Re: ACTION-212: Draft text on how user agents must obtain consent to turn on a DNT signal

“The User Agent MUST make available explanatory text to provide more 
detailed information about DNT functionality within easy and direct 
access for the particular environment prior to DNT being enabled.”

Ah, thanks for the update.

Justin Brookman
Director, Consumer Privacy
Center for Democracy & Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
tel 202.407.8812
fax 202.637.0969
justin@cdt.org
http://www.cdt.org
@CenDemTech
@JustinBrookman

On 11/14/2012 12:23 PM, Shane Wiley wrote:
>
> Justin,
>
>
> The updated text submitted 2 weeks ago removed the “link” reference 
> and instead speaks to “informing users” more broadly prior to the 
> activation of DNT (DNT:1).
>
> - Shane
>
> *From:* Justin Brookman [mailto:justin@cdt.org]
> *Sent:* Wednesday, November 14, 2012 9:20 AM
> *To:* public-tracking@w3.org Group WG
> *Subject:* Re: ACTION-212: Draft text on how user agents must obtain 
> consent to turn on a DNT signal
>
> Obviously, a browser cannot misrepresent what the setting does.  If I 
> order the Thundercats shirt from Etsy and get a Jem and the Holograms 
> tank top instead, I have a right to be upset.  I also have a fairly 
> bulletproof argument that Etsy deceived me and must give me my money 
> back.  If a browser turns on DNT upon the prompt, "click here to make 
> all your privacy problems go away," they will be under significant 
> pressure to change this language. Isn't this what happened with 
> browsers' private browsing mode?  People complained quite loudly that 
> the setting overpromised, and the browsers responded by including 
> detailed disclosures about what the setting does and doesn't do.
>
> Shane's proposed language already requires a link to disclosure about 
> what DNT does; again, this itself seems fairly prescriptive and I'm 
> not aware of any other privacy setting where detailed explanatory 
> information is required by a technical standard.  But I can live with 
> it.  I would have thought that the browsers would not want to be told 
> precisely how to present information to their users about Do Not Track 
> (or any other feature), but if you're fine providing a link to NAI's 
> arguments against DNT when DNT is turned on, and a link to Jeff 
> Chester's arguments against tracking whenever a site requests a DNT 
> exception, perhaps my concern is miscalibrated :)
>
> I know that's not what you're looking for, but what is the 
> alternative?  I could easily nitpick the language that Chrome provides 
> to users when they turn on DNT --- is the answer a W3C-mandated user 
> interface or specific list of data points to message to the user?
>
> Justin Brookman
> Director, Consumer Privacy
> Center for Democracy & Technology
> 1634 I Street NW, Suite 1100
> Washington, DC 20006
> tel 202.407.8812
> fax 202.637.0969
> justin@cdt.org
> http://www.cdt.org
> @CenDemTech
> @JustinBrookman
>
> On 11/13/2012 11:23 PM, Ian Fette (イアンフェッティ) wrote:
>
>     I have to say that this has been one of my favorite emails this
>     week w.r.t. the Thundercats t-shirt. That said, being serious for
>     a moment, I think part of it is that we still haven't settled on
>     what the thing should be called. It's currently DNT but I believe
>     we agreed that it was a placeholder and would re-visit the name
>     once we had figured out what we managed to actually build.
>
>     Saying "Click here to turn on Do Not Track" is a lot like saying
>     "Click here to get a free pony and see puppies." It sounds great
>     and I can't imagine why any user wouldn't say "yes" given the
>     text. The problem is that the user isn't really getting ponies,
>     puppies, or a world in which their web browsing behaviour is
>     magically kept private by re-inventing the way the Internet works.
>     Even if we applied DNT to all first parties as well, there are still
>     exceptions such as security, financial reporting, etc. that will
>     result in their browsing history being kept by third parties,
>     which is probably not what I would expect if you told me that I
>     was "not being tracked."
>
>     I don't think it's unreasonable to ask that if websites are being
>     told "the user has a preference for X" that we at least do
>     some diligence to explore ways to make sure that what the sites
>     are being told is the user's preference actually matches a
>     decision the user would make. Asking the user "Do you want a pony"
>     and then telling the website "The user wants you to mail them a
>     Thundercats t-shirt" makes about as much sense as asking a user
>     "Do you want to send a Do-Not-Track header to websites you visit"
>     and expecting websites to believe the user made any sort of
>     informed decision about the issues touched on in the spec.
>
>     My $0.024
>
>     On Tue, Nov 13, 2012 at 2:34 PM, Justin Brookman <justin@cdt.org> wrote:
>
>     The working group has been using the term explicit and informed
>     consent
>     <http://www.w3.org/2011/tracking-protection/track/issues/143> to
>     ensure that a user understands that they are performing a certain
>     action (e.g., turning on DNT, or granting an exception to DNT),
>     not to mandate a description of all the potential consequences of
>     this action.  If I give my explicit and informed consent to Etsy
>     to spend $500 on a one-of-a-kind Thundercats t-shirt, that should
>     not require that Etsy provide me with information about the need
>     to save for retirement or the fact that a Thundercats t-shirt may
>     decrease my odds of attracting a suitable mate.
>
>     Would you support a parallel requirement that any request for a
>     user-granted exception be accompanied by a link to a list of the
>     parade of horribles that privacy advocates could generate about
>     why they are concerned about third-party data collection? 
>     Remember, the group previously agreed that we are going to be
>     equally prescriptive when it comes to specifying how "explicit and
>     informed" consent must be for both turning on DNT and granting
>     exceptions to the signal.  That agreement was designed in part as
>     a buffering mechanism against these sorts of impractical and heavy
>     handed requirements.
>
>
>
>     Justin Brookman
>     Director, Consumer Privacy
>     Center for Democracy & Technology
>     1634 I Street NW, Suite 1100
>     Washington, DC 20006
>     tel 202.407.8812
>     fax 202.637.0969
>     justin@cdt.org
>     http://www.cdt.org
>     @CenDemTech
>     @JustinBrookman
>
>     On 11/13/2012 4:46 PM, David Wainberg wrote:
>
>         Hi Justin,
>
>         On 11/13/12 2:06 PM, Justin Brookman wrote:
>
>         but requiring disclosure about an unproven parade of horribles
>         in advance is not something that a technical standards setting
>         body should be contemplating.
>
>         I believe we've already agreed that the DNT signal should
>         reflect the user's explicit and informed consent. Doesn't the
>         informed piece of that equation require explanation of the
>         effects of DNT? But I can see that if you do not believe that
>         provisions in this spec will have negative effects for the
>         internet and internet users, then you wouldn't see the need
>         for informing users of such negative effects. So, what do we
>         need to do to convince you? Once we're on common ground about
>         that, then maybe we can have a more productive conversation
>         about how best to inform users.
>
>         -David
>

Received on Wednesday, 14 November 2012 17:31:31 UTC