Re: ACTION-390: alternative UA affordances for DNT choice

On 4/26/13 1:19 PM, "Rigo Wenning" <rigo@w3.org> wrote:

>On Friday 26 April 2013 09:44:05 Alan Chapell wrote:
>> I'm not looking to establish liability.
>
>ok, in talking liability, I made two steps in one move. I meant
>accountability plus false claims of conformance.

Yes - I think you're jumping the gun worrying about false claims of
conformance here. It's a voluntary standard after all.

> 
>
>> 
>> No - I want to understand who is responsible for ensuring that DNT
>> functionality is clearly described in line with privacy by design
>> concepts.
>
>The legal entity making, have made or distribute the piece of code that
>creates the effect that HTTP headers contain an additional DNT header.

Ok by me, but then we need to define this entity within the spec. I was
initially under the impression that this was the user agent - if not, then
we should figure out what to call it here so that those reading the
document understand the idea that "if you turn on DNT, you are responsible
for meeting the disclosure guidelines." If we don't have that type of
clarity, then we will have an ineffective standard.

> 
>
>> 
>> >My software is
>> >conformant to the Tracking Protection Standard.
>> 
>> I'm sorry Rigo, but I'm just not understanding. Who here is the
>> implementer here?
>
>The person legally responsible for the software generating the DNT
>header. This is the person that distributes or sells the software to the
>end user. But this could also be an intermediary (e.g. in a mobile
>context like in opera-mini)
>> 
>> >So talking about the "user" instead of the "user agent" actually does
>> >the trick. 
> 
>> I think we're in agreement re: the User must be informed.
>
>Yes, the tricky part is to find the right wording to cover those we want
>to be responsible. "user agent" is "the wrong tree" as Roy would say. We
>should formulate our expectation on the user's experience (this is in
>the center of our interest) and leave the determination of the
>responsible person to the legal system.

I strongly disagree with that approach.
> 
>
>By having those requirements on user experience also linked in the
>section on conformance, claims of conformance (e.g. I implement W3C DNT)
>will only be true if the user is informed as required. False claims of
>conformance carry the risk of being qualified as deceptive.
>
>> We can word
>> the requirement from the pov of the User if you'd like, but I don't
>> think that changes the fact that SOME 'thing' sends a DNT header.
>
>There is always someone who provided that software unless the user has
>programmed it herself.
>
>> That thing may be a browser or other User agent, a piece of software,
>> a refrigerator, a carrier pigeon, etc?
>
>You don't need to mention what software not to exclude things. Just
>mention the requirements what the user should see.
>
>> The spec needs to have some
>> requirement that those things that turn on DNT have a responsibility
>> to meet some baseline standard of informed consent.
>
>Again my remark that informed consent cuts both ways, as a requirement
>before turning DNT:1 on, but also as requirement on the website before
>turning on the DNT:0 signal via the javascript API.
> 
>
>> Otherwise, we
>> don't have a standard that is meaningful for anyone.
>
>This is why I complain about the lacking reaction on the feedback
>mechanism by the browser. While I understand that browsers are reluctant
>to commit to everything directly, things that are excluded from
>implementation up front shouldn't be in the standard. If nobody wants
>the feedback mechanism, throw it out. Without browser implementation it
>doesn't make sense as it will not replace the human readable Privacy
>Policy.


I'm not advocating for any kind of a feedback mechanism. I hope this is
not an attempt at a back door argument for a feedback mechanism. I would
encourage you to make that argument to Roy and others on the separate
thread. 

> 
>
> --Rigo
>

Received on Friday, 26 April 2013 17:52:23 UTC