- From: Eyal Sela (ISOC-IL) <eyal@isoc.org.il>
- Date: Wed, 29 Feb 2012 11:13:35 +0200
- To: "Aleecia M. McDonald" <aleecia@aleecia.com>
- Cc: public-privacy@w3.org
- Message-ID: <CAMb6=s3+0uEy7=q7UOyykPHtDp2exTxe19fsnChnca=YWNd0bQ@mail.gmail.com>
Thanks a lot! I asked because I had been asked that questions a few times, and also because I'm writing about DNT on the Israeli W3C website. Best regards, אייל סלע | מנהל פרויקטים, הועדה הטכנולוגית ומשרד ה-W3C הישראלי | איגוד האינטרנט הישראלי | www.isoc.org.il | www.w3c.org.il Eyal Sela | Project Manager, Technology Committee & the Israeli W3C office | Israel Internet Association (ISOC-IL) | www.isoc.org.il | www.w3c.org.il *עדכונים שוטפים על כל פעילויות האיגוד: באתר הפעילויות <http://j.mp/zKPrrF> או ב-RSS <http://j.mp/wsxWwa> On Tue, Feb 28, 2012 at 19:05, Aleecia M. McDonald <aleecia@aleecia.com>wrote: > Hi Eyal (and all), > > A great question. When DNT is nailed down, that would make a very nice > paper. For the moment, let me just hit a few highlights: > > - DNT is not finished, but it has a few parts that should remain stable. > - Sending DNT:1 from a user agent (Firefox, IE, Safari, soon Opera & > Chrome) is a user request for privacy. It is, first and foremost, a > communications signal about user intent. This is the big difference between > DNT and anything else, and the hardest one for users and others to get. DNT > does not block cookies, delete cookies, or prevent advertising. > - Any service that responds to a DNT signal (either by replying with > another HTTP header, or a response in a well-known location) is attesting > that they follow at least the minimum privacy protections set out in the > W3C specification. These could look something like third parties do no data > collection or use, except as to support fraud prevention and billing for > ads. [Real life will be more complicated; I'm trying to give the direction > simply.] In some cases, companies may stop setting cookies, delete their > cookies, or show different types of ads (contextual not behavioral, for > example.) See > http://blog.mozilla.com/privacy/2011/09/08/mozilla-publishes-developer-guide-on-dnt-releases-dnt-adoption-numbers/ for > the developer guide, which details how some of the early (pre-standard) DNT > implementations work in practice today. > - DNT requires users to trust companies. As we've seen, that can go > wrong. On the other hand, companies can no longer say "oh, we thought we > were helping when we restored HTTP cookies by duplicating them in LSOs and > restoring them." -- users are going on record that they affirmatively want > privacy, rather than the benefits of personalization. The FTC has announced > they will enforce DNT, so there are teeth there in the US. > - Right this minute, DNT is all or nothing for all sites. That's > changing, so users can say "DNT for everyone else, but I trust W3C, it's ok > for them." > > - P3P is a machine-readable representation of a company's privacy policy, > encoded in XML. When a company creates a P3P policy, they attest that they > follow the practices they publish. It is highly expressive, and does a good > job of capturing the sorts of statements companies typically make in their > privacy policies. It is also extensible if companies want to assert things > that were not envisioned in the original P3P schema. P3P policies and human > readable privacy policies should contain the same content. See > http://www.w3.org/TR/P3P11/ for the P3P specification. > - Back in the day of dial up modems and the "browser wars," when > dinosaurs roamed the earth, Microsoft was concerned that parsing a page of > XML would slow page loads down. Enter Compact Policies (CPs.) CPs are a > subset of full P3P policies and pertain just to the company's cookie > practices. Companies set half a dozen three- or four-letter tokens that > encode their cookie policies. > - Internet Explorer lets users block entirely or limit the lifespan of > cookies based on companies CPs. If users don't care for a site's practices, > they can automagically reject cookies. With preferences in Internet > Explorer, users can set what they do and do not want to accept for CP > policies. > - P3P CPs do not require users' trust. However, they also are not a > statement of user intent. Right now we see companies skirting CPs by > creating nonsense policies (for a while Facebook sent the token "HONK" > which most assuredly has nothing to do with valid CP tokens) which are not > blocked. My early guess is that it will be easier for companies to do bad > things under DNT, but far harder on them once they get caught at it. > > If you're asking out of personal curiosity, I hope this is adequate. If > for some other use, please let me know what you are looking for and I'll > try to help. You might (or might not) also be interested in Tracking > Protection Lists. > > Aleecia > (co-chair of DNT spec; PhD advisor was Lorrie Faith Cranor who chaired the > P3P spec; speaking only for myself and not Mozilla, Stanford, or W3C) > > > On Feb 28, 2012, at 4:36 AM, Eyal Sela (ISOC-IL) wrote: > > What are the main differences and so on? > > Thanks, > > Eyal. > > > >
Received on Wednesday, 29 February 2012 09:14:41 UTC