RE: DNT: Agenda for April 10 call

It seems to me that the proposed text is a little ambiguous, especially because it only talks about User Agent compliance. In fact, the group has already agreed that some of the control of the preference goes to web sites when setting exceptions (or recording out of band exceptions). We should have one place in the spec that describes interactions with users applying to user agents and web sites.

The list of UI guidelines can be shortened recognising that #1 repeats the point that the spec doesn't define how to present the UI and that #2 and #3 essentially request that sites describe the effect of the preference. I do not believe that "via a link in explanatory text" is UI independent enough. For example, why a link and not a button, why not inline in a scrollable text area, etc. etc. At Microsoft, we also think #3 should be described using a SHOULD (i.e. MUST except when there is a good reason not to). For example, a first run experience on a mobile phone might ask a clear and accurate question about DNT but not have network connectivity at that point to be able to link to a site with more information.

In the spirit of the current draft, we believe that the normative text should stand alone. If someone wants to write an informative primer following common W3C practice as a separate document then we have no objection to that. We therefore offer no comments on the non-normative language and don't believe it needs to be included.

I want to emphasise that we still support Option 2 (http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#def-consent-silence) leaving the definition of consent to local laws.

I offer the following text for consideration as an alternative to Alan's proposal:

5. User Preferences
User agents and web sites MUST obtain express and informed consent when setting controls that affect the tracking preference expression. The controls MUST communicate the user's preference in accordance with the [TRACKING-DNT<http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#bib-TRACKING-DNT>] recommendation.

User agents and web sites offering tracking preference choices to users MUST follow the following user interface guidelines:

1.     User agents and web sites are responsible for determining the user experience by which a tracking preference is controlled;

2.      User agents and web sites MUST ensure that tracking preference choices are communicated to users clearly and accurately and shown at the time and place the tracking preference choice is made available to a user;

3.      User agents and web sites SHOULD ensure that the tracking preference choices describe the parties to whom DNT applies and SHOULD make available explanatory text to provide more detailed information about DNT functionality.



From: Justin Brookman [mailto:justin@cdt.org]
Sent: Tuesday, April 9, 2013 2:26 PM
To: public-tracking@w3.org
Subject: Re: DNT: Agenda for April 10 call

Who is presenting the language on user interface?  The group had previously agreed that the degree of specificity on user agent presentation of DNT options should also be mirrored in presentation requirements for exception requests.  So if we're requiring "clear and conspicuous" presentation and an explanatory link for turning DNT on in the first place, we're also going to have to require the same for parties seeking to get permission to ignore a DNT:1 signal.


Justin Brookman

Director, Consumer Privacy

Center for Democracy & Technology

tel 202.407.8812

justin@cdt.org<mailto:justin@cdt.org>

http://www.cdt.org

@JustinBrookman

@CenDemTech
On 4/9/2013 4:59 PM, Peter Swire wrote:
(Very roughly, first half on compliance spec and second half on TPE spec.)

---------------------------
Administrative
---------------------------

1. Confirmation of scribe - glad to accept volunteer  -- no volunteer thus far.

2. Offline-caller-identification:
If you intend to join the phone call, youmusteither associate your phone number with your IRC username once you've joined the call (command: "Zakim, [ID] is [name]" e.g., "Zakim, ??P19 is schunter" in my case), or let Nick know your phone number ahead of  time. If you are not comfortable with the Zakim IRC syntax for associating your phone number, please email your name and phone number to npdoty@w3.org<mailto:npdoty@w3.org>. We want to reduce (in fact, eliminate) the time spent on the call identifying phone numbers. Note that if your number is not identified and you do not respond to off-the-phone reminders via IRC, you will be dropped from the call.

---------------------------
Compliance Spec - Peter Swire
---------------------------

3.   User education/ User interface.

Proposed Text:
5. User Agent Compliance
A user agent MUST offer a control to express a tracking preference to third parties. The control MUST communicate the user's preference in accordance with the [TRACKING-DNT<http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#bib-TRACKING-DNT>] recommendation and otherwise comply with that recommendation. A user agent MUST NOT express a tracking preference for a user unless the user has given express and informed consent to indicate a tracking preference.

While we do not specify how tracking preference choices are offered to the user or how the preference is enabled, each implementation MUST follow the following user interface guidelines:
1.     The User Agent is responsible for determining the user experience by which a tracking preference is enabled. For example, a user might select a check-box in their user agent's configuration, or install an extension or add-on that is specifically designed to add a tracking preference expression so long as the checkbox, extension or add-on otherwise follows these user interface guidelines;
2.     The User Agent MUST ensure that the tracking preference choices are communicated to users clearly and conspicuously, and shown at the time and place the tracking preference choice is made available to auser;
3.     The User Agent MUST ensure that the tracking preference choices accurately describe DNT, including the parties to whom DNT applies, and MUST make available via a link in explanatory text where DNT is enabled to provide more detailed information about DNT functionality.

