W3C home > Mailing lists > Public > public-tracking@w3.org > August 2012

Re: action-231, issue-153 requirements on other software that sets DNT headers

From: Grimmelmann, James <James.Grimmelmann@nyls.edu>
Date: Wed, 22 Aug 2012 02:43:50 +0000
To: "Roy T. Fielding" <fielding@gbiv.com>
CC: Tamir Israel <tisrael@cippic.ca>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <E3DB6875-B0A9-4B1A-9D5F-840710AFEB11@nyls.edu>
I disagree; this is far from a "clear" case.  Here is the coming IE 10 setup process as described by Microsoft (cutting and pasting a bit):

----
In the Windows 8 set-up experience, customers will be asked to choose between two ways of configuring a number of settings: “Express Settings” or “Customize.”

Customers will receive prominent notice that their selection of Express Settings turns DNT “on.” In addition, by using the Customize approach, users will be able to independently turn “on” and “off” a number of settings, including the setting for the DNT signal.  A “Learn More” link with detailed information about each recommended setting will help customers decide whether to select Express Settings or Customize.
----

And here is the language from the August 14 TPE draft:

----
The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. ...

A user agent must have a default tracking preference of unset (not enabled) unless a specific tracking preference is implied by the decision to use that agent. ...

We do not specify how tracking preference choices are offered to the user or how the preference is enabled: each implementation is responsible for determining the user experience by which a tracking preference is enabled. For example, a user might select a check-box in their user agent's configuration, install an extension or add-on that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., Privacy settings: high). The user-agent might ask the user for their preference during startup, perhaps on first use or after an update adds the tracking protection feature.
----

There is a plausible argument that selecting Express Settings after being given prominent notice that this will turn DNT on is both a "deliberate choice by the user" and "a choice for privacy that then implicitly includes a tracking preference" that the user-agent "ask[s] the user for ... during startup."  And because the user chooses to use Express Settings, there is also a plausible argument that IE 10 will "have a default tracking preference of unset."

There are also some plausible counterarguments.  For example, it is possible that Microsoft's explanation of the effect of choosing Express Settings will not be clear and prominent enough to make selecting it a "choice for privacy."  It is also unclear what the default state of the DNT checkbox will be in "Customize."

I'm sure that this is not what many others on the list *intend* the TPE draft to mean, but based on what the draft currently *says*, IE 10's compliance is open to serious debate.

James

--------------------------------------------------
James Grimmelmann              Professor of Law
New York Law School                 (212) 431-2864
185 West Broadway       james.grimmelmann@nyls.edu<mailto:james.grimmelmann@nyls.edu>
New York, NY 10013    http://james.grimmelmann.net

On Aug 21, 2012, at 9:35 PM, Roy T. Fielding <fielding@gbiv.com<mailto:fielding@gbiv.com>> wrote:

On Aug 21, 2012, at 6:01 PM, Tamir Israel wrote:

Roy your apache example, as I understood it, applies in clear cases of non-compliance. I don't think there's ever going to be such a clear case as in reality implementations are going to be quite varied and browser sniffing of the kind you're suggesting will lead to browser wars. Case in point:

http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/08/07/do-not-track-in-the-windows-8-set-up-experience.aspx

Which is a clear case of non-compliance.  If pre-selecting an
option in a dialog box is not sufficient to gain prior consent,
then it certainly isn't sufficient to satisfy:

  "The basic principle is that a tracking preference expression
   is only transmitted when it reflects a deliberate choice by
   the user. In the absence of user choice, there is no tracking
   preference expressed."

Browser wars is not a problem I have in HTTP, because of the
Apache principle regarding open standards.  If you want to change
the standard, feel free to make proposals to that effect within
the process defined by this WG.  Please do not continue this
argument about honoring deliberately broken UAs; you are wasting
our time, as this WG has even less ability to change Apache's principles
than it does to impose implementation of a voluntary standard.

....Roy
Received on Wednesday, 22 August 2012 02:44:55 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:38:54 UTC