- From: Shane Wiley <wileys@yahoo-inc.com>
- Date: Wed, 22 Aug 2012 14:33:11 -0700
- To: "rob@blaeu.com" <rob@blaeu.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Rob, I appreciate your attempt at making IE10 somehow acceptable to a long-standing position within the working group but I don't believe it's every fair to allow a "Default ON". We've covered this numerous times so I'm not sure why this language changes the core belief of the WG. "MAY HAVE A DEFAULT TRACKING PREFERENCE OF SET (ENABLED)" - Shane -----Original Message----- From: Rob van Eijk [mailto:rob@blaeu.com] Sent: Wednesday, August 22, 2012 2:01 PM To: public-tracking@w3.org Subject: Re: action-231, issue-153 requirements on other software that sets DNT headers Dobbs, I follow your conclusion that the question is not IF, but HOW to continue the online ad ecosystem. It underlines the disbalance. If only the current web functioned in such a way that a casual user would even have a choice to prevent being tagged by not visiting a donut shop. With innovating services like real time bidding and e-scoring gaining momentum, it doesn't matter where a user goes online for shopping. The casual user will often get the same unique tags anyway. Circling back to the requirements on other software that sets DNT headers, I would like to table an additional text proposal. Proposal (changes in CAPITAL): Change the existing paragraph in the TPE spec to: A user agent MAY EITHER have a default tracking preference of unset (not enabled) OR MAY HAVE A DEFAULT TRACKING PREFERENCE OF SET (ENABLED). IN CASE OF A DEFAULT OF SET (ENABLED), IT IS UP TO THE USER AGENT TO ACCURATELY REFLECT THE USER'S INTENT DURING INSTALLATION AND UPDATE. A USER AGENT MUST THEREFOR NOT HAVE A DEFAULT TRACKING PREFERENCE OF SET (ENABLED) WITHOUT CONSULTING THE USER. A user agent extension or add-on must not alter the tracking preference unless the act of installing and enabling that extension or add-on is an explicit choice by the user for that tracking preference. IT IS UP TO THE USER AGENT EXTENSION OR ADD-ON TO ACCURATELY REFLECT THE USER'S INTENT DURING INSTALLATION AND UPDATE. A USER AGENT EXTENSION OR ADD-ON MUST THEREFOR NOT HAVE A DEFAULT TRACKING PREFERENCE OF SET (ENABLED) WITHOUT CONSULTING THE USER. Rob Dobbs, Brooks schreef op 2012-08-22 20:58: > Tamir, > > I again note that DNT: 1 is NOT a preference FOR privacy. It is a > preference that a recipient server will process data in accordance > with the compliance spec as required by the signal. The net impact of > the server's behavior may or may not on the whole be more or less > privacy protective for the individual concerned. A user may > reasonably conclude that DNT: 0 or unset is likely to have a better > net impact on privacy. > Being asked for OOB exception or a micropayment for content may not, > in many reasonable minds, be privacy enhancing. > > I am not being pedantic here. We must be conscious that we aren't > discussing IF ad supported websites will continue to be funded but > HOW. > If a donut store offers you "free" donuts for giving their advertising > sponsors your IP address and cookie as you wait in line but then is > required by protocol not to collect those things, you may expect the > shop will ask you for a credit card when you get to the register (or > they'll close). > > > > -Brooks > > > -- > > Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the > Wunderman Network > (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com > brooks.dobbs@kbmg.com > > > > This email including attachments may contain confidential > information. > If you are not the intended recipient, do not copy, distribute or act > on it. Instead, notify the sender immediately and delete the message. > > > > On 8/22/12 2:09 PM, "Tamir Israel" <tisrael@cippic.ca> wrote: > >>I don't think the terminology is inappropriate. Within the context of >>'expressing an individual's choice', an individual selection of DNT-1 >>is expressive of that individual's preference for privacy, not of any >>broader social impact on global privacy that may or may not result >>from that choice. >> >>This seems right to me. >> >>Best, >>Tamir >> >>On 8/22/2012 11:46 AM, Alan Chapell wrote: >>> James - >>> >>> Judging by the email thread over the past couple of days, it seems >>> like that phrase is creating some confusion - even amongst the >>> working group. >>> Perhaps we can find a better term for our documents so as not to >>> confuse the marketplace. >>> >>> Perhaps "deliberate