Re: Summary of compliance issues raised

Yesterday on the call, I agreed to explain my offhand comment against
Bjoern's complaint that the current definition makes users third
parties. My suggestion would look something like this:

- Section 3.1 is unchanged.
- A new section 3.2 reads:

> The user, and the direct agents they use to access the web, are the
> second party.

- The current 3.2 becomes a new 3.3, and the first sentence of 3.3 is
changed to read:

> A third party is anyone other than a first or second party as defined
> above.

On 10/26/2011 01:14 AM, Aleecia M. McDonald wrote:
> Greetings,
> 
> Here is what I have seen on the mailing list for the compliance spec so far as of 1 am pacific, ordered by section number. I will take these as the starting point for discussion on the call tomorrow. Feel free to continue discussions on the mailing list -- I'm just trying to keep it all organized so we can go through sensibly. 
> 
> 	- Global
> 	   Thread name: "Comments on tracking-compliance.html"
> 		Bjoern Hoehrmann strongly dislikes "consumer" and prefers "citizen" 
> 		Roy Fielding disagrees but prefers "user"
> 		Aleecia McDonald notes there are cultural elements
> 
> 	   Thread name: "Comments on tracking-compliance.html"
> 		Bjoern Hoehrmann finds the phrase "behavioral tracking" redundant
> 		Justin Brookman points to the definition in section 3.4
> 		Bjoern is unmoved and finds all tracking to be behavioral tracking
> 
> 	- Section 2.1
> 	  Thread name: "Comments on tracking-compliance.html"
> 		Bjoern Hoehrmann questions if the Internet does require the exchange of data across servers and gives counter-examples. 
> 		Bjoern also does not think the section addresses what people are concerned about / afraid of.
> 
> 	- Section 3.2
> 	  Thread name: "Comments on tracking-compliance.html"
> 		Bjoern Hoehrmann notes that if a third party is anyone but a first party, that makes users third parties too.
> 		
> 		Bjoern suggests we not attempt to define consent, since there are varied legal definitions.
> 		Justin Brookman finds the legal definitions are often too vague for implementation, but perhaps we need a different phrase like "affirmative informed consent" so as not to collide with the legal phrase.
> 		Bjoern essentially seems to think we shall do no better than the versions of "consent" already in law, so we should not get into it  /* Quite a bit of simplification here */
> 
> 	- Section 4.2
> 	  Thread name: "Comments on tracking-compliance.html"
> 		Bjoern Hoehrmann raises the concern that stating only users can set DNT header status might suggest other HTTP headers may be modified by other parties, which he disagrees with. Instead, he proposes "intermediary compliance"
> 
> 	- Section 6.1
> 	  Thread name: "Propose to drop from the strawman: ISSUE-93"
> 		David Wainberg suggests that the question of "Should 1st parties be able to degrade a user experience or charge money for content based on DNT" is out of scope, joined by Karl Dubost and Amy Colando.
> 		Jules Polonetsky offered use cases of different services that might benefit users, not harm them.
> 		Jonathan Mayer is fine with an outcome that first parties can degrade service, but ok with deciding on the basis that the discussion is out of scope, which he thinks it is not.
> 		Nick thinks it is in scope and ties to issue-59 and the history of issue-93.
> 		Aleecia notes we do not need to resolve the scope issue, but can document it and move on for now.
> 
> 	- Section 6.2
> 	  Thread name: "Comments on tracking-compliance.html"
> 		Bjoern Hoehrmann prefers saying DNT does not affect other mechanisms, or that interaction with other mechanisms is out of scope, to his reading that this section says people must comply with their promises.
> 		
> 	- Section 6.4
> 	  Thread name: "Propose to drop from the strawman: requirement for privacy policy  disclosure"
> 		David Wainberg believes we should not call for assertions of DNT compliance in privacy policies, as out of scope and beyond our authority
> 		Björn Höhrmann does not see privacy policy requirements as being beyond our authority to request
> 		Justin Brookman thinks verifiability and standardized user communication are important but might perhaps happen via header response

Received on Thursday, 27 October 2011 19:27:00 UTC