W3C home > Mailing lists > Public > public-tracking@w3.org > August 2012

RE: action-231, issue-153 requirements on other software that sets DNT headers

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Wed, 22 Aug 2012 14:33:11 -0700
To: "rob@blaeu.com" <rob@blaeu.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <63294A1959410048A33AEE161379C8024F8FDD4F36@SP2-EX07VS02.ds.corp.yahoo.com>
Rob,

I appreciate your attempt at making IE10 somehow acceptable to a long-standing position within the working group but I don't believe it's every fair to allow a "Default ON".  We've covered this numerous times so I'm not sure why this language changes the core belief of the WG.

"MAY HAVE A DEFAULT TRACKING PREFERENCE OF SET (ENABLED)"

- Shane

-----Original Message-----
From: Rob van Eijk [mailto:rob@blaeu.com] 
Sent: Wednesday, August 22, 2012 2:01 PM
To: public-tracking@w3.org
Subject: Re: action-231, issue-153 requirements on other software that sets DNT headers


Dobbs,

I follow your conclusion that the question is not IF, but HOW to continue the online ad ecosystem. It underlines the disbalance. If only the current web functioned in such a way that a casual user would even have a choice to prevent being tagged by not visiting a donut shop. With innovating services like real time bidding and e-scoring gaining momentum, it doesn't matter where a user goes online for shopping. The casual user will often get the same unique tags anyway.

Circling back to the requirements on other software that sets DNT headers, I would like to table an additional text proposal.

Proposal (changes in CAPITAL):

Change the existing paragraph in the TPE spec to:
A user agent MAY EITHER have a default tracking preference of unset (not enabled) OR MAY HAVE A DEFAULT TRACKING PREFERENCE OF SET (ENABLED). IN CASE OF A DEFAULT OF SET (ENABLED), IT IS UP TO THE USER AGENT TO ACCURATELY REFLECT THE USER'S INTENT DURING INSTALLATION AND UPDATE. A USER AGENT MUST THEREFOR NOT HAVE A DEFAULT TRACKING PREFERENCE OF SET (ENABLED) WITHOUT CONSULTING THE USER. A user agent extension or add-on must not alter the tracking preference unless the act of installing and enabling that extension or add-on is an explicit choice by the user for that tracking preference. IT IS UP TO THE USER AGENT EXTENSION OR ADD-ON TO ACCURATELY REFLECT THE USER'S INTENT DURING INSTALLATION AND UPDATE. A USER AGENT EXTENSION OR ADD-ON MUST THEREFOR NOT HAVE A DEFAULT TRACKING PREFERENCE OF SET (ENABLED) WITHOUT CONSULTING THE USER.

