- From: Rigo Wenning <rigo@w3.org>
- Date: Fri, 26 Apr 2013 19:19:29 +0200
- To: Alan Chapell <achapell@chapellassociates.com>
- Cc: public-tracking@w3.org, David Singer <singer@apple.com>, "Edward W. Felten" <felten@cs.princeton.edu>
On Friday 26 April 2013 09:44:05 Alan Chapell wrote:
> I'm not looking to establish liability.

ok, in talking liability, I made two steps in one move. I meant accountability plus false claims of conformance.

>
> No - I want to understand who is responsible for ensuring that DNT
> functionality is clearly described in line with privacy by design
> concepts.

The legal entity making, have made or distribute the piece of code that creates the effect that HTTP headers contain an additional DNT header.

>
> >My software is
> >conformant to the Tracking Protection Standard.
>
> I'm sorry Rigo, but I'm just not understanding. Who here is the
> implementer here?

The person legally responsible for the software generating the DNT header. This is the person that distributes or sells the software to the end user. But this could also be an intermediary (e.g. in a mobile context like in opera-mini)

>
> >So talking about the "user" instead of the "user agent" actually does
> >the trick.
> I think we're in agreement re: the User must be informed.

Yes, the tricky part is to find the right wording to cover those we want to be responsible. "user agent" is "the wrong tree" as Roy would say. We should formulate our expectation on the user's experience (this is in the center of our interest) and leave the determination of the responsible person to the legal system. By having those requirements on user experience also linked in the section on conformance, claims of conformance (e.g. I implement W3C DNT) will only be true if the user is informed as required. False claims of conformance carry the risk of being qualified as deceptive.

> We can word
> the requirement from the pov of the User if you'd like, but I don't
> think that changes the fact that SOME 'thing' sends a DNT header.

There is always someone who provided that software unless the user has programmed it herself.

> That thing may be a browser or other User agent, a piece of software,
> a refrigerator, a carrier pigeon, etc…

You don't need to mention what software not to exclude things. Just mention the requirements what the user should see.

> The spec needs to have some
> requirement that those things that turn on DNT have a responsibility
> to meet some baseline standard of informed consent.

Again my remark that informed consent cuts both ways, as a requirement before turning DNT:1 on, but also as requirement on the website before turning on the DNT:0 signal via the javascript API.

> Otherwise, we
> don't have a standard that is meaningful for anyone.

This is why I complain about the lacking reaction on the feedback mechanism by the browser. While I understand that browsers are reluctant to commit to everything directly, things that are excluded from implementation up front shouldn't be in the standard. If nobody wants the feedback mechanism, throw it out. Without browser implementation it doesn't make sense as it will not replace the human readable Privacy Policy.

--Rigo
Received on Friday, 26 April 2013 17:20:01 UTC