W3C home > Mailing lists > Public > public-tracking@w3.org > September 2012

Working Group Decision on Tri-part choice requirement for user agents

From: Aleecia M. McDonald <aleecia@aleecia.com>
Date: Fri, 14 Sep 2012 14:49:12 -0700
Message-Id: <95ECA317-2FF0-46D8-B2F9-52F17CD5F9BA@aleecia.com>
To: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
The decision follows.  The chairs made an effort to explicitly address all arguments presented in response to the poll.

*** Question before the Working Group ***

Should we add a requirement that compliant user agents must provide functionality for sending DNT:0 as well as DNT:1 and unset, and require that all options be equally easy to exercise in the interface?

The questionnaire is available from https://www.w3.org/2002/09/wbs/49311/tripart/ and contains the context for the two options before the group:
	Option A: Silence
	(Keep just the existing text that MUST reflect the user's preference etc. User agents -- general purpose browsers or extensions -- do not have to provide a DNT:0 option that is equally easy to turn on as DNT:1.)

	Option B: A user agent MUST require equal effort to configure their agent to each of a minimum of three choices for a Do Not Track preference: 1, 0 or unset.
	(This would add to, not replace, existing requirements.)

Depending on the group's decision and later editorial choices, this text would appear either in the Tracking Preference Expression ("Determining User Preference") or in a corresponding section in Tracking Compliance and Scope (like "User Agent Compliance").

See responses from Working Group participants: https://www.w3.org/2002/09/wbs/49311/tripart/results

== Uncontested parts of the proposals:

At Bellevue we narrowed down to two options (one text and silence). This text would be *in addition to* the requirements on which we have already decided, namely that the DNT signal MUST reflect the user's preference (as opposed to some institution) and that general purpose user agents MUST send unset by default. 

== Detailed responses to major themes:

A.	Support of EU and other Compliance Regimes  
	Summary: Concern that users agents will be insufficient to express users’ consent to tracking in the EU.
	Consequence if not addressed: We cannot guarantee that all compliant user agents are usable to gather consent in the EU.
	Consequence if addressed: At least most major user agents are likely to be able to transmit EU consent

	• 	Input Received
		Anti silence: Roy argued [6] that in order to ensure that the clients are usable within EU context, a tri-state UI may be needed to enter DNT:0 with sufficient context.
		David Wainberg [16] argued that without 3-states, options and choices may be opaque and thus may not satisfy the requirements of informed consent.

		Anti tri-part text: John Simpson [53] argued that “Sending a global DNT:0 is probably meaningless. In the U.S. companies can track when there is no header. In Europe a global DNT: 0 would be an inadequate form of consent.”

	• 	Response
		Legal compliance is not an official goal of this WG,  though it may be important for some TPWG members. While user agents may aim for compliance (e.g., following guidance in our global considerations document), it is not a feature we need to mandate for all user agents.

B.	Incomplete Specification of User Agents 
	Summary: Without sufficient guidance, user agents may be under-specified and may implement DNT in undesirable ways. 
	Consequence if not addressed: User agents may often be implemented in undesirable ways while still being compliant.
	Consequence if addressed: A compliant user agent is unlikely to implement DNT in undesirable ways

	• 	Input Received
		Anti silence: Dave Wainberg [11] argued that without properly specifying the 3 states that a user agent needs to support, we leave undue discretion to user agents that makes undesirable outcomes (such as bias) more likely.

	• 	Response
		By charter, we do not specify user interface. As a consequence, we deem it acceptable to not fully specify the user agents. Furthermore, even with the 3-state text, user agents are still able to incorrectly implement the standard.

C.	Backward Compatibility  
	Summary: The decision should ensure that existing DNT:1 (client) implementations should remain compliant with the finally published standard. 
	Consequence if not addressed: Many existing user agents will no longer be able to claim the DNT standard.
	Consequence if addressed: Most existing user agents will continue to correctly implement the DNT protocol.

