- From: Alan Chapell <achapell@chapellassociates.com>
- Date: Wed, 22 Aug 2012 11:46:39 -0400
- To: "Grimmelmann, James" <James.Grimmelmann@nyls.edu>, "Dobbs, Brooks" <Brooks.Dobbs@kbmg.com>
- CC: "Roy T. Fielding" <fielding@gbiv.com>, Tamir Israel <tisrael@cippic.ca>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
James - Judging by the email thread over the past couple of days, it seems like that phrase is creating some confusion - even amongst the working group. Perhaps we can find a better term for our documents so as not to confuse the marketplace. Perhaps "deliberate choice for the DNT signal"? Cheers, Alan Chapell Chapell & Associates 917 318 8440 On 8/22/12 10:40 AM, "Grimmelmann, James" <James.Grimmelmann@nyls.edu> wrote: >Brooks, > >The language "choice for privacy" has been in the TPE working drafts >since last year. It is there as a way to describe certain kinds of user >actions in configuring a user-agent that can reasonably be understood to >include a "deliberate choice by the user" about a tracking preference. >This reflects the real-world fact that many users who choose to enable >the DNT: 1 header will do so out of a desire for privacy. Thus, a user >agent or extension could offer a more general-purpose privacy setting >"that then implicitly includes a tracking preference." > >Don't worry: I'm not (and I don't think anyone else is) asking the group >to take an official stance on whether widespread DNT use will be good for >privacy or bad for privacy. That's highly contested and highly >subjective. The language shows up in the context of "Determining User >Preference" and that's how I'm reading it: to address the question of >whether IE 10's DNT: 1 signals will reflect deliberate choices by users >about tracking. > >James > >On Aug 22, 2012, at 9:41 AM, "Dobbs, Brooks" <Brooks.Dobbs@kbmg.com> >wrote: > >> James and all, >> >> I think we are moving down the road of making some very dangerous >> assumptions here. We are getting in the habit of referring to sending >>the >> signal DNT: 1 as "a choice for privacy". This is a highly subjective >> statement and not necessarily true. >> >> Choosing DNT: 1 is a signal to an origin server that it must follow the >> rules as established by the compliance doc with all the resulting >> treatments to the UA. This may result in initial outcomes that many >>users >> will see as privacy enhancing. However, it may also channel UAs to >> different website payment schemes (non-ad supported) or move people >> towards advertising tools run by parties with a PII relationship to the >> user who are able to get out of band exceptions; neither would likely to >> be called "a choice for privacy". This is not hypothetical at all. If >>a >> website needs N million dollars a year to provide content and service >>and >> that funding is cut to a third by DNT, they will seek one of those two >> roads, neither of which makes a lot of sense to call "a choice for >> privacy". >> >> Let's keep this conversation where it should be. A "preference" means a >> user's desire for his/her transaction to be processed by the recipient >> server in accordance with the rules established for that signal by the >> compliance doc. If an individual user, with individual use patterns, at >> any given time finds that to be "a choice for privacy" then so it is - >>for >> her. I doubt that the person asked for a credit card or to identify >> himself for an out of band exception to view a previously ad supported >> site will be as cavalier with the word choice. >> >> -Brooks >> >> >> -- >> >> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the >> Wunderman Network >> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com >> brooks.dobbs@kbmg.com >> >> >> >> This email ¡© including attachments ¡© may contain confidential >>information. >> If you are not the intended recipient, >> do not copy, distribute or act on it. Instead, notify the sender >> immediately and delete the message. >> >> >> >> On 8/21/12 10:43 PM, "Grimmelmann, James" <James.Grimmelmann@nyls.edu> >> wrote: >> >>> I disagree; this is far from a "clear" case. Here is the coming IE 10 >>> setup process as described by Microsoft (cutting and pasting a bit): >>> >>> ---- >>> In the Windows 8 set-up experience, customers will be asked to choose >>> between two ways of configuring a number of settings: ©øExpress >>>Settings©÷ >>> or ©øCustomize.©÷ >>> >>> Customers will receive prominent notice that their selection of Express >>> Settings turns DNT ©øon.