choice for the DNT signal"? >>> >>> >>> Cheers, >>> >>> Alan Chapell >>> Chapell & Associates >>> 917 318 8440 >>> >>> >>> >>> >>> >>> >>> On 8/22/12 10:40 AM, "Grimmelmann, James" >>> <James.Grimmelmann@nyls.edu> >>> wrote: >>> >>>> Brooks, >>>> >>>> The language "choice for privacy" has been in the TPE working >>>>drafts since last year. It is there as a way to describe certain >>>>kinds of user actions in configuring a user-agent that can >>>>reasonably be understood to include a "deliberate choice by the >>>>user" about a tracking preference. >>>> This reflects the real-world fact that many users who choose to >>>>enable the DNT: 1 header will do so out of a desire for privacy. >>>>Thus, a user agent or extension could offer a more general-purpose >>>>privacy setting "that then implicitly includes a tracking >>>>preference." >>>> >>>> Don't worry: I'm not (and I don't think anyone else is) asking the >>>>group to take an official stance on whether widespread DNT use will >>>>be good for privacy or bad for privacy. That's highly contested >>>>and highly subjective. The language shows up in the context of >>>>"Determining User Preference" and that's how I'm reading it: to >>>>address the question of whether IE 10's DNT: 1 signals will >>>>reflect deliberate choices by users about tracking. >>>> >>>> James >>>> >>>> On Aug 22, 2012, at 9:41 AM, "Dobbs, Brooks" >>>> <Brooks.Dobbs@kbmg.com> >>>> wrote: >>>> >>>>> James and all, >>>>> >>>>> I think we are moving down the road of making some very dangerous >>>>> assumptions here. We are getting in the habit of referring to >>>>> sending the signal DNT: 1 as "a choice for privacy". This is a >>>>> highly subjective statement and not necessarily true. >>>>> >>>>> Choosing DNT: 1 is a signal to an origin server that it must >>>>>follow the rules as established by the compliance doc with all the >>>>>resulting treatments to the UA. This may result in initial >>>>>outcomes that many users will see as privacy enhancing. >>>>>However, it may also channel UAs to different website payment >>>>>schemes (non-ad supported) or move people towards advertising >>>>>tools run by parties with a PII relationship to the user who are >>>>>able to get out of band exceptions; neither would likely to be >>>>>called "a choice for privacy". This is not hypothetical at all. >>>>>If >>>>> a >>>>> website needs N million dollars a year to provide content and >>>>>service and that funding is cut to a third by DNT, they will seek >>>>>one of those two roads, neither of which makes a lot of sense to >>>>>call "a choice for privacy". >>>>> >>>>> Let's keep this conversation where it should be. A "preference" >>>>>means a >>>>> user's desire for his/her transaction to be processed by the >>>>>recipient server in accordance with the rules established for that >>>>>signal by the compliance doc. If an individual user, with >>>>>individual use patterns, at any given time finds that to be "a >>>>>choice for privacy" then so it is - for her. I doubt that the >>>>>person asked for a credit card or to identify himself for an out >>>>>of band exception to view a previously ad supported site will be >>>>>as cavalier with the word choice. >>>>> >>>>> -Brooks >>>>> >>>>> >>>>> -- >>>>> >>>>> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of >>>>> the Wunderman Network >>>>> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com >>>>> brooks.dobbs@kbmg.com >>>>> >>>>> >>>>> >>>>> This email including attachments may contain confidential >>>>> information. >>>>> If you are not the intended recipient, do not copy, distribute or >>>>> act on it. Instead, notify the sender immediately and delete the >>>>> message. >>>>> >>>>> >>>>> >>>>> On 8/21/12 10:43 PM, "Grimmelmann, James" >>>>> <James.Grimmelmann@nyls.edu> >>>>> wrote: >>>>> >>>>>> I disagree; this is far from a "clear" case. Here is the coming >>>>>>IE >>>>>>10 >>>>>> setup process as described by Microsoft (cutting and pasting a >>>>>> bit): >>>>>> >>>>>> ---- >>>>>> In the Windows 8 set-up experience, customers will be asked to >>>>>> choose between two ways of configuring a number of settings: >>>>>> ³Express Settings² or ³Customize.² >>>>>> >>>>>> Customers will receive prominent notice that their selection of >>>>>>Express Settings turns DNT ³on.