	• 	Input Received
		Anti tri-part text: Sid Stamm [38] indicated that mandating 3-state would prohibit all existing deployed DNT user agent implementations.

	• 	Response
		At this point, there exists no DNT standard to be backward compatible with. As a consequence, we believe that the goal of this WG is to define the right initial standard that satisfies our requirements. If existing clients are then deemed non-compliant, one can argue that those clients also did not meet our requirements. Therefore, updates may be in order anyway.

D.	Ability to Validate Components against Spec 
	Summary: By introducing non-technical concepts, the spec testing is not automated and it may not be clear which user agents are compliant. 
	Consequence if not addressed: Many user agents will be able to claim compliance without testers being able to refute these claims as easily (due to the lack of clear criteria and/or technical tests).
	Consequence if addressed: Testing procedures can clearly differentiate whether components are compliant or not.

	• 	Input Received
		Anti tri-part text: Sid Stamm [39] argues that the current 3-state language adds “an ambiguous, untestable requirement that leaves the spec open to a wide variety of interpretations”. Similarly, he argues that is "equally easy to exercise" is hard to validate [40].
		Peter Eckersley [49] argues that “notions of symmetry or equality or neutrality seem weird in the UI context.”.

	• 	Response
		We believe that testability should be a goal of this working group. Both our specifications should aim for a specification that is testable, i.e., if a component claims compliance, there should be an efficient and effective procedure to decide whether this claim is true or not. Some of the compliance-related concepts do not necessarily lend themselves to automated tests, but in a general case, we should be able to expect enough clarity that most people would agree that a certain feature does or does not match the specification, even if it cannot be automated.

E.	Ability to Express Actual User Preference 
	Summary: This concern aims at ensuring that users can always express their preferences. This includes changing ones’ preferences over time.
	Consequence if not addressed: Certain user agents may not provide sufficient choices to guarantee that users can properly enter their preferences.
	Consequence if addressed: All user agents allow users to express their preferences.

	• 	Input Received
		Anti silence: Brooks Dobbs [4] stated that this goal “is not achieved where only one of the two fundamental choices is offered”. 
		Shane Wiley [2] argued that “DNT:0 must be available as an option/choice” while Jonathan Mayer states the opposite [57]: “There is no apparent use case for a universal "DNT: 0" signal.” And “Surveys have not demonstrated any sizable user demand for a universal "DNT: 0" signal.”

	• 	Response
		We are chartered “...to improve user privacy and user control by defining mechanisms for expressing user preferences around Web tracking...” As a consequence, we believe that the ability to express one’s preference is essential and of high importance. However, the input received does not argue why a 3-state UI is the only way to ensure that users can express preferences.  Prior discussions argued that installing/uninstalling an extension, is sufficient for some users to express their preferences. 

		We conclude that it is of very high importance that each user can find a way  to express his/her preferences. However, we do not conclude that all user agents must offer all preferences for all users as the only way to satisfy this requirement. Furthermore, the uncontested text already requires user agents to reflect users' choices.

F.	Simplicity, Innovation and Differentiation for User Agents 
	Summary: This concern expresses the need to keep user agents simple, while enabling them to innovate and differentiate based on this standard.
	Consequence if not addressed: The recommendation may provide a detailed specification of user agents that do not allow implementers to sufficiently innovate and differentiate based on their targeted customer segments and the corresponding overall user experience. Furthermore, this may unnecessarily complicate user agents.
	Consequence if addressed: The recommendation focuses on regulating the parts required for interoperability (such as a protocol) and mandates the requirements in a high-level way that does not unnecessarily encumber innovation and differentiation by user agents.

