- From: Rob van Eijk <rob@blaeu.com>
- Date: Wed, 22 Aug 2012 23:01:06 +0200
- To: <public-tracking@w3.org>

Dobbs, I follow your conclusion that the question is not IF, but HOW to
continue the online ad ecosystem. It underlines the disbalance. If only the
current web functioned in such a way that a casual user would even have a
choice to prevent being tagged by not visiting a donut shop. With innovating
services like real time bidding and e-scoring gaining momentum, it doesn't
matter where a user goes online for shopping. The casual user will often get
the same unique tags anyway.

Circling back to the requirements on other software that sets DNT headers, I
would like to table an additional text proposal.

Proposal (changes in CAPITAL):

Change the existing paragraph in the TPE spec to:

A user agent MAY EITHER have a default tracking preference of unset (not
enabled) OR MAY HAVE A DEFAULT TRACKING PREFERENCE OF SET (ENABLED). IN CASE
OF A DEFAULT OF SET (ENABLED), IT IS UP TO THE USER AGENT TO ACCURATELY
REFLECT THE USER'S INTENT DURING INSTALLATION AND UPDATE. A USER AGENT MUST
THEREFORE NOT HAVE A DEFAULT TRACKING PREFERENCE OF SET (ENABLED) WITHOUT
CONSULTING THE USER.

A user agent extension or add-on must not alter the tracking preference
unless the act of installing and enabling that extension or add-on is an
explicit choice by the user for that tracking preference. IT IS UP TO THE
USER AGENT EXTENSION OR ADD-ON TO ACCURATELY REFLECT THE USER'S INTENT DURING
INSTALLATION AND UPDATE. A USER AGENT EXTENSION OR ADD-ON MUST THEREFORE NOT
HAVE A DEFAULT TRACKING PREFERENCE OF SET (ENABLED) WITHOUT CONSULTING THE
USER.

Rob

Dobbs, Brooks wrote on 2012-08-22 20:58:

> Tamir,
>
> I again note that DNT: 1 is NOT a preference FOR privacy. It is a
> preference that a recipient server will process data in accordance with
> the compliance spec as required by the signal. The net impact of the
> server's behavior may or may not on the whole be more or less privacy
> protective for the individual concerned.
> A user may reasonably conclude that DNT: 0 or unset is likely to have a
> better net impact on privacy. Being asked for OOB exception or a
> micropayment for content may not, in many reasonable minds, be privacy
> enhancing.
>
> I am not being pedantic here. We must be conscious that we aren't
> discussing IF ad supported websites will continue to be funded but HOW.
> If a donut store offers you "free" donuts for giving their advertising
> sponsors your IP address and cookie as you wait in line but then is
> required by protocol not to collect those things, you may expect the shop
> will ask you for a credit card when you get to the register (or they'll
> close).
>
> -Brooks
>
> --
>
> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the
> Wunderman Network
> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
> brooks.dobbs@kbmg.com
>
> This email including attachments may contain confidential information.
> If you are not the intended recipient, do not copy, distribute or act on
> it. Instead, notify the sender immediately and delete the message.
>
> On 8/22/12 2:09 PM, "Tamir Israel" <tisrael@cippic.ca> wrote:
>
>> I don't think the terminology is inappropriate. Within the context of
>> 'expressing an individual's choice', an individual selection of DNT-1 is
>> expressive of that individual's preference for privacy, not of any
>> broader social impact on global privacy that may or may not result from
>> that choice.
>>
>> This seems right to me.
>>
>> Best,
>> Tamir
>>
>> On 8/22/2012 11:46 AM, Alan Chapell wrote:
>>> James -
>>>
>>> Judging by the email thread over the past couple of days, it seems like
>>> that phrase is creating some confusion - even amongst the working group.
>>> Perhaps we can find a better term for our documents so as not to confuse
>>> the marketplace.
>>>
>>> Perhaps "deliberate choice for the DNT signal"?
>>>
>>> Cheers,
>>>
>>> Alan Chapell
>>> Chapell & Associates
>>> 917 318 8440
>>>
>>> On 8/22/12 10:40 AM, "Grimmelmann, James" <James.Grimmelmann@nyls.edu>
>>> wrote:
>>>
>>>> Brooks,
>>>>
>>>> The language "choice for privacy" has been in the TPE working drafts
>>>> since last year. It is there as a way to describe certain kinds of user
>>>> actions in configuring a user-agent that can reasonably be understood to
>>>> include a "deliberate choice by the user" about a tracking preference.
>>>> This reflects the real-world fact that many users who choose to enable
>>>> the DNT: 1 header will do so out of a desire for privacy. Thus, a user
>>>> agent or extension could offer a more general-purpose privacy setting
>>>> "that then implicitly includes a tracking preference."
>>>>
>>>> Don't worry: I'm not (and I don't think anyone else is) asking the group
>>>> to take an official stance on whether widespread DNT use will be good for
>>>> privacy or bad for privacy. That's highly contested and highly
>>>> subjective. The language shows up in the context of "Determining User
>>>> Preference" and that's how I'm reading it: to address the question of
>>>> whether IE 10's DNT: 1 signals will reflect deliberate choices by users
>>>> about tracking.
>>>>
>>>> James
>>>>
>>>> On Aug 22, 2012, at 9:41 AM, "Dobbs, Brooks" <Brooks.Dobbs@kbmg.com>
>>>> wrote:
>>>>
>>>>> James and all,
>>>>>
>>>>> I think we are moving down the road of making some very dangerous
>>>>> assumptions here. We are getting in the habit of referring to sending
>>>>> the signal DNT: 1 as "a choice for privacy". This is a highly subjective
>>>>> statement and not necessarily true.
>>>>>
>>>>> Choosing DNT: 1 is a signal to an origin server that it must follow the
>>>>> rules as established by the compliance doc with all the resulting
>>>>> treatments to the UA.
>>>>> This may result in initial outcomes that many users will see as privacy
>>>>> enhancing. However, it may also channel UAs to different website payment
>>>>> schemes (non-ad supported) or move people towards advertising tools run
>>>>> by parties with a PII relationship to the user who are able to get out
>>>>> of band exceptions; neither would likely be called "a choice for
>>>>> privacy". This is not hypothetical at all. If a website needs N million
>>>>> dollars a year to provide content and service and that funding is cut to
>>>>> a third by DNT, they will seek one of those two roads, neither of which
>>>>> makes a lot of sense to call "a choice for privacy".
>>>>>
>>>>> Let's keep this conversation where it should be. A "preference" means a
>>>>> user's desire for his/her transaction to be processed by the recipient
>>>>> server in accordance with the rules established for that signal by the
>>>>> compliance doc. If an individual user, with individual use patterns, at
>>>>> any given time finds that to be "a choice for privacy" then so it is -
>>>>> for her. I doubt that the person asked for a credit card or to identify
>>>>> himself for an out of band exception to view a previously ad supported
>>>>> site will be as cavalier with the word choice.
>>>>>
>>>>> -Brooks
>>>>>
>>>>> --
>>>>>
>>>>> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the
>>>>> Wunderman Network
