RE: ACTION-152 - Write up logged-in-means-out-of-band-consent from Shane Wiley on 2012-04-02 (public-tracking@w3.org from April 2012)

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Mon, 2 Apr 2012 12:46:50 -0700
To: Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>
CC: David Singer <singer@apple.com>
Message-ID: <63294A1959410048A33AEE161379C8023D1171CB34@SP2-EX07VS02.ds.corp.yahoo.com>

Rigo,

My "Yay" was for the minor victory - not the larger one.  :-)

That said, I'm finding more consensus here (I believe) as all of my comments to this point where with the expectation that either the response header and/or well-known URI were in place to provide further "clear and prominent" notice to the user where their DNT header is or is not being applied (prominence decided by the web browser vendors).

If we agree that any party that believes it has out-of-band consent must state as such in either the response header or the well-known URI (approach to be decided upon) and that this meets the conditions of compliance with DNT - then I believe we're in a good place and this would allow us to avoid the longer debate around "appropriate consent" mechanisms.

Thoughts?

- Shane

-----Original Message-----
From: Rigo Wenning [mailto:rigo@w3.org] 
Sent: Monday, April 02, 2012 12:39 PM
To: public-tracking@w3.org
Cc: David Singer; Shane Wiley
Subject: Re: ACTION-152 - Write up logged-in-means-out-of-band-consent

On Monday 02 April 2012 11:30:15 David Singer wrote:
> But we are left with the question of defining what the user needs to give
> consent to, and how much consent may reasonably be bundled. That's a
> description of our protocol.

And that's why I believe the YAY of Shane was a bit early. And this exactly 
what JC was suggesting. 

David, the lack of precision of "give consent" is creating a pseudo 
consensus IMHO. We have to be more concrete. Shane said, the service would 
declare if it honors DNT even though the user is logged-in. This hints to 
the fact that we have to agree on the response headers. So if a service 
tracks because it believes it has an agreement (I heard Shane telling that 
story in Brussels) it can either say: DNT is off, you're logged-in/consented 
Or the service can say: We accept your DNT=1 and the compliance spec would 
specify what JC suggested for that case. 

But at least, there is no misunderstanding that people believe DNT=1 while 
Services send DNT=ack and track anyway because of some privacy policy 
meaning in section 178. It would also solve my use case with the forgotten 
login-cookie as the browser would recognize the tracking in the response 
header. So I think this is a viable way out. Shane?

Rigo

Received on Monday, 2 April 2012 19:47:42 UTC