Re: Issue-4

Catching up late:

I agree that this is one of the few areas where the working group can write
a DNT spec without deciding the policy question (or what Aleecia termed a
political question) - should DNT be the default?

From a policy perspective I would argue that DNT should be the default
setting. Clearly many others disagree. However, saying DNT CANNOT be the
default could stand in the way of innovations we hope to see with companies
beginning to compete more on privacy.

On the question of whether a user is choosing DNT by using a browser that
sets DNT as the default - I have no doubt that any browser that set a DNT
default would make it a marketing point, not a secret setting by a software
developer that consumers would not know they were choosing. Were there a
browser that advertised DNT as the default I would switch to it - and
consider that an affirmative choice for DNT.


On 11/8/11 2:43 AM, "Aleecia M. McDonald" <> wrote:

> [I'm reviving a thread that I dropped out of during the preparation before the
> Santa Clara meeting. It may help to review via
> ]
> Hi Jonathan,
> My read is that most people are more comfortable without intermediaries
> modifying DNT signals. As such, I think we're looking for a three-part state
> of on / off / unset. Your clarifying point is well taken, and I see you are
> not arguing for the five states.
> Is there anyone who wants to make the case for five states? If so, let's talk
> it through: I will want to understand what use case or purpose it serves that
> is compelling enough to add complexity. If I see nothing on the mailing list
> and hear nothing on the Wednesday call, I will continue to think that we're
> looking at three-part state.
> Aleecia
> On Oct 26, 2011, at 12:12 PM, Jonathan Mayer wrote:
>> A quick technical clarifying point on this - the DNT protocol could trivially
>> encode whether an option is explicit or implicit.  We could (not saying we
>> should) have five states.
>> - User has expressed no preference and no intermediary has added a preference
>> - User has explicitly opted into tracking
>> - User has explicitly opted out of tracking
>> - User has expressed no preference, but an intermediary has added a preference
>>   indicating opt in to tracking
>> - User has expressed no preference, but an intermediary has added a preference
>>   indicating opt out of tracking
>> Likewise, we could (not saying we should) have corresponding policy for each
>> of the states.  (It appears there's near-consensus that no preferences =
>> governing law trumps, and I suspect there's near-consensus that there should
>> be a very high bar to implicit opt in.)
>> On Oct 26, 2011, at 11:44 AM, Aleecia M. McDonald wrote:
>>> Based on what we discussed in Boston, plus the conference call today, here
>>> is where I think we are for Issue-4:
>>> It is out of scope for the TPWG to decide to make DNT opt-in or opt-out.
>>> That is a purely political question that may be country-by-country. However,
>>> as Roy notes, we need a technical specification that is clear to implement.
>>> What we are trying to support is the idea that DNT decisions may be
>>> implicit. For example, installing a proxy or a specialized
>>> privacy-protective browser is, itself, a user decision for privacy even in
>>> the absence of explicitly understanding that DNT happens to be one of the
>>> mechanisms used. What we are trying to avoid is a case where an ISP tells
>>> advertisers "I'm turning on DNT for all of my users, regardless of their
>>> actual privacy preferences, unless you give me a cut of advertising
>>> revenue." The basic concept here is that DNT is the user's voice, and must
>>> be the user's preference.
>>> Proposed text to react to:
>>> A compliant user agent must offer users a minimum of two choices: on, and
>>> off. When DNT is on, the user agent sends an HTTP header of "DNT: 1". When
>>> DNT is off, the user agent sends an HTTP header of "DNT: 0". If the user has
>>> not expressed a privacy preference, neither the user agent nor any service
>>> may send a DNT header on the user's behalf. For example, neither a browser
>>> nor an ISP may inject "DNT: 1" on behalf of all of their users who have not
>>> selected a choice corresponding to "DNT: 0". However, a user may make a
>>> choice for privacy that then implicitly includes a DNT setting. For example,
>>> a user choosing something like "Privacy settings: high" in a user agent
>>> might include a bundle of responses, including turning on DNT. That is
>>> acceptable. Similarly, users installing a browser plugin that advertises
>>> itself as protecting privacy could also have DNT turned on. Users need not
>>> understand the technical mechanisms for DNT and we do not address user
>>> interface presentation. The basic principle here is that DNT reliably
>>> expresses users' choices.
>>> DNT should only and exactly send a signal of a user's preference. In the
>>> absence of user choice, there must be no DNT signal sent. In some cases
>>> users will not have DNT preferences, including while using older user agents
>>> that do not support DNT. Consequently, services (websites and others) would
>>> be wise to assume some users will not send a DNT expression. In the absence
>>> of regulatory, legal, or other requirements, services are free to interpret
>>> lack of DNT header as they find most appropriate for their users,
>>> particularly in light of users' privacy expectations and cultural
>>> circumstances.
>>> Aleecia

Carmen Balber
Washington Director
Consumer Watchdog
413 E. Capitol St. SE, 1st Floor
Washington, D.C  20003
p:(202) 629-3043

Received on Tuesday, 8 November 2011 19:58:26 UTC