W3C home > Mailing lists > Public > public-tracking@w3.org > October 2012

Re: Proposal: all exemptions to be opt-out, and identity to be declared.

From: Nicholas Doty <npdoty@w3.org>
Date: Tue, 2 Oct 2012 13:46:24 +0200
Cc: Mike O'Neill <michael.oneill@baycloud.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-Id: <E7DF5FEB-2B6D-4455-96C4-C51782FD8240@w3.org>
To: Fred Andrews <fredandw@live.com>
Hi Fred and Mike,

It sounds like you're exploring the concept here of additional UA cookie management tools -- identifiers that are managed (or even generated) on the user agent and can then be controlled by users, per origin or however the user might prefer. That might be analogous, for example, to iOS new identifiers for advertising that can be controlled on the device. However, I think such tools may fall outside the scope of the TPWG charter; and in some cases, UA tools don't need standardization at all. You might also follow the ongoing discussions of identity management (for example, on the public-identity mailing list).

The idea of user-agent-managed profiles also sounds promising. I believe there have been some research projects along these lines, you might be interested in AdNostic or RePriv, for example. This also seems like an area that we wouldn't need to standardize within this group -- users who opt out of tracking (and thus forms of behavioral targeting) might be incentivized to use such tools, but I'm not sure a Web-wide standard is necessary, or within the scope of the Tracking Protection Working Group. (I would be interested in continuing these conversations within the Privacy Interest Group, however, where we have a little more latitude.) I believe there are already standards for communicating language preference in HTTP requests, one could imagine that extended to country of origin if it proved useful.

I also understand a suggestion to extend either the request header or response to qualify permitted uses. The current text does provide a tracking status qualifier value for servers to optionally respond indicating which permitted uses are claimed. You might consider writing up a proposal (Mike, as a formal participant, would have the IPR concerns squared away already) on extending such options to the UA. On the other hand, part of the motivation behind development of a Do Not Track option is to provide a simple, common and meaningful choice: I would suggest that we should maintain the simple end-user choice.

Also, to be clear, the current spec has a JavaScript API for potentially interactive user-granted exception handling; the DNT header (and any extensions that might be added to it) should function the same for users with JavaScript disabled.

Hope this helps,
Nick

On Sep 30, 2012, at 4:47 PM, Fred Andrews <fredandw@live.com> wrote:

> 
> Some online industries want to identify users for profiling, targeting ads, etc.  They can currently do so using the IP address, by covertly reading UA state, and by noting their online activity.  Giving them a defined ID to use instead at least gives the user the option of changing their ID to prevent tracking.  The UA is in control and can issue a separate ID for different origins.   DNT style flags could still be used to opt-out of particular uses of the ID and a returned header could confirm acceptance.
> 
> A JS API would probably not be acceptable because the solution would need to work with JS disabled.
> 
> cheers
> Fred
> 
> From: michael.oneill@baycloud.com
> To: fredandw@live.com; public-tracking@w3.org
> Date: Sun, 30 Sep 2012 13:05:35 +0100
> Subject: RE: Proposal: all exemptions to be opt-out, and identity to be declared.
> 
> Fred,
>  
> I like this one. The existing TPC is getting weighed down by endless qualifications to the point of being incomprehensible to anyone outside the group. The whole point of DNT is to put the decision (to allow themselves to be tracked) into the hands of users and this simple idea  does that.
>  
> The user supplied UID could be embellished a bit. It has the problem that clear ID on every request would be visible to anyone and would make UA fingerprinting a doddle, and also spoil the idea of a contract between the tracked and the tracker.
>  
> How about the UID (once enabled by the user) is generated as new on every request but is based on a concatenation of the user id with a continuously changing random value and encrypted using a key. The key could then be exchanged between the UA and a website using a JS API (gated by a UI). Then only the website given the key could track that user, and the user has absolute control over the process.
>  
> Mike
>  
>  
> From: Fred Andrews [mailto:fredandw@live.com] 
> Sent: 30 September 2012 00:41
> To: public-tracking@w3.org
> Subject: Proposal: all exemptions to be opt-out, and identity to be declared.
>  
> Many in the advertising industry have been pointing out a need to collect some identifiable information to meet reporting requirements.  For example, a need to be able to record the country that an ad is delivered to.   Such collection conflicts with the charter of this group.   I propose that this matter be resolved by adding a UA identifier to the DNT header or to a complementary header, and to include the declared country of the user in the header.   Advertisers would be permitted to both use this identifier to track users and target ads and to use it for reporting purposes.  Users that do not want to be tracked may change the identifier as they deem necessary.  Since it is under user control, advertisers would presumable not be held responsible in contracts for differences between the users declared country and their actual country and advertiser would have a record for proof.
> 
> Many in the advertising industry have expressed a need for exemptions to 'Do Not Track'.  Any exemption without user choice conflicts with the charter of this group.  I propose to resolve this matter by requiring that all exemptions be assigned a UA header flag and that websites only be permitted the exemption when allowed by an explicit flag.  Local laws and law enforcement needs override the DNT code of conduct anyway so there is no need to include this in the document.  The exemptions would include first party use, make a distinction between first party use before a user has explicitly identified themselves and after, and include the use of UA fingerprinting, etc.   The server would be required to return the flags it is complying with as confirmation, and if DNT were deemed as negotiable then the server would return the flags it is prepared to comply with.
> 
> Some users have expressed a desire to be tracked and profiled and to have targeted ads delivered to them.  With this proposal they can choose a unique identifier for themselves which they can share among their user agents, and can declare their country so that they get appropriate ads even when connecting via a tunnel or ipv6.  Further they can enable all uses of their information.
> 
> Some users have expressed a desire not to be tracked at all.  This proposal allows them to opt-out of being fingerprinted and to ensure that all servers they connect to agree not track them for any purpose at to change their identity as they deem necessary.  I would imagine that users would at least agree to tracking after they have explicitly identified themselves to a website, by signing in, but a UA may wish to negotiate even this to make sure the user has really explicitly consented.
> 
> I believe this proposal meets the charter of this group far better that the current proposals and call on the current proposals to be rewritten and renegotiated along these lines.
> 
> cheers
> Fred
> 
Received on Tuesday, 2 October 2012 11:47:37 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:35 UTC