
Re: Intermediaries interfering with DNT decision making

From: Grimmelmann, James <James.Grimmelmann@nyls.edu>
Date: Wed, 12 Sep 2012 19:35:13 +0000
To: "Roy T. Fielding" <fielding@gbiv.com>
CC: "Grimmelmann, James" <James.Grimmelmann@nyls.edu>, "public-tracking@w3.org protection wg" <public-tracking@w3.org>
Message-ID: <2B28E2D5-1790-4090-9CA2-A196F1C45DA7@nyls.edu>

I agree with more of this than I disagree with.  But the points of disagreement are significant:

On Sep 12, 2012, at 2:56 PM, Roy T. Fielding <fielding@gbiv.com> wrote:

> On Sep 12, 2012, at 7:47 AM, Grimmelmann, James wrote:
>> The text is ambiguous because the decision is ambiguous.  There never was consensus on whether this UI is permissible, only consensus on an ambiguous text that resolved simpler cases, but not this one.
> 
> Our charter forbids us from specifying UI requirements.  That does not
> mean any of the following excerpts are ambiguous:

The specification is trying to satisfy three properties:
(1) To require that DNT be set only when it reflects a "deliberate choice"
(2) Not to specify UI
(3) To be unambiguous

It can satisfy any two of the three, but not all three at once.  Whether the user has made a "deliberate choice" is fact-specific; it depends on the details of what information the user is given knows and the actions the user takes, both of which are UI factors.  Either the standard can specify those factors up front, violating (2), or it can leave them up to later interpretation, violating (3), or it can give up on deliberate choice, violating (1).

> MSIE is a general purpose browser installed by default and required
> for Windows update -- no choice is made by the user, let alone a
> choice for higher privacy.
> 
> The express settings are not a choice for privacy, as is clear from
> the other defaults under express settings.

The fact that the other defaults include non-privacy-related settings does not make it not ALSO a choice for privacy.  Take UltraPrivacyFred: the choice to launch that browser is a choice for "Privacy" and a choice for the other features of "Fred."  If IE 10 is noncompliant, it is for a reason that involves something more than just that other settings are part of the choice as well.  Perhaps it's based on an all-things-considered overall assessment of the dialog box -- but that's exactly what I mean when I say that the language is ambiguous.  Someone else could look at the choices and conclude that "Express" is a choice for privacy.

> If the user clicks through without reading the text in either express
> or custom settings, the configuration is set "on" and results in sending
> DNT:1.  In other words, the user has not made a deliberate choice and
> the UA is violating two MUST requirements of the specification, in
> addition to the recorded consensus on ISSUE-4 from Santa Clara,
> detailed in Aleecia's message to the mailing list which was approved
> by the entire working group (Jonathan abstained in the interest of
> making progress, IIRC), and the subject of countless messages to the
> group from industry that they will simply not implement DNT voluntarily
> unless it reflects a user's deliberate choice.

This just pushes the ambiguity up a level.  It's there, too.  Some people could look at the IE install sequence and conclude that this is a "deliberate choice."  This process would be sufficient to form a binding contract between the profferer of the dialog box and the user, after all.

> Finally, these options that you claim are compliant are given to the
> INSTALLER of IE/Win8 -- the first user created on the machine --- and
> then applied to all users created thereafter.  It is not a dialog
> presented to the USER on first use and does not match the suggestion
> of an acceptable user choice in the last excerpt above.  In enterprise
> environments, the installer and first user is usually not the same
> individual as the "user" defined by compliance for later interactions
> that send DNT:1.

This is hard to square with the statement that "Although some controlled network environments, such as public access terminals or managed corporate intranets, might impose restrictions on the use or configuration of installed user agents, such that a user might only have access to user agents with a predetermined preference enabled, the user is at least able to choose whether to make use of those user agents."  That describes the relationship between installer and user to a T; the only difference is that in the controlled environment the installer also prohibits the user from using other user agents or modifying the setting.  This surely does not _increase_ the user's degree of "deliberate choice."

<substantial snip>

>> (Yes, this would require the regulator to reach a different conclusion than you have about IE 10's compliance or about a server's obligations in dealing with a noncompliant UA, but given the disagreements here, this is hardly out of the question.)
> 
> In any regional context that has privacy laws, those laws still
> apply with or without the signal.
> 
> Maybe Ed Felten could answer the question for the FTC?  If the FTC
> wants to provide any official guidance on this issue, I'll be happy
> to forward it to the Apache PMC and conduct another vote.  The guidance
> can be in private, if desired, but Apache dev votes must be public.

I doubt that Ed, or anyone else, will be able to provide official guidance on behalf of the 50 state attorney generals. And no one can provide official guidance on behalf of the federal courts: advisory opinions are unconstitutional.  The standard will necessarily have to go forth into a world of legal uncertainty.

James

--------------------------------------------------
James Grimmelmann   	          Professor of Law
New York Law School                 (212) 431-2864
185 West Broadway       james.grimmelmann@nyls.edu
New York, NY 10013    http://james.grimmelmann.net
Received on Wednesday, 12 September 2012 19:35:41 UTC
