is
>>> working on.
>>>
>>> Lauren Gelman
>>> BlurryEdge Strategies
>>> 415-627-8512
>>>
>>> On May 30, 2012, at 4:05 PM, Ian Fette (イアンフェッティ) wrote:
>>>
>>> I think the desire though is that DNT is a representation of a user's
>>> explicit preference. If a browser set it by default, for instance, would a
>>> site be obligated to respect it?
>>>
>>> -Ian
>>>
>>> On Wed, May 30, 2012 at 3:33 PM, Lauren Gelman <gelman@blurryedge.com>
>>> wrote:
>>>
>>> I don't see the parity here. One is a user's affirmative action being
>>> overruled by another entity.  The other is the user opting to change a
>>> default setting.
>>>
>>> Lauren Gelman
>>> BlurryEdge Strategies
>>> 415-627-8512
>>>
>>> On May 30, 2012, at 3:22 PM, Shane Wiley wrote:
>>>
>>> Justin,
>>>
>>> If companies are expected to achieve “informed and explicit” consent to
>>> turn off DNT, then it is only fair that User Agents also achieve “informed
>>> and explicit” consent to turn on DNT.  Do you disagree?
>>>
>>> - Shane
>>>
>>> *From:* Justin Brookman [mailto:justin@cdt.org]
>>> *Sent:* Wednesday, May 30, 2012 3:17 PM
>>> *To:* public-tracking@w3.org
>>> *Subject:* Re: tracking-ISSUE-150: DNT conflicts from multiple user
>>> agents [Tracking Definitions and Compliance]
>>>
>>> What problem?  You honor the header by doing what the spec says.  There
>>> is no need for you to try to discern user intent, and indeed, no way for
>>> you to do so.  Ad networks cannot be and are not expected to be responsible
>>> for every UI or every possible bit of misinformation someone saw in a
>>> comment thread on Reddit to get them to turn on DNT in the first place.
>>>
>>> Today, if someone sets their browser to block third-party cookies, you
>>> don't try to circumvent that on the theory that someone maybe didn't
>>> understand what cookies did in the first place.  Nor do we dictate to the
>>> user agents how and when to surface and describe those capabilities.
>>>
>>> If there are conflicting headers, that's a different issue, and Ian and
>>> Jonathan are putting together draft text on that issue.
>>>
>>> Justin Brookman
>>> Director, Consumer Privacy
>>> Center for Democracy & Technology
>>> 1634 I Street NW, Suite 1100
>>> Washington, DC 20006
>>> tel 202.407.8812
>>> fax 202.637.0969
>>> justin@cdt.org
>>> http://www.cdt.org
>>> @CenDemTech
>>> @JustinBrookman
>>>
>>> On 5/30/2012 3:34 PM, Chris Mejia wrote:
>>>
>>> I believe new Issue-150 is closely related to open Issue-143. If the
>>> user's intent in turning on/off DNT is not clear (especially in cases where
>>> the user doesn't even know they are specifically sending a DNT:1 header),
>>> there is no way for publishers to understand how to accurately "honor" any
>>> consumer's DNT header flag— *it's a fundamental flaw with this scope of
>>> this proceeding*.  I laid out the concern in some detail in my previous
>>> email to the group ("In Support of Issue-143"); so I'll just give the brief
>>> version here: if publishers do not understand the context of the user's DNT
>>> expression (was the user properly informed about what setting does/means,
>>> before it was set) how are publishers to determine what the user actually
>>> intended, or if the user is even aware that a DNT flag is being sent?  If
>>> any question/statement in any UI can lead to the sending of DNT:1 or DNT:0,
>>> where is the integrity of the system/solution?
>>>
>>> To give just one example (there are many) of how a DNT mechanism that
>>> lacks a uniform informed consent requirement might be abused, consider the
>>> theoretical yet plausible scenario where an email is sent to (millions of)
>>> users informing the users that they should "*click here to prevent evil
>>> doers from knowing who you are*" or even worse, "*click here if you
>>> think blue is a pretty color*" (replace with a variety of malware
>>> tactics), the user's click leading to a programmatic setting of DNT, without
>>> the user's informed consent under uniform compliance rules.  When that
>>> happens (some zealot decides to abuse the system), I'm sure we'll
>>> eventually learn about it, after some amount of damage being done.
>>>
>>> *When it becomes known that users were deceived into sending a DNT
>>> expression (no uniform informed consent), here's what the end-game of
>>> publishers might be:* without a way of discerning how DNT was set
>>> (which program; who owns the program; being able to inspect the program),
>>> and under which auspices it was set (what did the user agree to when they
>>> clicked?), when learning of a set of users who were deceived into setting
>>> DNT, publishers may be forced to consider if they should honor any DNT
>>> header requests at all, in an effort to protect the web experience of all
>>> users.  Under this scenario, publishers may be compelled to issue public
>>> statements outlining the fatal flaws of this W3C DNT mechanism, citing the
>>> specific abuses, and walking away from compliance on the grounds that being
>>> "compliant" with such a system would be harmful to the majority of its
>>> users.
>>>
>>> Is that really the result that this working group is looking for?  If
>>> not, I strongly suggest that we all get on board with defining a system
>>> where the actual intent of the user is absolutely clear— the only way I can
>>> think to accomplish this is to require compliance with a uniform
>>> requirement to properly educate/inform the user about their choice, at the
>>> point user choice is made.  Of course I'm open to hearing other suggestions
>>> for solving this problem, but I feel that "*it's out of scope/Charter
>>> for this project*" is not an acceptable solution— that answer does not
>>> solve the problem described here and in open Issue-143.  Please, let's
>>> solve the actual problem.
>>>
>>> Chris Mejia, IAB/DAA
>>>
>>> On 5/30/12 1:35 PM, "Tracking Protection Working Group Issue Tracker" <
>>> sysbot+tracker@w3.org> wrote:
>>>
>>> tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking
>>> Definitions and Compliance]
>>>
>>> http://www.w3.org/2011/tracking-protection/track/issues/150
>>>
>>> Raised by: Aleecia McDonald
>>> On product: Tracking Definitions and Compliance
>>>
>>> Due to multiple addons that support Do Not Track, there could be
>>> conflicts. For example, a user could turn off DNT (not unset, actually off,
>>> sending DNT:0) in Firefox, yet install Abine's "Do Not Track Plus" addon
>>> (which sends DNT:1). More fun, users could have three different addons,
>>> each with a different value. Do we have either best practices or
>>> requirements for user agents here?
>>>
>>> Created from original issue-148, with actions taken by ifette and jmayer
>>> to write proposals.
>>>
>>>
>>>
>>
>>
>> --
>>
>> Heather West | Google Policy | heatherwest@google.com | 202-643-6381
>>
>
>
Received on Thursday, 31 May 2012 23:48:30 UTC