Re: action-231, issue-153 requirements on other software that sets DNT headers

From: Rob van Eijk <rob@blaeu.com>
Date: Wed, 22 Aug 2012 23:01:06 +0200
To: <public-tracking@w3.org>
Message-ID: <0deb14a3d990bbd33935c4cf2f7e85f3@xs4all.nl>

Dobbs,

I follow your conclusion that the question is not IF, but HOW to 
continue the online ad ecosystem. It underlines the disbalance. If only 
the current web functioned in such a way that a casual user would even 
have a choice to prevent being tagged by not visiting a donut shop. With 
innovating services like real time bidding and e-scoring gaining 
momentum, it doesn't matter where a user goes online for shopping. The 
casual user will often get the same unique tags anyway.

Circling back to the requirements on other software that sets DNT 
headers, I would like to table an additional text proposal.

Proposal (changes in CAPITAL):

Change the existing paragraph in the TPE spec to:
A user agent MAY EITHER have a default tracking preference of unset 
(not enabled) OR MAY HAVE A DEFAULT TRACKING PREFERENCE OF SET 
(ENABLED). IN CASE OF A DEFAULT OF SET (ENABLED), IT IS UP TO THE USER 
AGENT TO ACCURATELY REFLECT THE USER'S INTENT DURING INSTALLATION AND 
UPDATE. A USER AGENT MUST THEREFORE NOT HAVE A DEFAULT TRACKING 
PREFERENCE OF SET (ENABLED) WITHOUT CONSULTING THE USER. A user agent 
extension or add-on must not alter the tracking preference unless the 
act of installing and enabling that extension or add-on is an explicit 
choice by the user for that tracking preference. IT IS UP TO THE USER 
AGENT EXTENSION OR ADD-ON TO ACCURATELY REFLECT THE USER'S INTENT DURING 
INSTALLATION AND UPDATE. A USER AGENT EXTENSION OR ADD-ON MUST THEREFORE 
NOT HAVE A DEFAULT TRACKING PREFERENCE OF SET (ENABLED) WITHOUT 
CONSULTING THE USER.