² In addition, by using the >>>>>>Customize approach, users will be able to independently turn ³on² >>>>>>and ³off² a number of settings, including the setting for the >>>>>>DNT signal. A ³Learn More² link with detailed information >>>>>>about each recommended setting will help customers decide >>>>>>whether to select Express Settings or Customize. >>>>>> ---- >>>>>> >>>>>> And here is the language from the August 14 TPE draft: >>>>>> >>>>>> ---- >>>>>> The basic principle is that a tracking preference expression is >>>>>> only transmitted when it reflects a deliberate choice by the >>>>>> user. >>>>>> ... >>>>>> >>>>>> A user agent must have a default tracking preference of unset >>>>>> (not >>>>>> enabled) unless a specific tracking preference is implied by the >>>>>> decision to use that agent. ... >>>>>> >>>>>> We do not specify how tracking preference choices are offered to >>>>>>the user or how the preference is enabled: each implementation >>>>>>is responsible for determining the user experience by which a >>>>>>tracking preference is enabled. For example, a user might select >>>>>>a check-box in their user agent's configuration, install an >>>>>>extension or add-on that is specifically designed to add a >>>>>>tracking preference expression, or make a choice for privacy >>>>>>that then implicitly includes a tracking preference (e.g., >>>>>>Privacy settings: high). The user-agent might ask the user for >>>>>>their preference during startup, perhaps on first use or after an >>>>>>update adds the tracking protection feature. >>>>>> ---- >>>>>> >>>>>> There is a plausible argument that selecting Express Settings >>>>>>after being given prominent notice that this will turn DNT on is >>>>>>both a "deliberate choice by the user" and "a choice for privacy >>>>>>that then implicitly includes a tracking preference" that the >>>>>>user-agent "ask[s] the user for ... during startup." And >>>>>>because the user chooses to use Express Settings, there is also >>>>>>a plausible argument that IE 10 will "have a default tracking >>>>>>preference of unset." >>>>>> >>>>>> There are also some plausible counterarguments. For example, it >>>>>>is possible that Microsoft's explanation of the effect of >>>>>>choosing Express Settings will not be clear and prominent enough >>>>>>to make selecting it a "choice for privacy." It is also unclear >>>>>>what the default state of the DNT checkbox will be in >>>>>>"Customize." >>>>>> >>>>>> I'm sure that this is not what many others on the list *intend* >>>>>>the TPE draft to mean, but based on what the draft currently >>>>>>*says*, IE 10's compliance is open to serious debate. >>>>>> >>>>>> James >>>>>> >>>>>> -------------------------------------------------- >>>>>> James Grimmelmann Professor of Law >>>>>> New York Law School (212) 431-2864 >>>>>> 185 West Broadway >>>>>> james.grimmelmann@nyls.edu<mailto:james.grimmelmann@nyls.edu> >>>>>> New York, NY 10013 http://james.grimmelmann.net >>>>>> >>>>>> On Aug 21, 2012, at 9:35 PM, Roy T. Fielding >>>>>> <fielding@gbiv.com<mailto:fielding@gbiv.com>> wrote: >>>>>> >>>>>> On Aug 21, 2012, at 6:01 PM, Tamir Israel wrote: >>>>>> >>>>>> Roy your apache example, as I understood it, applies in clear >>>>>>cases of non-compliance. I don't think there's ever going to be >>>>>>such a clear case as in reality implementations are going to be >>>>>>quite varied and browser sniffing of the kind you're suggesting >>>>>>will lead to browser wars. >>>>>>Case >>>>>> in >>>>>> point: >>>>>> >>>>>> >>>>>> >>>>>>http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/08 >>>>>>/07/ >>>>>>do >>>>>> -n >>>>>> ot-track-in-the-windows-8-set-up-experience.aspx >>>>>> >>>>>> Which is a clear case of non-compliance. If pre-selecting an >>>>>> option in a dialog box is not sufficient to gain prior consent, >>>>>> then it certainly isn't sufficient to satisfy: >>>>>> >>>>>> "The basic principle is that a tracking preference expression is >>>>>> only transmitted when it reflects a deliberate choice by the >>>>>> user. In the absence of user choice, there is no tracking >>>>>> preference expressed." >>>>>> >>>>>> Browser wars is not a problem I have in HTTP, because of the >>>>>> Apache principle regarding open standards. If you want to change >>>>>> the standard, feel free to make proposals to that effect within >>>>>> the process defined by this WG. Please do not continue this >>>>>> argument about honoring deliberately broken UAs; you are wasting >>>>>> our time, as this WG has even less ability to change Apache's >>>>>> principles than it does to impose implementation of a voluntary >>>>>> standard. >>>>>> >>>>>> ....Roy >>>>>> >>>>>> >>>> >>>> >>> >>>
Received on Wednesday, 22 August 2012 21:33:54 UTC