	• 	Input Received
		Anti tri-part text:  Sid Stamm argued that “[3-state] reduces the ability for UAs to design a UI in ways that benefits our users.” [35] and that “we must be able to change our UI if we find that we can design a better way” [36]. He also indicates by mandating tri-state, the standard “excludes simple single-purpose tools that have no (or limited) UI” [37] 
		Justin Brookman [55] argued that “Requiring […] equally weighted choices […] is unduly prescriptive and would impose needless burdens on user agents[…].”
		David Singer argued that “the availability of DNT:0 as a general option (e.g. to avoid prompting the user for exception on many web sites) should be a question of product differentiation” [31] and that “[tri-state] mandates a significant complication in the user-interface” [27].
		Adrian Bateman argued that “browsers and web sites should be free to innovate” [44] and that “Requiring three options adds complexity” [43].
		Justin Brookman stated [56] that “It seems facially absurd to mandate that the maker of any privacy tool must also offer an equally weighted "publicness" tool”.
		John Simpson said that “Should a particular UA opt to offer the ability to send DNT 0, that's fine, they MAY do it. It MUST NOT be a requirement” [51] and that it should be possible to build a “UA that simply offers the ability to send a persistent DNT:1 when enabled” [54].
		Jonathan Mayer stated that mandating a 3-way user interface may mandate bad user-interface design “The proposed language gerrymanders a particular - and bad - user interface.” [57]

	• 	Response
		Specifying a user interface is out of scope by our charter. As a consequence, if we need to put constraints on user agents at all, these requirements should be as lightweight as possible. 

G.	Unbiased Representation 
	Summary: This section addresses the requirements that user agents should not be biased in either way. In particular for general purpose browsers, a substantial concern raised is that user agents may be pro-privacy or pro-advertising, i.e., to bias the representation of preferences to encourage the user to express the preferred choice of the creator of the user agent.
	Consequence if not addressed: If this concern is not addressed, the user agents may unduly influence the preference of the user. As a consequence, the data entered no longer represents the actual preference of the user.  This raises concerns in both directions: By biasing user agents towards advertising (DNT:0), privacy is reduced and compliance problems may occur. By biasing user agents towards privacy (DNT:1), commerce and revenue is stifled and thus web-sites may no longer be able to offer today’s content.
	Consequence if addressed: In the evolving ecosystem, users can freely and adequately express their preferences. Once entered, the collected data represents the actual preferences of a given user.         

	• 	Input Received
		Anti-silence:  Shane Wiley requires “fair balance in marketplace [by] providing all possible options" [1].

		Brendan Riordan-Butterworth states “By not requiring that DNT:0 option that is equally easy to turn on as DNT:1, a user behavior that limits commerce is promoted” [21]. Similarly Brendan states that our standard should focus on technical mechanism and not “specific human behavior (IE, that the user select DNT:1 and not select DNT:0).” [22]

	• 	Response
		We are chartered to express user choice, not the choices of user agents. We also have uncontested text to that effect already. We agree that fairness is important. But we have not seen evidence as to why requiring all three options with equal effort satisfies the goal of fairness.


== Decision and Rationale

Our task was to consider the received input to identify the option that drew the least strong objections.  Both proposals drew valid concerns. We tried to derive potential mitigations of concerns that were not addressed by the decision.

Based on the inputs at hand and our analysis in this document, we conclude that silence, i.e., not mandating a 3-state user interface, drew the least strong substantive objections from the Working Group. This decision is based on the following arguments that are derived from the submitted data.

	• Biased User Agents: We understand the substantial concern that user agents may be biased and we believe that mitigating this concern is very important. However, we believe that mandating a 3-state user interface does not address the concerns unless a full UI is specified, which we cannot do by charter. Even with 3 options, these options may still be misrepresented and may lead to a biased UI. 

	• UA Differentiation and Innovation: The ability for user agents to innovate and differentiate is a major component in identifying the least strong objection for several reasons:
		Privacy advocates as well as advertisers will benefit from UI innovations and from differentiations. As a consequence, we expect manufacturers of user agents to build the best possible and unbiased tools for collecting user preferences.
		Minimizing the restrictions on implementers will enable more and simpler user agent implementations.
		We aim for segmentation of the market and targeting of user agents. I.e., depending on the preferences of a particular user, the user may choose the right user agent.
		User agents are in the best position to understand how best to gather a user’s preference.