Rob

Dobbs, Brooks wrote on 2012-08-22 20:58:
> Tamir,
>
> I again note that DNT: 1 is NOT a preference FOR privacy.  It is a
> preference that a recipient server will process data in accordance 
> with
> the compliance spec as required by the signal.  The net impact of the
> server's behavior may or may not on the whole be more or less privacy
> protective for the individual concerned.  A user may reasonably 
> conclude
> that DNT: 0 or unset is likely to have a better net impact on 
> privacy.
> Being asked for OOB exception or a micropayment for content may not, 
> in
> many reasonable minds, be privacy enhancing.
>
> I am not being pedantic here.  We must be conscious that we aren't
> discussing IF ad supported websites will continue to be funded but 
> HOW.
> If a donut store offers you "free" donuts for giving their 
> advertising
> sponsors your IP address and cookie as you wait in line but then is
> required by protocol not to collect those things, you may expect the 
> shop
> will ask you for a credit card when you get to the register (or 
> they'll
> close).
>
>
>
> -Brooks
>
>
> --
>
> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the
> Wunderman Network
> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
> brooks.dobbs@kbmg.com
>
>
>
> This email - including attachments - may contain confidential information.
> If you are not the intended recipient, do not copy, distribute or act on it.
> Instead, notify the sender immediately and delete the message.
>
>
>
> On 8/22/12 2:09 PM, "Tamir Israel" <tisrael@cippic.ca> wrote:
>
>>I don't think the terminology is inappropriate. Within the context of
>>'expressing an individual's choice', an individual selection of DNT-1 
>> is
>>expressive of that individual's preference for privacy, not of any
>>broader social impact on global privacy that may or may not result 
>> from
>>that choice.
>>
>>This seems right to me.
>>
>>Best,
>>Tamir
>>
>>On 8/22/2012 11:46 AM, Alan Chapell wrote:
>>> James -
>>>
>>> Judging by the email thread over the past couple of days, it seems 
>>> like
>>> that phrase is creating some confusion - even amongst the working 
>>> group.
>>> Perhaps we can find a better term for our documents so as not to 
>>> confuse
>>> the marketplace.
>>>
>>> Perhaps "deliberate choice for the DNT signal"?
>>>
>>>
>>> Cheers,
>>>
>>> Alan Chapell
>>> Chapell & Associates
>>> 917 318 8440
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 8/22/12 10:40 AM, "Grimmelmann, James" 
>>> <James.Grimmelmann@nyls.edu>
>>> wrote:
>>>
>>>> Brooks,
>>>>
>>>> The language "choice for privacy" has been in the TPE working 
>>>> drafts
>>>> since last year.  It is there as a way to describe certain kinds 
>>>> of
>>>>user
>>>> actions in configuring a user-agent that can reasonably be 
>>>> understood
>>>>to
>>>> include a "deliberate choice by the user" about a tracking 
>>>> preference.
>>>> This reflects the real-world fact that many users who choose to 
>>>> enable
>>>> the DNT: 1 header will do so out of a desire for privacy.  Thus, a 
>>>> user
>>>> agent or extension could offer a more general-purpose privacy 
>>>> setting
>>>> "that then implicitly includes a tracking preference."
>>>>
>>>> Don't worry: I'm not (and I don't think anyone else is) asking the
>>>>group
>>>> to take an official stance on whether widespread DNT use will be 
>>>> good
>>>>for
>>>> privacy or bad for privacy.  That's highly contested and highly
>>>> subjective.  The language shows up in the context of "Determining 
>>>> User
>>>> Preference" and that's how I'm reading it: to address the question 
>>>> of
>>>> whether IE 10's DNT: 1 signals will reflect deliberate choices by 
>>>> users
>>>> about tracking.
>>>>
>>>> James
>>>>
>>>> On Aug 22, 2012, at 9:41 AM, "Dobbs, Brooks" 
>>>> <Brooks.Dobbs@kbmg.com>
>>>> wrote:
>>>>
>>>>> James and all,
>>>>>
>>>>> I think we are moving down the road of making some very dangerous
>>>>> assumptions here.  We are getting in the habit of referring to 
>>>>> sending
>>>>> the
>>>>> signal DNT: 1 as "a choice for privacy".  This is a highly 
>>>>> subjective
>>>>> statement and not necessarily true.
>>>>>
>>>>> Choosing DNT: 1 is a signal to an origin server that it must 
>>>>> follow
>>>>>the
>>>>> rules as established by the compliance doc with all the resulting
>>>>> treatments to the UA.  This may result in initial outcomes that 
>>>>> many
>>>>> users
>>>>> will see as privacy enhancing.  However, it may also channel UAs 
>>>>> to
>>>>> different website payment schemes (non-ad supported) or move 
>>>>> people
>>>>> towards advertising tools run by parties with a PII relationship 
>>>>> to
>>>>>the
>>>>> user who are able to get out of band exceptions; neither would likely
>>>>> be called "a choice for privacy".  This is not hypothetical at all.  If a
>>>>> website needs N million dollars a year to provide content and 
>>>>> service
>>>>> and
>>>>> that funding is cut to a third by DNT, they will seek one of 
>>>>> those two
>>>>> roads, neither of which makes a lot of sense to call "a choice 
>>>>> for
>>>>> privacy".
>>>>>
>>>>> Let's keep this conversation where it should be.  A "preference"
>>>>>means a
>>>>> user's desire for his/her transaction to be processed by the 
>>>>> recipient
>>>>> server in accordance with the rules established for that signal 
>>>>> by the
>>>>> compliance doc.  If an individual user, with individual use 
>>>>> patterns,
>>>>>at
>>>>> any given time finds that to be "a choice for privacy" then so it 
>>>>> is -
>>>>> for
>>>>> her.  I doubt that the person asked for a credit card or to 
>>>>> identify
>>>>> himself for an out of band exception to view a previously ad 
>>>>> supported
>>>>> site will be as cavalier with the word choice.
>>>>>
>>>>> -Brooks
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of 
>>>>> the
>>>>> Wunderman Network