Non-Normative:

The User Agent plays a key role in enacting the DNT functionality. As a result, it is appropriate for the User Agent to play an equally key role in describing DNT functionality and educating users about DNT in order for this standard to be meaningful.

While the user interface guidelines do not specify the exact presentation to the user, they are intended to help ensure that users understand their choices with respect to DNT. For example, outlining the parties (e.g., First Parties, Service Providers, Third Parties) to whomDNTapplies and using language that a reasonable user is likely to understand is critical for ensuring that users are in position to provide their informed consent to a tracking preference.

Moreover, as DNT functionality is complex, it is important that User Agents educate users about DNT, including but not limited to offering a clearly described link that takes the user to additional information about DNT functionality. For example, given that some parties may chose not to comply with DNT, it would be helpful for browsers to educate users about how to check the response header and/or tokens to see if a server is responding with a "public commitment" of compliance.

Finally, recognizing that DNT settings may be set by non-browser User Agents acting in violation of the user interface guidelines, the browsers should take reasonable steps to ensure that DNT settings are valid.

4. ACTION-373: Append.  Text proposed by John Simpson and Alan Chapell, with concurrence by Jeff Chester. Clarifications to list in emails by John Simpson April 8 and Peter Swire April 9.  Peter Swire circulated a background memo on April 9.

Normative:
When DNT:1 is received:
-- A 1st Party MUST NOT combine or otherwise use identifiable data received from another party with data it has collected while a 1st Party.
-- A 1st Party MUST NOT shareidentifiable data with another party unless the data was provided voluntarily by the user and is necessary to complete a business transaction with the user.
-- A Party MUST NOT usedata gathered while a 1st Party when operating as a 3rd Party.
Non-Normative:
When DNT:1 is received, a 1st Party retains the ability to customize content, services, and advertising only within thecontext of the first party experience. A 1st party takes the user interaction outside of the 1st party experience if it receives identifiabledata from another party and uses that data for customization of content, services, oradvertising.
When DNT:1 is received the 1st Party maycontinue to utilize user provided data in order to complete or fulfill a user initiated business transaction such as fulfilling an order for goods or a subscription.
When DNT:1 is received and a Party has become a 3rd Party it is interacting with the user outside of the 1st Party experience.  Using data gathered while a 1st party is incompatible with interaction as a third party.

Chris Pedigo gave five examples on data append in September, 2012, which are useful to consider in light of the proposed language:
http://www.w3.org/2011/tracking-protection/track/actions/229

---------------------------
TPE Spec - Matthias Schunter
---------------------------
5. Restructuring the response indicators. We currently discuss thefollowing three fields:

- Optional Prefix "!" (I do not conform and I do not claim that whatever letters follow this sign are correct)
- Tracking Status
   1, 3, ...
- Permitted uses:
   C(onsent), ...

6.  ISSUE-187 Discuss Site Requirements Consent
One general concern related to exceptions in general was that sites register exceptions while neither the browser (in the old model) nor the site (in the new model) gather consent in a reliable way. Our current TPE spec states in Section 6.3.1:
The call to store an exception MUST reflect the user's intention to grant an exception, at the time of the call. This intention MUST be determined by the site prior to each call to store an exception, at the time of the call. (This allows the user to change their mind, and delete a stored exception, which might then trigger the site to explain, and ask for, the exception again). It is the responsibility solely of the site making the call to determine that a call to record an exception reflects the user's informed consent at the time of the call.

Jonathan proposed these three requirements that refine this language and that I would like to gather feedback on:
1) Actual presentation: The choice mechanism MUST be actually presented to the user.  It MUST NOT be on a linked page, such as a terms of service or privacy policy.

2) Independent choice: The choice mechanism MUST be presented independent of other choices.  It MUST NOT be bundled with other user preferences.

3) No default permission: The choice mechanism MUST NOT have the user permission preference selected by default.

(From http://lists.w3.org/Archives/Public/public-tracking/2012Apr/0004.html )

7. Steps towards the next working draft.

Discuss what needs to be updated before publishing our next TPE working draft.

I have previously preferred distinguishing "who I am" from "how I am operating", and I feel that have C and ! as 'status' indicators rather than qualifiers means that I can no longer tell whether I am interacting with someone who adheres to 1st or 3rdparty constraints.  So I agree, rather than C or ! as the first character, I think that

1C -- content produced under first party rules with consent
3C -- third party under 3rd party rules with consent

8. Announce next meeting & adjourn


================ Infrastructure =================

Zakim teleconference bridge:
VoIP:    sip:zakim@voip.w3.org<file:///\\localhost\sip\zakim@voip.w3.org>
Phone +1.617.761.6200 passcode TRACK (87225)
IRC Chat: irc.w3.org<http://irc.w3.org/>, port 6665, #dnt

*****


Professor Peter P. Swire
C. William O'Neill Professor of Law
    Ohio State University
240.994.4142
www.peterswire.net<http://www.peterswire.net>