	• Ability to Express Preferences: Our standard aims at expressing user preferences, which makes this a high concern. While this was used as an argument for 3-state agents, the evidence did not establish that a single approach to user agents (as compared to an ecosystem of targeted user agents for different segments) is the right and only way forward. As a consequence, we believe that it is likely that users will partially express their preference by selecting the “right” user agent for their needs. 

	• Testability against spec: We should aim for a testable recommendation as much as possible, and consider this of medium importance. While the existence (or lack there of) of a 3-state user interface is easily testable, participants stated that statements such as an unbiased presentation or “similar effort” are difficult to test. 


*** Decision of the Working Group ***

Therefore, the Tracking Protection Working Group hereby adopts the "silence" proposal. Of the two proposals before us, this one has drawn the weaker objections.

== Mitigating the Potential Drawbacks

We understand by not mandating 3-state user agents, we create certain risks that could still be mitigated. As a consequence, we believe that the group should consider creating corresponding issues based on the suggestions and concerns raised in the received input. For example, while we are settled on normative text (saying nothing,) the group may wish to discuss other ways to reduce bias, such as non-normative text with best practices and examples. We welcome a discussion of other approaches to reducing the risk that user agents do not reflect their users’ choice. For users who select a plugin designed for privacy, there is no problem with a user agent that does not offer all three choices, but a general purpose user agent likely ought not behave the same way. We expect market forces to create a variety of approaches. Do we as a group have suggestions on how to help user agent authors avoid a user experience that unfairly steers users toward one outcome or another?

== Irrelevant Comments ==

In general, comments we did not find relevant fell into one of these categories:

	• 	Duplicative statements. We tried to cite unique elements out of the input and highlight key reasoning. Authors are strongly urged to read prior submissions and avoid repeating the same points.
	• 	Did not provide support for an assertion. We need to understand your logic or evidence. For example, stating that one option will not help users does not establish this beyond the author’s opinion.
	• 	Stated a preference in favor of an option. We are looking to find the option that draws the least strong substantive objection, not the option that has the most support. Comments of the form “I like this option because...” are examples. 
	• 	Did not reflect understanding of the decision at hand. For example, not understanding that DNT being unset will likely be handled differently in the EU and the US.
	• 	Did not have anything to do with what option the participant could not live with. For example, speculation as to other WG members’ motivations has no relevance whatsoever. 

== Next Steps ==

1. We will create and close a new issue. 
2. We will add a pointer to the new issue with a note regarding this outcome to issue-149, which is a superset of this issue and will remain open.
3. Editors have no text to modify.
4. We will be happy to hear volunteers for action items that attempt to mitigate the downsides to this decision, while still respecting the decision itself. 

== Appealing this Decision ==

If anyone strongly disagrees with the content of the decision and would like to raise a Formal Objection, they may do so at this time. Formal
Objections are reviewed by the Director in consultation with the Team. Ordinarily, Formal Objections are only reviewed as part of a transition request.

== Revisiting this Issue ==

This issue may be reopened if new information and a concrete proposal are presented.







== References, all from comments on https://www.w3.org/2002/09/wbs/49311/tripart/results ==

[1] Shane Wiley: To provide a fair balance in the marketplace consumers should be provided all possible options  when activating DNT.

[2, 3] Shane Wiley: By limiting the options and not providing DNT:0 as a clear choice,  the resulting standard is biased towards the activation of DNT and doesn't give equal weight to exceptions .

[4] Brooks Dobbs: Quite simply, this goal [of ability to express preferences] is not achieved where only one of the two fundamental choices is offered.

[5] Roy Fielding: If none of the major browser implementers indicate a willingness to implement such an option, then I would consider that a stronger objection.

[6, 7] Roy Fielding: If we had a definition of DNT:0 that would be effective for compliance with EU law (enables consent for a specific set of purposes), then I would object to Option A for general-purpose browsers because being able to provide such consent is exactly what the EC requested as a solution to the ePrivacy Directive for citizens that do not want to be annoyed by consent dialogs at every site. However, I consider this objection to be weak because UAs are under no obligation to be useful within the EU and, if the option is useful to their users, then I would expect the UAs implement it voluntarily.