Rob

Dobbs, Brooks schreef op 2012-08-22 20:58:
> Tamir,
>
> I again note that DNT: 1 is NOT a preference FOR privacy.  It is a 
> preference that a recipient server will process data in accordance 
> with the compliance spec as required by the signal.  The net impact of 
> the server's behavior may or may not on the whole be more or less 
> privacy protective for the individual concerned.  A user may 
> reasonably conclude that DNT: 0 or unset is likely to have a better 
> net impact on privacy.
> Being asked for OOB exception or a micropayment for content may not, 
> in many reasonable minds, be privacy enhancing.
>
> I am not being pedantic here.  We must be conscious that we aren't 
> discussing IF ad supported websites will continue to be funded but 
> HOW.
> If a donut store offers you "free" donuts for giving their advertising 
> sponsors your IP address and cookie as you wait in line but then is 
> required by protocol not to collect those things, you may expect the 
> shop will ask you for a credit card when you get to the register (or 
> they'll close).
>
>
>
> -Brooks
>
>
> --
>
> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the 
> Wunderman Network
> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com 
> brooks.dobbs@kbmg.com
>
>
>
> This email ­ including attachments ­ may contain confidential 
> information.
> If you are not the intended recipient,  do not copy, distribute or act 
> on it. Instead, notify the sender immediately and delete the message.
>
>
>
> On 8/22/12 2:09 PM, "Tamir Israel" <tisrael@cippic.ca> wrote:
>
>>I don't think the terminology is inappropriate. Within the context of 
>>'expressing an individual's choice', an individual selection of DNT-1  
>>is expressive of that individual's preference for privacy, not of any 
>>broader social impact on global privacy that may or may not result  
>>from that choice.
>>
>>This seems right to me.
>>
>>Best,
>>Tamir
>>
>>On 8/22/2012 11:46 AM, Alan Chapell wrote:
>>> James -
>>>
>>> Judging by the email thread over the past couple of days, it seems 
>>> like that phrase is creating some confusion - even amongst the 
>>> working group.
>>> Perhaps we can find a better term for our documents so as not to 
>>> confuse the marketplace.
>>>
>>> Perhaps "deliberate choice for the DNT signal"?
>>>
>>>
>>> Cheers,
>>>
>>> Alan Chapell
>>> Chapell & Associates
>>> 917 318 8440
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 8/22/12 10:40 AM, "Grimmelmann, James" 
>>> <James.Grimmelmann@nyls.edu>
>>> wrote:
>>>
>>>> Brooks,
>>>>
>>>> The language "choice for privacy" has been in the TPE working  
>>>>drafts  since last year.  It is there as a way to describe certain 
>>>>kinds  of user  actions in configuring a user-agent that can 
>>>>reasonably be  understood to  include a "deliberate choice by the 
>>>>user" about a tracking  preference.
>>>> This reflects the real-world fact that many users who choose to  
>>>>enable  the DNT: 1 header will do so out of a desire for privacy.  
>>>>Thus, a  user  agent or extension could offer a more general-purpose 
>>>>privacy  setting  "that then implicitly includes a tracking 
>>>>preference."
>>>>
>>>> Don't worry: I'm not (and I don't think anyone else is) asking the 
>>>>group  to take an official stance on whether widespread DNT use will 
>>>>be  good for  privacy or bad for privacy.  That's highly contested 
>>>>and highly  subjective.  The language shows up in the context of 
>>>>"Determining  User  Preference" and that's how I'm reading it: to 
>>>>address the question  of  whether IE 10's DNT: 1 signals will 
>>>>reflect deliberate choices by  users  about tracking.
>>>>
>>>> James
>>>>
>>>> On Aug 22, 2012, at 9:41 AM, "Dobbs, Brooks" 
>>>> <Brooks.Dobbs@kbmg.com>
>>>> wrote:
>>>>
>>>>> James and all,
>>>>>
>>>>> I think we are moving down the road of making some very dangerous 
>>>>> assumptions here.  We are getting in the habit of referring to 
>>>>> sending the signal DNT: 1 as "a choice for privacy".  This is a 
>>>>> highly subjective statement and not necessarily true.
>>>>>
>>>>> Choosing DNT: 1 is a signal to an origin server that it must  
>>>>>follow the  rules as established by the compliance doc with all the 
>>>>>resulting  treatments to the UA.  This may result in initial 
>>>>>outcomes that  many  users  will see as privacy enhancing.  
>>>>>However, it may also channel UAs  to  different website payment 
>>>>>schemes (non-ad supported) or move  people  towards advertising 
>>>>>tools run by parties with a PII relationship  to the  user who are 
>>>>>able to get out of band exceptions; neither would  likely to  be 
>>>>>called "a choice for privacy".  This is not hypothetical at  all.
>>>>>If
>>>>> a
>>>>> website needs N million dollars a year to provide content and  
>>>>>service  and  that funding is cut to a third by DNT, they will seek 
>>>>>one of  those two  roads, neither of which makes a lot of sense to 
>>>>>call "a choice  for  privacy".
>>>>>
>>>>> Let's keep this conversation where it should be.  A "preference"
>>>>>means a
>>>>> user's desire for his/her transaction to be processed by the  
>>>>>recipient  server in accordance with the rules established for that 
>>>>>signal  by the  compliance doc.  If an individual user, with 
>>>>>individual use  patterns, at  any given time finds that to be "a 
>>>>>choice for privacy" then so it  is -  for  her.  I doubt that the 
>>>>>person asked for a credit card or to  identify  himself for an out 
>>>>>of band exception to view a previously ad  supported  site will be 
>>>>>as cavalier with the word choice.
>>>>>
>>>>> -Brooks
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of 
>>>>> the Wunderman Network
>>>>> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com 
>>>>> brooks.dobbs@kbmg.com
>>>>>
>>>>>
>>>>>
>>>>> This email ­ including attachments ­ may contain confidential 
>>>>> information.
>>>>> If you are not the intended recipient, do not copy, distribute or 
>>>>> act on it. Instead, notify the sender immediately and delete the 
>>>>> message.
>>>>>
>>>>>
>>>>>
>>>>> On 8/21/12 10:43 PM, "Grimmelmann, James" 
>>>>> <James.Grimmelmann@nyls.edu>
>>>>> wrote:
>>>>>
>>>>>> I disagree; this is far from a "clear" case.  Here is the coming  
>>>>>>IE
>>>>>>10
>>>>>> setup process as described by Microsoft (cutting and pasting a
>>>>>> bit):
>>>>>>
>>>>>> ----
>>>>>> In the Windows 8 set-up experience, customers will be asked to 
>>>>>> choose between two ways of configuring a number of settings: 
>>>>>> ³Express Settings² or ³Customize.²
>>>>>>
>>>>>> Customers will receive prominent notice that their selection of 
>>>>>>Express  Settings turns DNT ³on.² In addition, by using the 
>>>>>>Customize approach,  users will be able to independently turn ³on² 
>>>>>>and ³off² a number  of  settings, including the setting for the 
>>>>>>DNT signal.  A ³Learn  More²  link  with detailed information 
>>>>>>about each recommended setting will  help  customers decide 
>>>>>>whether to select Express Settings or  Customize.
>>>>>> ----
>>>>>>
>>>>>> And here is the language from the August 14 TPE draft:
>>>>>>
>>>>>> ----
>>>>>> The basic principle is that a tracking preference expression is 
>>>>>> only transmitted when it reflects a deliberate choice by the 
>>>>>> user.
>>>>>> ...
>>>>>>
>>>>>> A user agent must have a default tracking preference of unset 
>>>>>> (not
>>>>>> enabled) unless a specific tracking preference is implied by the 
>>>>>> decision to use that agent. ...
>>>>>>
>>>>>> We do not specify how tracking preference choices are offered to  
>>>>>>the  user  or how the preference is enabled: each implementation 
>>>>>>is  responsible  for  determining the user experience by which a 
>>>>>>tracking preference  is  enabled. For example, a user might select 
>>>>>>a check-box in their  user  agent's configuration, install an 
>>>>>>extension or add-on that is  specifically designed to add a 
>>>>>>tracking preference expression,  or make  a  choice for privacy 
>>>>>>that then implicitly includes a tracking preference  (e.g., 
>>>>>>Privacy settings: high). The user-agent might ask the  user for  
>>>>>>their preference during startup, perhaps on first use or after  an  
>>>>>>update  adds the tracking protection feature.
>>>>>> ----
>>>>>>
>>>>>> There is a plausible argument that selecting Express Settings  
>>>>>>after  being  given prominent notice that this will turn DNT on is 
>>>>>>both a "deliberate  choice by the user" and "a choice for privacy 
>>>>>>that then  implicitly  includes a tracking preference" that the 
>>>>>>user-agent "ask[s] the  user  for  ... during startup."  And 
>>>>>>because the user chooses to use  Express  Settings, there is also 
>>>>>>a plausible argument that IE 10 will  "have a  default tracking 
>>>>>>preference of unset."
>>>>>>
>>>>>> There are also some plausible counterarguments.  For example, it  
>>>>>>is  possible that Microsoft's explanation of the effect of 
>>>>>>choosing Express  Settings will not be clear and prominent enough 
>>>>>>to make  selecting it a  "choice for privacy."  It is also unclear 
>>>>>>what the default state  of the  DNT checkbox will be in 
>>>>>>"Customize."
>>>>>>
>>>>>> I'm sure that this is not what many others on the list *intend*  
>>>>>>the TPE  draft to mean, but based on what the draft currently 
>>>>>>*says*, IE  10's  compliance is open to serious debate.
>>>>>>
>>>>>> James
>>>>>>
>>>>>> --------------------------------------------------
>>>>>> James Grimmelmann              Professor of Law
>>>>>> New York Law School                 (212) 431-2864
>>>>>> 185 West Broadway
>>>>>> james.grimmelmann@nyls.edu<mailto:james.grimmelmann@nyls.edu>
>>>>>> New York, NY 10013    http://james.grimmelmann.net

