RE: ACTION-152 - Write up logged-in-means-out-of-band-consent

Justin,

I’ve shared this example in the past as it goes to the heart of the issues I see here: MyBlogLog

“MyBlogLog” (now defunct) allowed blog owners and readers to paste a widget on their blog and then future visitors to the blog would see who else had visited the blog (basically a “readers list”).  The entire nature of the product was to recognize the user off of the Y! O&O and we expressed this to users during the registration process – (for example, “This product will do X, Y, Z” – all of which reinforced this recognition).  We did not have a “check-box” for this tracking, as this was a requirement of the product and fundamental to its nature.  If Yahoo! were to state support for the W3C DNT standard once it’s completed and MBL still existed, I would reiterate in the MyBlogLog privacy policy that this product is expressly for the purpose of recognizing them at blog sites that have the MBL widget and that we would not honor the DNT signal.  We would similarly reply appropriately in all header responses/well-known URIs where the request carried a DNT:1 that we were ignoring the user’s DNT signal due to an out-of-band consent (and hopefully be able to provide instructions to the user on how to log out or remove support for MBL if they desired).

Hopefully the header response/well-known URI in this context meets your “clear and prominent” bar.

- Shane

From: Justin Brookman [mailto:jbrookman@cdt.org]
Sent: Monday, April 02, 2012 1:01 PM
To: public-tracking@w3.org
Subject: RE: ACTION-152 - Write up logged-in-means-out-of-band-consent

I continue to think that logged-in state should be irrelevant, and that whoever wants to get permission to track despite a DNT signal should have to do so pursuant to clear and prominent notice.

Shane, just so I understand your view of the logged-in/out-of-band consent exception, walk me through how it would apply to Yahoo!  Yahoo! will publicly state that they are W3C/DNT compliant, but for people who register for Yahoo! mail, Yahoo! could reserve the right to ignore the header within a terms of service agreement for Yahoo! third-party ads.  If that's your vision, it seems like a perverse result that would seriously compromise the value of the DNT setting, but perhaps I am misunderstanding you.  If that's not your vision, please tell me how the spec would avoid such a scenario.

Sent via mobile, please excuse curtness and typos


-----Original message-----
From: Shane Wiley <wileys@yahoo-inc.com>
To: Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Cc: David Singer <singer@apple.com>
Sent: Mon, Apr 2, 2012 19:48:33 GMT+00:00
Subject: RE: ACTION-152 - Write up logged-in-means-out-of-band-consent

Rigo,

My "Yay" was for the minor victory - not the larger one. :-)

That said, I'm finding more consensus here (I believe) as all of my comments to this point were with the expectation that either the response header and/or well-known URI were in place to provide further "clear and prominent" notice to the user where their DNT header is or is not being applied (prominence decided by the web browser vendors).

If we agree that any party that believes it has out-of-band consent must state as such in either the response header or the well-known URI (approach to be decided upon) and that this meets the conditions of compliance with DNT - then I believe we're in a good place and this would allow us to avoid the longer debate around "appropriate consent" mechanisms.

Thoughts?

- Shane

-----Original Message-----
From: Rigo Wenning [mailto:rigo@w3.org]
Sent: Monday, April 02, 2012 12:39 PM
To: public-tracking@w3.org
Cc: David Singer; Shane Wiley
Subject: Re: ACTION-152 - Write up logged-in-means-out-of-band-consent

On Monday 02 April 2012 11:30:15 David Singer wrote:
> But we are left with the question of defining what the user needs to give
> consent to, and how much consent may reasonably be bundled. That's a
> description of our protocol.

And that's why I believe the YAY of Shane was a bit early. And this is exactly
what JC was suggesting.

David, the lack of precision of "give consent" is creating a pseudo
consensus IMHO. We have to be more concrete. Shane said, the service would
declare if it honors DNT even though the user is logged-in. This hints to
the fact that we have to agree on the response headers. So if a service
tracks because it believes it has an agreement (I heard Shane telling that
story in Brussels) it can either say: DNT is off, you're logged-in/consented
Or the service can say: We accept your DNT=1 and the compliance spec would
specify what JC suggested for that case.

But at least, there is no misunderstanding that people believe DNT=1 while
Services send DNT=ack and track anyway because of some privacy policy
meaning in section 178. It would also solve my use case with the forgotten
login-cookie as the browser would recognize the tracking in the response
header. So I think this is a viable way out. Shane?

Rigo
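The exchange discussed in this thread, as an added example that is not part of the original messages: a server answering a DNT:1 request with a statement of whether it is honoring the signal or tracking under out-of-band consent (Shane's MyBlogLog case), and the browser side that Rigo describes, where the response header lets the client recognise the tracking. It uses the Tk response header, the /.well-known/dnt/ tracking status resource, the application/tracking-status+json media type and the status values N, T, C and D as later published in the W3C Tracking Preference Expression specification, which the thread at this point had not yet settled on; the session table, consent records and URL paths are constructed for the example.

```python
import json

# Constructed sample data (not from the thread): session cookies mapped to
# user ids, and the users who registered for a product whose stated purpose
# is cross-site recognition, i.e. the out-of-band consent record Shane describes.
SESSIONS = {"sess-abc": "reader-42", "sess-xyz": "reader-77"}
OOB_CONSENT = {"reader-42"}

# Tracking status values as later defined in the W3C TPE spec (assumption:
# the thread predates them).  N = not tracking, T = tracking, C = tracking
# under out-of-band consent, D = disregarding the signal.
NOT_TRACKING, TRACKING, CONSENT, DISREGARD = "N", "T", "C", "D"
WELL_KNOWN = "/.well-known/dnt/"


def _lower(headers):
    """Header names are case-insensitive; normalise once."""
    return {k.lower(): v for k, v in headers.items()}


def logged_in_user(headers):
    """Resolve the session cookie to a user id, or None if not logged in."""
    for part in _lower(headers).get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(value)
    return None


def tracking_status(headers):
    """Return the Tk value for a request.

    The decision key is the consent record, not the logged-in state by
    itself: a logged-in user with no consent record still has DNT honoured.
    """
    h = _lower(headers)
    if h.get("dnt") != "1":
        return TRACKING          # no preference expressed; normal policy applies
    if logged_in_user(h) in OOB_CONSENT:
        return CONSENT           # DNT:1 overridden by the product's stated purpose
    return NOT_TRACKING          # DNT:1 honoured


def tracking_status_resource(headers):
    """JSON body for the well-known URI.  When tracking under consent, point
    the user at where the consent can be withdrawn (log out / remove the
    widget); the paths are constructed for the example."""
    tk = tracking_status(headers)
    body = {"tracking": tk, "policy": "/privacy"}
    if tk == CONSENT:
        body["config"] = "/account/tracking"
    return body


def respond(path, headers):
    """Minimal server: every response carries Tk; the well-known URI also
    returns the tracking status resource as JSON."""
    tk = tracking_status(headers)
    if path != WELL_KNOWN:
        return 200, {"Tk": tk}, ""
    return (200,
            {"Tk": tk, "Content-Type": "application/tracking-status+json"},
            json.dumps(tracking_status_resource(headers)))


def browser_should_flag(request_headers, response_headers):
    """Client side of Rigo's point: the browser sent DNT:1 and the response
    admits tracking anyway, so the UI can surface that to the user."""
    sent = _lower(request_headers).get("dnt") == "1"
    tk = _lower(response_headers).get("tk")
    return sent and tk in (TRACKING, CONSENT, DISREGARD)


if __name__ == "__main__":
    for cookie in ("session=sess-abc", "session=sess-xyz", ""):
        req = {"DNT": "1", "Cookie": cookie}
        status, hdrs, body = respond(WELL_KNOWN, req)
        print(cookie or "(anonymous)", "->", hdrs["Tk"], body,
              "flag" if browser_should_flag(req, hdrs) else "ok")
```

The point of separating `tracking_status` from the session lookup is that being logged in is not by itself the consent: only the user who registered for the recognition product gets a `C`, while another logged-in user and an anonymous visitor both get `N`, and in every case the answer is visible to the client in the same response.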

Received on Monday, 2 April 2012 20:26:02 UTC