[8] Ian Fette: I believe that keeping the existing text is insufficient. In particular, I believe that we need to make it clear that user agents must provide functionality for DNT to be "on" or "off". The notion of a distinction between "unset" and "off" is a nice one, but is one that no browser has successfully come up with UI for.

[9-15] David Wainberg: If the objective of DNT is to allow a user to express their preference about data collection and use, then only option B is effective and consistent with our objectives. While Option B does not alleviate concerns that users may not be able to understand DNT, Option A -- silence -- seems to ensure that users can't understand the alleged choices they are being directed to make.

Silence also seems to leave too much discretion for user agents, a serious concern for most commercial stakeholders in the online ecosystem. UA's should not be allowed to limit, discourage, or inhibit user's choices. We should ensure that UA's are not limiting information about or access to some of the options, and thereby discouraging users from making informed choices. We can do this by requiring, as in Option B, that UA's provide equal access to all of the DNT options. 

[16] David Wainberg: Finally, in contrast to Option A, I can see no downside to presenting users with more transparency and more choice in this case.

[17] Alan Chapell: This option does not give enough granularity of choice to the User.

[18] Brendan Riordan-Butterworth: This means that the tri-part choice requirement only applies to tools like the web browser, and not to plug-ins that simply modify existing HTTP requests.

[19, 20] Brendan Riordan-Butterworth: While Section 6 (http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#exceptions) “User-Granted Exceptions” enables the selective allowing of blocked elements, it is not an “exceedingly straightforward way for users to gain transparency and control over data usage and the personalization of content and advertising on the web” (Section 2 (http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#scope-and-goals) “Scope and Goals”, Substantial Outcome #2) – specifically, in those jurisdictions where opt-in is required, a user would need to enabled DNT:1 and then also configure exceptions for all visited sites.

This means that Option A creates a situation where compliancy of user agents means implementations that do not meet the goals laid out in the working groups Charter and in the Tracking Compliance and Scope specification.

[21, 22] Brendan Riordan-Butterworth: By not requiring that DNT:0 option that is equally easy to turn on as DNT:1, a user behavior that limits commerce is promoted, which is counter to the W3C principle with regards to commerce. Additionally, the deliverables of the Tracking Protection working group (http://www.w3.org/2011/tracking-protection/charter.html#deliverables) are to create a specification that promotes specific technical behavior (“defines the technical mechanisms”), and not specific human behavior (IE, that the user select DNT:1 and not select DNT:0).

[23] John Simpson: Consumer Watchdog strongly supports the Option A: Silence

[24] Brooks Dobbs: While I "favor" this option, I believe that it is not phrased correctly. 

[25] Brooks Dobbs: With respect to the "effort" required to set 1 vs. 0, I would argue that this will be very difficult to address without getting into UA design, but with that said the question really isn't about the physical mechanism that denotes choice but rather the underlying requirement that either choice (1 or 0) must reflect a user's preference relative to the manner that "allow[s] each service to either adjust their behavior to meet the user's expectations or reach a separate agreement with the user to satisfy all parties".

[26] Roy Fielding: This is not necessarily a tri-part option; it is two binary options: unset/set and then (if set) 0/1. That is common in all UA configs and not a burden to implement.

[27] David Singer: We object; we believe that this option mandates a significant complication in the user-interface, and do not see a matching compelling reason to compel all UAs to offer this choice.

[28] David Singer: Tri-state UIs are more complex both to offer and explain.

[29-31] David Singer: We also believe that the specification should be defining a protocol, and not designing either user agents, or web sites, and that this kind of mandate would represent a significant expansion of scope, which, if adopted, should also place in scope mandating the behavior of sites with respect to users.

DNT:0 was introduced in order to satisfy the exception mechanism; though it may serve as a general user-preference there is no need to mandate it. Even in hypothetical jurisdictions where 'unset' means some kind of 'less tracking', the availability of DNT:0 as a general option (e.g. to avoid prompting the user for exception on many web sites) should be a question of product differentiation, not specification mandate.