>>>>>>
>>>>>> On Aug 21, 2012, at 9:35 PM, Roy T. Fielding 
>>>>>> <fielding@gbiv.com<mailto:fielding@gbiv.com>> wrote:
>>>>>>
>>>>>> On Aug 21, 2012, at 6:01 PM, Tamir Israel wrote:
>>>>>>
>>>>>> Roy your apache example, as I understood it, applies in clear  
>>>>>>cases of  non-compliance. I don't think there's ever going to be 
>>>>>>such a  clear  case  as in reality implementations are going to be 
>>>>>>quite varied and browser  sniffing of the kind you're suggesting 
>>>>>>will lead to browser  wars.
>>>>>>Case
>>>>>> in
>>>>>> point:
>>>>>>
>>>>>>
>>>>>>
>>>>>>http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/08

>>>>>>/07/
>>>>>>do
>>>>>> -n
>>>>>> ot-track-in-the-windows-8-set-up-experience.aspx
>>>>>>
>>>>>> Which is a clear case of non-compliance.  If pre-selecting an 
>>>>>> option in a dialog box is not sufficient to gain prior consent, 
>>>>>> then it certainly isn't sufficient to satisfy:
>>>>>>
>>>>>> "The basic principle is that a tracking preference expression  is 
>>>>>> only transmitted when it reflects a deliberate choice by  the 
>>>>>> user. In the absence of user choice, there is no tracking  
>>>>>> preference expressed."
>>>>>>
>>>>>> Browser wars is not a problem I have in HTTP, because of the 
>>>>>> Apache principle regarding open standards.  If you want to change 
>>>>>> the standard, feel free to make proposals to that effect within 
>>>>>> the process defined by this WG.  Please do not continue this 
>>>>>> argument about honoring deliberately broken UAs; you are wasting 
>>>>>> our time, as this WG has even less ability to change Apache's 
>>>>>> principles than it does to impose implementation of a voluntary 
>>>>>> standard.
>>>>>>
>>>>>> ....Roy
>>>>>>
>>>>>>
>>>>
>>>>
>>>
>>>


Received on Wednesday, 22 August 2012 21:33:54 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:38:54 UTC