Re: action-231, issue-153 requirements on other software that sets DNT headers

James - 

Judging by the email thread over the past couple of days, it seems like
that phrase is creating some confusion - even amongst the working group.
Perhaps we can find a better term for our documents so as not to confuse
the marketplace.

Perhaps "deliberate choice for the DNT signal"?


Alan Chapell
Chapell & Associates
917 318 8440

On 8/22/12 10:40 AM, "Grimmelmann, James" <>

>The language "choice for privacy" has been in the TPE working drafts
>since last year.  It is there as a way to describe certain kinds of user
>actions in configuring a user-agent that can reasonably be understood to
>include a "deliberate choice by the user" about a tracking preference.
>This reflects the real-world fact that many users who choose to enable
>the DNT: 1 header will do so out of a desire for privacy.  Thus, a user
>agent or extension could offer a more general-purpose privacy setting
>"that then implicitly includes a tracking preference."
>Don't worry: I'm not (and I don't think anyone else is) asking the group
>to take an official stance on whether widespread DNT use will be good for
>privacy or bad for privacy.  That's highly contested and highly
>subjective.  The language shows up in the context of "Determining User
>Preference" and that's how I'm reading it: to address the question of
>whether IE 10's DNT: 1 signals will reflect deliberate choices by users
>about tracking.
>On Aug 22, 2012, at 9:41 AM, "Dobbs, Brooks" <>
>> James and all,
>> I think we are moving down the road of making some very dangerous
>> assumptions here.  We are getting in the habit of referring to sending
>> signal DNT: 1 as "a choice for privacy".  This is a highly subjective
>> statement and not necessarily true.
>> Choosing DNT: 1 is a signal to an origin server that it must follow the
>> rules as established by the compliance doc with all the resulting
>> treatments to the UA.  This may result in initial outcomes that many
>> will see as privacy enhancing.  However, it may also channel UAs to
>> different website payment schemes (non-ad supported) or move people
>> towards advertising tools run by parties with a PII relationship to the
>> user who are able to get out of band exceptions; neither would likely to
>> be called "a choice for privacy".  This is not hypothetical at all.  If
>> website needs N million dollars a year to provide content and service
>> that funding is cut to a third by DNT, they will seek one of those two
>> roads, neither of which makes a lot of sense to call "a choice for
>> privacy".  
>> Let's keep this conversation where it should be.  A "preference" means a
>> user's desire for his/her transaction to be processed by the recipient
>> server in accordance with the rules established for that signal by the
>> compliance doc.  If an individual user, with individual use patterns, at
>> any given time finds that to be "a choice for privacy" then so it is -
>> her.  I doubt that the person asked for a credit card or to identify
>> himself for an out of band exception to view a previously ad supported
>> site will be as cavalier with the word choice.
>> -Brooks    
>> -- 
>> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the
>> Wunderman Network
>> (Tel) 678 580 2683 | (Mob) 678 492 1662 |
>> This email ¡© including attachments ¡© may contain confidential
>> If you are not the intended recipient,
>> do not copy, distribute or act on it. Instead, notify the sender
>> immediately and delete the message.
>> On 8/21/12 10:43 PM, "Grimmelmann, James" <>
>> wrote:
>>> I disagree; this is far from a "clear" case.  Here is the coming IE 10
>>> setup process as described by Microsoft (cutting and pasting a bit):
>>> ----
>>> In the Windows 8 set-up experience, customers will be asked to choose
>>> between two ways of configuring a number of settings: ©øExpress
>>> or ©øCustomize.©÷
>>> Customers will receive prominent notice that their selection of Express
>>> Settings turns DNT ©øon.©÷ In addition, by using the Customize approach,
>>> users will be able to independently turn ©øon©÷ and ©øoff©÷ a number of
>>> settings, including the setting for the DNT signal.  A ©øLearn More©÷
>>> with detailed information about each recommended setting will help
>>> customers decide whether to select Express Settings or Customize.
>>> ----
>>> And here is the language from the August 14 TPE draft:
>>> ----
>>> The basic principle is that a tracking preference expression is only
>>> transmitted when it reflects a deliberate choice by the user. ...
>>> A user agent must have a default tracking preference of unset (not
>>> enabled) unless a specific tracking preference is implied by the
>>> to use that agent. ...
>>> We do not specify how tracking preference choices are offered to the
>>> or how the preference is enabled: each implementation is responsible
>>> determining the user experience by which a tracking preference is
>>> enabled. For example, a user might select a check-box in their user
>>> agent's configuration, install an extension or add-on that is
>>> specifically designed to add a tracking preference expression, or make
>>> choice for privacy that then implicitly includes a tracking preference
>>> (e.g., Privacy settings: high). The user-agent might ask the user for
>>> their preference during startup, perhaps on first use or after an
>>> adds the tracking protection feature.
>>> ----
>>> There is a plausible argument that selecting Express Settings after
>>> given prominent notice that this will turn DNT on is both a "deliberate
>>> choice by the user" and "a choice for privacy that then implicitly
>>> includes a tracking preference" that the user-agent "ask[s] the user
>>> ... during startup."  And because the user chooses to use Express
>>> Settings, there is also a plausible argument that IE 10 will "have a
>>> default tracking preference of unset."
>>> There are also some plausible counterarguments.  For example, it is
>>> possible that Microsoft's explanation of the effect of choosing Express
>>> Settings will not be clear and prominent enough to make selecting it a
>>> "choice for privacy."  It is also unclear what the default state of the
>>> DNT checkbox will be in "Customize."
>>> I'm sure that this is not what many others on the list *intend* the TPE
>>> draft to mean, but based on what the draft currently *says*, IE 10's
>>> compliance is open to serious debate.
>>> James
>>> --------------------------------------------------
>>> James Grimmelmann              Professor of Law
>>> New York Law School                 (212) 431-2864
>>> 185 West Broadway
>>> New York, NY 10013
>>> On Aug 21, 2012, at 9:35 PM, Roy T. Fielding
>>> <<>> wrote:
>>> On Aug 21, 2012, at 6:01 PM, Tamir Israel wrote:
>>> Roy your apache example, as I understood it, applies in clear cases of
>>> non-compliance. I don't think there's ever going to be such a clear
>>> as in reality implementations are going to be quite varied and browser
>>> sniffing of the kind you're suggesting will lead to browser wars. Case
>>> point:
>>> ot-track-in-the-windows-8-set-up-experience.aspx
>>> Which is a clear case of non-compliance.  If pre-selecting an
>>> option in a dialog box is not sufficient to gain prior consent,
>>> then it certainly isn't sufficient to satisfy:
>>> "The basic principle is that a tracking preference expression
>>>  is only transmitted when it reflects a deliberate choice by
>>>  the user. In the absence of user choice, there is no tracking
>>>  preference expressed."
>>> Browser wars is not a problem I have in HTTP, because of the
>>> Apache principle regarding open standards.  If you want to change
>>> the standard, feel free to make proposals to that effect within
>>> the process defined by this WG.  Please do not continue this
>>> argument about honoring deliberately broken UAs; you are wasting
>>> our time, as this WG has even less ability to change Apache's
>>> than it does to impose implementation of a voluntary standard.
>>> ....Roy

Received on Wednesday, 22 August 2012 15:47:21 UTC