Re: Intermediaries interfering with DNT decision making

Hi Mike,

we have had extensive discussions - and diverging opinions, whether an explicit consent is required. The only certain thing all agree is that requirements across the EU vary, as the EU law only rovides a framework to which countries have to respond (apologies for simplification).
We would have legal issues, if the EU - or any Member State were to mandate this - or any standard.

Kind regards,
Kimon

Kimon Zorbas
Vice President IAB Europe

IAB Europe - The Egg –Rue Barastraat 175 –1070 Brussels - Belgium
Phone +32 (0)2 5265 568
Mob +32 494 34 91 68
Fax +32 2 526 55 60
vp@iabeurope.eu
Twitter: @kimon_zorbas

www.iabeurope.eu and www.interactcongress. eu

IAB Europe supports the .eu domain name www.eurid.eu

IAB Europe is supported by:

Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Netherlands, Norway, Poland, Romania, Russia, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, Ukraine and United Kingdom representing their 5.000 members. The IAB network represents over 90% of European digital revenues and is acting as voice for the industry at National and European level.

IAB Europe is powered by:

Adconion Media Group, Adconion Media Group, Adobe, ADTECH, Alcatel-Lucent, AOL Advertising Europe, AudienceScience, BBC Advertising, CNN, CoAdvertise, comScore Europe, CPX Interactive, Creafi Online Media, Criteo, Deutsche Post, eBay International Advertising, Evidon, Expedia Inc, Fox Interactive Media, Gemius, Goldbach Media Group, Google, GroupM, Hi-Media, Koan, Microsoft Europe, Millward Brown, News Corporation, nugg.ad, Nielsen Online, OMD, Orange Advertising Network, PHD, Prisa, Publicitas Europe, Quisma, Sanoma Digital, Selligent, TradeDoubler, Triton Digital, United Internet Media, ValueClick, Verisign, Viacom International Media Networks, Webtrekk, White & Case, Yahoo! and zanox.

IAB Europe is associated with:
Advance International Media, Banner, ePrivacyConsult, Emediate, NextPerformance, Right Media, Tribal Fusion and Turn Europe

----- Reply message -----
From: "Mike O&apos;Neill" <michael.oneill@baycloud.com>
To: "public-tracking@w3.org" <public-tracking@w3.org>
Subject: Intermediaries interfering with DNT decision making
Date: Thu, Sep 13, 2012 1:08 pm




The exception API could be amended slightly to make the UA pop up a UI if
DNT is unset. In jurisdictions needing explicit consent (like EU),
publishers could be required by regulators to use that form of the API (i.e.
if DNT is unset then ask the user how they want to handle it, e.g. leave it
unset or specify 1 or 0).

This would give EU regulators the ability to use DNT as a consent mechanism
(which could even be page specific) which would be very helpful for
publishers here, and may give Microsoft a way to defuse the argument. As
part of their install the default homepage could implement the (amended)
exception API.

Mike


-----Original Message-----
From: Roy T. Fielding [mailto:fielding@gbiv.com]
Sent: 13 September 2012 00:19
To: rob@blaeu.com
Cc: public-tracking@w3.org
Subject: Re: Intermediaries interfering with DNT decision making

On Sep 12, 2012, at 2:03 PM, Rob van Eijk wrote:

> From an EU perspective, the legal analysis of the express flow of IE-10 at
install/update is not part of the scope of the DNT standard. If the express
flow meets the criteria of consent in the EU, it will be a valid expression
of user's consent, likewise if it does not meet the criteria of consent in
the EU, it won't.

The criteria for consent in the EU is pretty clear that a user never
informed of the choice has never given consent.  Would you disagree?
It is also pretty clear, at least by the WP statements, that the consent has
to be explicit.

> It is not up to a server to do it's own legal assertion of the validity of
a user's whishes. My conclusion is, that based on the DNT standard alone, it
is impossible to claim that IE-10 is a non-comliant UA, stemming from a DNT
setting that is on by default.

Then why do we have any requirements in the specification?  If it is WG
opinion that a user agent can do whatever it likes and the server just has
to accept it as fact, then we are done here.  DNT is DOA.

> The current text was indeed intended for user agents. No disagreement
there. I propose to extend it to servers as well. In a dialogue there are
two roles: senders and receivers. User agents and servers switch these roles
frequently in a dialoque. I do not see a possibility for a meaningful DNT
dialogue between user agent and server if the server that claims to be DNT
compliant can drop a DNT signal at will.

I agree with that.

> An HTTP endpoint must also be held accountable to the DNT signal. I think
it is important to not loose sight of an important function of DNT, which is
that DNT is an important technical buildingblock for a meaningful DNT dialog
between user agent and server. That dialogue starts with the expression of a
user's personal preference and includes the respons on a server without
discriminating user agents able to talk DNT.

I agree with that also.  It depends on the user's personal preference, and
servers will not indicate compliance with a standard that allows user agents
to lie about the user's preference.  The goal here, naturally, is to find a
way for servers to comply that doesn't require further legislation.

> Bottom line is that in my opinion a server must respect the DNT signal, if
it stems from a user agent capable of talking DNT. Asserting IE-10's legal
validity of a valid expression of the user's whishes is irrelevant.

A general purpose user agent that has not asked the user for their
preference is not capable of talking DNT.  HTTP semantics are important, and
the only way to ensure that user agents respect them is if the server has
the ability to say "no, you'll have to indicate preferences via some other
means because your UA is broken".
Otherwise, every UA will be broken in short order.

....Roy

Received on Thursday, 13 September 2012 11:21:24 UTC