W3C home > Mailing lists > Public > public-tracking@w3.org > October 2012

Re: ISSUE-45 ACTION-246 Clarified proposal on compliance statements

From: Ed Felten <ed@felten.com>
Date: Tue, 9 Oct 2012 17:19:13 +0200
Message-ID: <CANZBoGi6L4uq0orRjOHe2LArYNxzoG-eY=h9tUme8Q9w_-2PGg@mail.gmail.com>
To: David Wainberg <david@networkadvertising.org>
Cc: "public-tracking@w3.org" <public-tracking@w3.org>
On Tue, Oct 9, 2012 at 4:25 PM, David Wainberg <david@networkadvertising.org
> wrote:

>  Hi Ed,
>
> Thanks for the questions.
>
> On 10/9/12 10:01 AM, Ed Felten wrote:
>
>
>  First, why include only one compliance token?   If there are multiple
> compliance regimes, a company might be following any subset of them.   Why
> not allow a server to provide multiple compliance tokens?
>
>  I suppose it could be allowed, though I'm not sure of the utility. Is
> there a use case you had in mind?
>
>  A company that collected only minimal information would presumably be in
compliance with all, or almost all, of the compliance regimes in existence.
 If I were that company, I wouldn't want to miss out on the benefits of
claiming any compliance regime that a particular user or browser might be
looking for.

In general, there would a number of regimes, and a server might be in
compliance with various subsets of them.  Again, servers won't want to miss
out on the benefits of claiming any compliance regime that a particular
user or browser might be looking for.

>  Second, do you envision some body that decides which compliance tokens
> are valid?   If so, who might that be?   If not, how do you prevent people
> from making up their own new compliance tokens?
>
> I would expect it to be unusual to do this, and it might be a
> self-correcting problem in the small number of cases. Given that the tokens
> companies use will be transparent, advocates and regulators will be able to
> investigate non-standard tokens. A non-standard token will be a red flag
> that says, "hey, we're doing something unusual."
>
> If there is no body or procedure deciding which tokens are allowed, then
there cannot be "non-standard" tokens.  There can only be unusual tokens.
 I still don't see what would stop a company, or small group of companies,
from just creating their own compliance rules and sending the resulting
token.  Either there is somebody or something deciding which tokens are
valid; or all tokens are valid.

> On Tue, Oct 9, 2012 at 3:22 PM, David Wainberg <
> david@networkadvertising.org> wrote:
>
>>  ACTION-246 (http://www.w3.org/2011/tracking-protection/track/actions/246),
>> which relates to ISSUE-45 (
>> http://www.w3.org/2011/tracking-protection/track/issues/45).
>>
>> Hello all,
>>
>> This is a clarification of my previous proposal (
>> http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0012.html).
>> I'm launching it on a fresh thread, because the previous one got a bit wild
>> and off-topic.
>>
>> Recall that this arose out of the problem of how or where parties may or
>> must make statements regarding their DNT compliance. One proposal, which
>> many of us strongly objected to, was to make provision of the tracking
>> status resource in and of itself an assertion of compliance with the DNT
>> spec. That proposal was a replacement for an initial proposal to require a
>> public statement of compliance, but without specifying where or how that
>> statement must be made.
>>
>> The problems with these proposals are that the one is overly strict, does
>> not provide any flexibility, and sets up a legal landmine that companies
>> will avoid by not providing the WKL, and the other is too loose; it allows
>> for potentially unlimited variation in how companies honor DNT and where
>> and how they make their commitments to do so.
>>
>> This proposal solves these problems by requiring a statement in the
>> status resource regarding compliance with *one of a limited set of DNT
>> variations*. Although I understand the desire for and attractiveness of
>> a single universal specification for DNT compliance, the reality is that we
>> will have to accommodate some variation based on, e.g., business model,
>> geography, etc. Examples of this problem arose during the Amsterdam
>> meeting. If we want to ensure wide adoption and enforceability of DNT, this
>> is the way to do it.
>>
>> The proposal is the following:
>>
>> Add a required "compliance" field to the tracking status resource in the
>> TPE, where the value indicates the compliance regime under which the server
>> is honoring the DNT signal. In 5.5.3 of the TPE:
>>
>> *    A status-object MUST have a member named **compliance** that
>> contains a single compliance mode token**.*
>>
>> From here, I look to the group for discussion regarding how and where to
>> define compliance mode tokens. My initial version of this proposal
>> suggested looking to IANA to manage a limited set of tokens to prevent
>> collisions. I think there was some misunderstanding and concern about how
>> this would work. No -- companies should not just create their own arbitrary
>> values. My view is that each token must have a well-defined and
>> widely-accepted meaning. How's this:
>>
>>     *Compliance mode tokens **must be associated with a legislative or
>> regulatory regime in a relevant jurisdiction, or with a relevant and
>> established self-regulatory regime.*
>>
>> I'm open to other ideas for this.
>>
>> Cheers,
>>
>> David
>>
>>
>
>
Received on Tuesday, 9 October 2012 15:19:59 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:36 UTC