[32, 33] David Singer: We are currently mostly silent on what both sites and user-agents must offer to or tell users, and we believe strongly that this is correct; define the protocol and what it means, not the user experience.

Finally, the charter only envisages "guidelines that define the user experience or user interface", not mandates.

[34] Jeffrey Chester: This proposal does not help users at all.

[35-39] Sid Stamm: First, it reduces the ability for UAs to design a UI in ways that benefits our users. We want to be able to implement the TPE specification and need flexibility in UI design to do this -- we must be able to change our UI if we find that we can design a better way to elicit our users' preferences.

Second, this requirement excludes simple single-purpose tools that have no (or limited) UI, and moreover would prohibit all existing deployed DNT implementations -- even those being embraced by Web users today.

Third, the language as written adds an ambiguous, untestable requirement that leaves the spec open to a wide variety of interpretations; this could result in some groups claiming an implementation is compliant and others claiming the same implementation non-compliant.

[40] Sid Stamm: In particular, we do not understand how to measure if something is "equally easy to exercise" short of standardizing UI implementation details, which is out of scope for the working group, and which we would strongly oppose, for reasons stated above.

[41] Sid Stamm: This does not include representation to users; it is a protocol specification and should only describe the structure of communication between user agents and web servers.

[42] Ian Fette: I believe that keeping the existing text is insufficient. In particular, I believe that we need to make it clear that user agents must provide functionality for DNT to be "on" or "off".

[43] Adrian Bateman: Requiring three options adds complexity to the way options are presented to users in the UI.

[44, 45] Adrian Bateman: Both browsers and web sites should be free to innovate in how to obtain consent without being tied to a particular set of options by the specification. Being this prescriptive about both user agents and web sites strays too far into dictating user experience, which we expect may be refined and improved over time.

[46] Ninja Marnau: The wording "equal effort to configure" does not reflect that the UA provider has considerable more effort to explain to the user the meaning and outcome of DNT:0 compared to DNT:1.

[47-49] Peter Eckersley: We don't like Option B. We're OK with Mozilla using 3-state (anyone can under the current approach) but it's not obvious why it needs to be in the standard and why every browser other than Mozilla should be out of compliance because it doesn't do 3 states. In the US no DNT header effectively = DNT:0. In the EU, user-agents need to be able to send DNT:0 to allow tracking, and they will. 

Also, notions of symmetry or equality or neutrality seem weird in the UI context.

[50] John Simpson: Since Do Not Track discussions began the goal was always about how the user through the UA would simply convey the user's preference not to be tracked.

[51] John Simpson: Should a particular UA opt to offer the ability to send DNT 0, that's fine, they MAY do it. It MUST NOT be a requirement.

[52, 53] John Simpson: DNT: 0 as I understand it, is designed to facilitate particular exceptions.

Sending a global DNT:0 is probably meaningless. In the U.S. companies can track when there is no header. In Europe a global DNT: 0 would be an inadequate form of consent.

[54] John Simpson: In sum a UA that simply offers the ability to send a persistent DNT:1 when enabled -- and is not enabled by default -- is all that the specification MUST require.

[55] Justin Brookman: Requiring that user agents offer equally weighted choices for Do Not Track is unduly prescriptive and would impose needless burdens on user agents to present an option to users that they are unlikely to want.

[56] Justin Brookman: It seems facially absurd to mandate that the maker of any privacy tool must also offer an equally weighted "publicness" tool or setting that would convey to the world a preference to be tracked. Such a requirement would impose unnecessary costs on developers and deter the development of privacy tools.

[57] Jonathan Mayer: There is no apparent use case for a universal "DNT: 0" signal and Surveys have not demonstrated any sizable user demand for a universal "DNT: 0" signal.

[58] Jonathan Mayer: The proposed language gerrymanders a particular - and bad - user interface.
Received on Friday, 14 September 2012 21:49:42 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:34 UTC