>>>>> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
>>>>> brooks.dobbs@kbmg.com
>>>>>
>>>>> This email including attachments may contain confidential information.
>>>>> If you are not the intended recipient, do not copy, distribute or act on
>>>>> it. Instead, notify the sender immediately and delete the message.
>>>>>
>>>>> On 8/21/12 10:43 PM, "Grimmelmann, James" <James.Grimmelmann@nyls.edu>
>>>>> wrote:
>>>>>
>>>>>> I disagree; this is far from a "clear" case. Here is the coming IE 10
>>>>>> setup process as described by Microsoft (cutting and pasting a bit):
>>>>>>
>>>>>> ----
>>>>>> In the Windows 8 set-up experience, customers will be asked to choose
>>>>>> between two ways of configuring a number of settings: "Express
>>>>>> Settings" or "Customize."
>>>>>>
>>>>>> Customers will receive prominent notice that their selection of Express
>>>>>> Settings turns DNT "on." In addition, by using the Customize approach,
>>>>>> users will be able to independently turn "on" and "off" a number of
>>>>>> settings, including the setting for the DNT signal. A "Learn More" link
>>>>>> with detailed information about each recommended setting will help
>>>>>> customers decide whether to select Express Settings or Customize.
>>>>>> ----
>>>>>>
>>>>>> And here is the language from the August 14 TPE draft:
>>>>>>
>>>>>> ----
>>>>>> The basic principle is that a tracking preference expression is only
>>>>>> transmitted when it reflects a deliberate choice by the user. ...
>>>>>>
>>>>>> A user agent must have a default tracking preference of unset (not
>>>>>> enabled) unless a specific tracking preference is implied by the
>>>>>> decision to use that agent. ...
>>>>>>
>>>>>> We do not specify how tracking preference choices are offered to the
>>>>>> user or how the preference is enabled: each implementation is
>>>>>> responsible for determining the user experience by which a tracking
>>>>>> preference is enabled.
>>>>>> For example, a user might select a check-box in their user agent's
>>>>>> configuration, install an extension or add-on that is specifically
>>>>>> designed to add a tracking preference expression, or make a choice for
>>>>>> privacy that then implicitly includes a tracking preference (e.g.,
>>>>>> Privacy settings: high). The user-agent might ask the user for their
>>>>>> preference during startup, perhaps on first use or after an update adds
>>>>>> the tracking protection feature.
>>>>>> ----
>>>>>>
>>>>>> There is a plausible argument that selecting Express Settings after
>>>>>> being given prominent notice that this will turn DNT on is both a
>>>>>> "deliberate choice by the user" and "a choice for privacy that then
>>>>>> implicitly includes a tracking preference" that the user-agent "ask[s]
>>>>>> the user for ... during startup." And because the user chooses to use
>>>>>> Express Settings, there is also a plausible argument that IE 10 will
>>>>>> "have a default tracking preference of unset."
>>>>>>
>>>>>> There are also some plausible counterarguments. For example, it is
>>>>>> possible that Microsoft's explanation of the effect of choosing Express
>>>>>> Settings will not be clear and prominent enough to make selecting it a
>>>>>> "choice for privacy." It is also unclear what the default state of the
>>>>>> DNT checkbox will be in "Customize."
>>>>>>
>>>>>> I'm sure that this is not what many others on the list *intend* the TPE
>>>>>> draft to mean, but based on what the draft currently *says*, IE 10's
>>>>>> compliance is open to serious debate.
>>>>>>
>>>>>> James
>>>>>>
>>>>>> --------------------------------------------------
>>>>>> James Grimmelmann              Professor of Law
>>>>>> New York Law School            (212) 431-2864
>>>>>> 185 West Broadway              james.grimmelmann@nyls.edu
>>>>>> New York, NY 10013             http://james.grimmelmann.net
>>>>>>
>>>>>> On Aug 21, 2012, at 9:35 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>>>>>>
>>>>>> On Aug 21, 2012, at 6:01 PM, Tamir Israel wrote:
>>>>>>
>>>>>> Roy your apache example, as I understood it, applies in clear cases of
>>>>>> non-compliance. I don't think there's ever going to be such a clear
>>>>>> case as in reality implementations are going to be quite varied and
>>>>>> browser sniffing of the kind you're suggesting will lead to browser
>>>>>> wars. Case in point:
>>>>>>
>>>>>> http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/08/07/do-not-track-in-the-windows-8-set-up-experience.aspx
>>>>>>
>>>>>> Which is a clear case of non-compliance. If pre-selecting an option in
>>>>>> a dialog box is not sufficient to gain prior consent, then it certainly
>>>>>> isn't sufficient to satisfy:
>>>>>>
>>>>>> "The basic principle is that a tracking preference expression is only
>>>>>> transmitted when it reflects a deliberate choice by the user. In the
>>>>>> absence of user choice, there is no tracking preference expressed."
>>>>>>
>>>>>> Browser wars is not a problem I have in HTTP, because of the Apache
>>>>>> principle regarding open standards. If you want to change the standard,
>>>>>> feel free to make proposals to that effect within the process defined
>>>>>> by this WG.
>>>>>> Please do not continue this argument about honoring deliberately broken
>>>>>> UAs; you are wasting our time, as this WG has even less ability to
>>>>>> change Apache's principles than it does to impose implementation of a
>>>>>> voluntary standard.
>>>>>>
>>>>>> ....Roy

Received on Wednesday, 22 August 2012 21:01:35 UTC