>>>>> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
>>>>> brooks.dobbs@kbmg.com
>>>>>
>>>>>
>>>>>
>>>>> This email - including attachments - may contain confidential information.
>>>>> If you are not the intended recipient, do not copy, distribute or act on it.
>>>>> Instead, notify the sender immediately and delete the message.
>>>>>
>>>>>
>>>>>
>>>>> On 8/21/12 10:43 PM, "Grimmelmann, James" 
>>>>> <James.Grimmelmann@nyls.edu>
>>>>> wrote:
>>>>>
>>>>>> I disagree; this is far from a "clear" case.  Here is the coming 
>>>>>> IE
>>>>>>10
>>>>>> setup process as described by Microsoft (cutting and pasting a 
>>>>>> bit):
>>>>>>
>>>>>> ----
>>>>>> In the Windows 8 set-up experience, customers will be asked to choose
>>>>>> between two ways of configuring a number of settings: "Express Settings"
>>>>>> or "Customize."
>>>>>>
>>>>>> Customers will receive prominent notice that their selection of Express
>>>>>> Settings turns DNT "on." In addition, by using the Customize approach,
>>>>>> users will be able to independently turn "on" and "off" a number of
>>>>>> settings, including the setting for the DNT signal.  A "Learn More" link
>>>>>> with detailed information about each recommended setting will help
>>>>>> customers decide whether to select Express Settings or Customize.
>>>>>> ----
>>>>>>
>>>>>> And here is the language from the August 14 TPE draft:
>>>>>>
>>>>>> ----
>>>>>> The basic principle is that a tracking preference expression is 
>>>>>> only
>>>>>> transmitted when it reflects a deliberate choice by the user. 
>>>>>> ...
>>>>>>
>>>>>> A user agent must have a default tracking preference of unset 
>>>>>> (not
>>>>>> enabled) unless a specific tracking preference is implied by the
>>>>>> decision
>>>>>> to use that agent. ...
>>>>>>
>>>>>> We do not specify how tracking preference choices are offered to 
>>>>>> the
>>>>>> user
>>>>>> or how the preference is enabled: each implementation is 
>>>>>> responsible
>>>>>> for
>>>>>> determining the user experience by which a tracking preference 
>>>>>> is
>>>>>> enabled. For example, a user might select a check-box in their 
>>>>>> user
>>>>>> agent's configuration, install an extension or add-on that is
>>>>>> specifically designed to add a tracking preference expression, 
>>>>>> or
>>>>>>make
>>>>>> a
>>>>>> choice for privacy that then implicitly includes a tracking
>>>>>>preference
>>>>>> (e.g., Privacy settings: high). The user-agent might ask the 
>>>>>> user for
>>>>>> their preference during startup, perhaps on first use or after 
>>>>>> an
>>>>>> update
>>>>>> adds the tracking protection feature.
>>>>>> ----
>>>>>>
>>>>>> There is a plausible argument that selecting Express Settings 
>>>>>> after
>>>>>> being
>>>>>> given prominent notice that this will turn DNT on is both a
>>>>>>"deliberate
>>>>>> choice by the user" and "a choice for privacy that then 
>>>>>> implicitly
>>>>>> includes a tracking preference" that the user-agent "ask[s] the 
>>>>>> user
>>>>>> for
>>>>>> ... during startup."  And because the user chooses to use 
>>>>>> Express
>>>>>> Settings, there is also a plausible argument that IE 10 will 
>>>>>> "have a
>>>>>> default tracking preference of unset."
>>>>>>
>>>>>> There are also some plausible counterarguments.  For example, it 
>>>>>> is
>>>>>> possible that Microsoft's explanation of the effect of choosing
>>>>>>Express
>>>>>> Settings will not be clear and prominent enough to make 
>>>>>> selecting it
>>>>>>a
>>>>>> "choice for privacy."  It is also unclear what the default state 
>>>>>> of
>>>>>>the
>>>>>> DNT checkbox will be in "Customize."
>>>>>>
>>>>>> I'm sure that this is not what many others on the list *intend* 
>>>>>> the
>>>>>>TPE
>>>>>> draft to mean, but based on what the draft currently *says*, IE 
>>>>>> 10's
>>>>>> compliance is open to serious debate.
>>>>>>
>>>>>> James
>>>>>>
>>>>>> --------------------------------------------------
>>>>>> James Grimmelmann              Professor of Law
>>>>>> New York Law School                 (212) 431-2864
>>>>>> 185 West Broadway
>>>>>> james.grimmelmann@nyls.edu
>>>>>> New York, NY 10013    http://james.grimmelmann.net
>>>>>>
>>>>>> On Aug 21, 2012, at 9:35 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>>>>>>
>>>>>> On Aug 21, 2012, at 6:01 PM, Tamir Israel wrote:
>>>>>>
>>>>>> Roy your apache example, as I understood it, applies in clear 
>>>>>> cases
>>>>>>of
>>>>>> non-compliance. I don't think there's ever going to be such a 
>>>>>> clear
>>>>>> case
>>>>>> as in reality implementations are going to be quite varied and
>>>>>>browser
>>>>>> sniffing of the kind you're suggesting will lead to browser 
>>>>>> wars.
>>>>>>Case
>>>>>> in
>>>>>> point:
>>>>>>
>>>>>>
>>>>>>
>>>>>> http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/08/07/do-not-track-in-the-windows-8-set-up-experience.aspx
>>>>>>
>>>>>> Which is a clear case of non-compliance.  If pre-selecting an
>>>>>> option in a dialog box is not sufficient to gain prior consent,
>>>>>> then it certainly isn't sufficient to satisfy:
>>>>>>
>>>>>> "The basic principle is that a tracking preference expression
>>>>>>  is only transmitted when it reflects a deliberate choice by
>>>>>>  the user. In the absence of user choice, there is no tracking
>>>>>>  preference expressed."
>>>>>>
>>>>>> Browser wars is not a problem I have in HTTP, because of the
>>>>>> Apache principle regarding open standards.  If you want to 
>>>>>> change
>>>>>> the standard, feel free to make proposals to that effect within
>>>>>> the process defined by this WG.  Please do not continue this
>>>>>> argument about honoring deliberately broken UAs; you are wasting
>>>>>> our time, as this WG has even less ability to change Apache's
>>>>>> principles
>>>>>> than it does to impose implementation of a voluntary standard.
>>>>>>
>>>>>> ....Roy
>>>>>>
>>>>>>
>>>>
>>>>
>>>
>>>
Received on Wednesday, 22 August 2012 21:01:35 UTC