RE: Concerns regarding "store"-style DNT exceptions Re: Batch closing of issues ISSUE-144 from Mike O'Neill on 2013-02-02 (public-tracking@w3.org from February 2013)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Sat, 2 Feb 2013 11:43:29 -0000
To: "David Singer" <singer@apple.com>, "Jonathan Mayer" <jmayer@stanford.edu>
Cc: "'Walter van Holst'" <walter.van.holst@xs4all.nl>, <public-tracking@w3.org>, <wileys@yahoo-inc.com>, "Ed Felten" <ed@felten.com>
Message-ID: <074001ce013a$860e7b30$922b7190$@baycloud.com>
One more point on this, short of knowing which issue  to thread it on.

 

In the mobile app space the trend is for platforms to ask for explicit permission for location reports and now contact data upload i.e. http://www.theverge.com/2012/2/15/2800338/ios-explicit-permission-address-book-update. Apple have also introduced identifier management with the Advertiser Identifier http://oleb.net/blog/2012/09/udid-apis-in-ios-6/ 

 

The Safari browser now ensure that HTTP POSTS to third-parties must be in an onclick handler context to accept set-cookies headers by default, helping to ensure that the user has explicitly agreed. This latter change was probably a consequence of the recent high profile case involving a large respectable Silicon Valley company, not usually perceived as a “bad actor”.

 

Similarly storeTrackingException  for web-wide exceptions could be constrained to only work if executed within a user click context. 

 

BTW This recent FTC report, mentioned in a post on the W3C Public Privacy list, welcomes innovation in this area and also says some important things about DNT (page 21). 

 

http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf

 

Cheers

 

Mike

 

From: Jonathan Mayer [mailto:jmayer@stanford.edu] 
Sent: 31 January 2013 18:45
To: Shane Wiley
Cc: Walter van Holst; public-tracking@w3.org
Subject: Re: Concerns regarding "store"-style DNT exceptions Re: Batch closing of issues ISSUE-144

 

The objections that Walter, Nick, and I have raised do not turn on "good" or "bad" motives.  They're about consumer trust and economic incentives to provide informed and meaningful choice.

 

I don't see any need for further quarrel on ISSUE-144 (and related).  There have been sustained and "substantiated" objections.  The issues should not be CLOSED.

 

Jonathan

On Thursday, January 31, 2013 at 8:23 AM, Shane Wiley wrote:

Walter,

 

We have a Server status response on EACH page load that reconfirms the Sites perspective.  For example, if the UA sends DNT:1, the Server can respond with a status that it has prior consent from the user.  It’s because of this per page status model, that I feel strongly front loading the exception process is the wrong path for the standard.

 

Both in the exception setting process and in the per page status response everyone will have the opportunity to “catch bad actors”.  Let’s not drag down the standard for good actors since checks and balances are already in place.

 

- Shane

 

From: Walter van Holst [mailto:walter.van.holst@xs4all.nl] 
Sent: Thursday, January 31, 2013 8:40 AM
To: public-tracking@w3.org
Subject: Re: Concerns regarding "store"-style DNT exceptions Re: Batch closing of issues ISSUE-144

 

On 1/31/13 4:30 PM, Shane Wiley wrote:

 

Thank you for the thoughtful exploration of incentives for allowing exception setting from Servers.  I thought we as a working group had originally agreed that if a Site has collected out-of-band (OOB) consent from a user, that they could proactively store this in the UA for appropriate relay on subsequent interactions.  Weren’t you supportive of that position?  If so, I’m curious how this process changes that?  

 

There is little incentive for Sites to adopt DNT if direct consent mechanisms are second questioned by the UA as they will not be able to relay the context and value exchange messaging in which the consent was originally captured (basically, a Site would be opening up its direct consent with users to a UA confirmation).  As each exception transaction is recorded, it is readily available for advocates and regulators to interrogate for appropriate processing and informed consent.  This continues to be an exercise in burdening the rest of the ecosystem to attempt to weed out bad actors that will likely not implement DNT in the first place.  The edge cases you’ve explored are just that – edge cases – and we should avoid developing remedies to those situations at the cost of the entire standard.

 

There is a chain of dependencies within the Site, UA, and User ecosystem to develop trust in DNT.  The first step is that each party desire implementing the standard in the first place.  If very few Sites implement DNT in the first place, then User trust will not develop.  I believe we’ll see self-regulation step up globally to wipe out the edge-cases you’ve outlined.

 

I would ask the working group to continue to avoid overburdening and disintermediating Sites from their Users in this standard.  The current proposal for allowing Sites to register user granted exceptions in the UA is the right course, is supported by many/most in the working group, and will drive higher adoption of the DNT standard – the first step needed to drive User trust in the utility and confidence in DNT.

 



Let's agree that user trust is paramount. Users will not trust DNT if a site can claim OOB consent without the browser at least indicating such claim. I am not asking for additonal dialogs, merely that the UA indicates the level of trust granted to the various parties.

And yes, I am aware that DNT is based on trust on the good faith of servers. I do not think that trust is nurtured by a standard that requires no indication to users of discrepancies between their browser settings and actual behaviour, even in good faith, of a server, where it can be reasonably detected by the UA. I concur with Nick that this would cast doubt on the meaning of the signal.

Regards,

 Walter
Received on Saturday, 2 February 2013 11:44:01 UTC