©÷ In addition, by using the Customize approach, >>> users will be able to independently turn ©øon©÷ and ©øoff©÷ a number of >>> settings, including the setting for the DNT signal. A ©øLearn More©÷ >>>link >>> with detailed information about each recommended setting will help >>> customers decide whether to select Express Settings or Customize. >>> ---- >>> >>> And here is the language from the August 14 TPE draft: >>> >>> ---- >>> The basic principle is that a tracking preference expression is only >>> transmitted when it reflects a deliberate choice by the user. ... >>> >>> A user agent must have a default tracking preference of unset (not >>> enabled) unless a specific tracking preference is implied by the >>>decision >>> to use that agent. ... >>> >>> We do not specify how tracking preference choices are offered to the >>>user >>> or how the preference is enabled: each implementation is responsible >>>for >>> determining the user experience by which a tracking preference is >>> enabled. For example, a user might select a check-box in their user >>> agent's configuration, install an extension or add-on that is >>> specifically designed to add a tracking preference expression, or make >>>a >>> choice for privacy that then implicitly includes a tracking preference >>> (e.g., Privacy settings: high). The user-agent might ask the user for >>> their preference during startup, perhaps on first use or after an >>>update >>> adds the tracking protection feature. >>> ---- >>> >>> There is a plausible argument that selecting Express Settings after >>>being >>> given prominent notice that this will turn DNT on is both a "deliberate >>> choice by the user" and "a choice for privacy that then implicitly >>> includes a tracking preference" that the user-agent "ask[s] the user >>>for >>> ... during startup." And because the user chooses to use Express >>> Settings, there is also a plausible argument that IE 10 will "have a >>> default tracking preference of unset." >>> >>> There are also some plausible counterarguments. For example, it is >>> possible that Microsoft's explanation of the effect of choosing Express >>> Settings will not be clear and prominent enough to make selecting it a >>> "choice for privacy." It is also unclear what the default state of the >>> DNT checkbox will be in "Customize." >>> >>> I'm sure that this is not what many others on the list *intend* the TPE >>> draft to mean, but based on what the draft currently *says*, IE 10's >>> compliance is open to serious debate. >>> >>> James >>> >>> -------------------------------------------------- >>> James Grimmelmann Professor of Law >>> New York Law School (212) 431-2864 >>> 185 West Broadway >>> james.grimmelmann@nyls.edu<mailto:james.grimmelmann@nyls.edu> >>> New York, NY 10013 http://james.grimmelmann.net >>> >>> On Aug 21, 2012, at 9:35 PM, Roy T. Fielding >>> <fielding@gbiv.com<mailto:fielding@gbiv.com>> wrote: >>> >>> On Aug 21, 2012, at 6:01 PM, Tamir Israel wrote: >>> >>> Roy your apache example, as I understood it, applies in clear cases of >>> non-compliance. I don't think there's ever going to be such a clear >>>case >>> as in reality implementations are going to be quite varied and browser >>> sniffing of the kind you're suggesting will lead to browser wars. Case >>>in >>> point: >>> >>> >>>http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/08/07/do >>>-n >>> ot-track-in-the-windows-8-set-up-experience.aspx >>> >>> Which is a clear case of non-compliance. If pre-selecting an >>> option in a dialog box is not sufficient to gain prior consent, >>> then it certainly isn't sufficient to satisfy: >>> >>> "The basic principle is that a tracking preference expression >>> is only transmitted when it reflects a deliberate choice by >>> the user. In the absence of user choice, there is no tracking >>> preference expressed." >>> >>> Browser wars is not a problem I have in HTTP, because of the >>> Apache principle regarding open standards. If you want to change >>> the standard, feel free to make proposals to that effect within >>> the process defined by this WG. Please do not continue this >>> argument about honoring deliberately broken UAs; you are wasting >>> our time, as this WG has even less ability to change Apache's >>>principles >>> than it does to impose implementation of a voluntary standard. >>> >>> ....Roy >>> >>> >> > > >
Received on Wednesday, 22 August 2012 15:47:21 UTC