RE: action-231, issue-153 requirements on other software that sets DNT headers

Tamir,

This situation is not gray to me.  DNT ON by Default = non-compliant.  Very black and white.

- Shane

From: Tamir Israel [mailto:tisrael@cippic.ca]
Sent: Wednesday, August 22, 2012 2:46 PM
To: Shane Wiley
Cc: Grimmelmann, James; Dobbs, Brooks; Roy T. Fielding; public-tracking@w3.org (public-tracking@w3.org)
Subject: Re: action-231, issue-153 requirements on other software that sets DNT headers

So "customers will receive prominent notice that their selection of express settings turns DNT 'on'" is still problematic because of the pre-selection?

I personally agree that pre-selection is a real problem, but I can point to a number of contexts where this kind of thing has been accepted (and is commonly used) as a means of determining express user preference.

In the Windows 8 set-up experience, customers will be asked to choose between two ways of configuring a number of settings: "Express Settings" or "Customize." By providing a simple experience that allows customers to set their preferences, we've sought to balance ease of use with choice and control. The recommended Express Settings are designed to expedite and streamline the overall set-up process, and, if selected, generally improve a customer's privacy, security, and overall experience on the device.

DNT fits naturally into this process. Customers will receive prominent notice that their selection of Express Settings turns DNT "on."  In addition, by using the Customize approach, users will be able to independently turn "on" and "off" a number of settings, including the setting for the DNT signal.  A "Learn More" link with detailed information about each recommended setting will help customers decide whether to select Express Settings or Customize. A Privacy Statement link is also available on the screen. Windows 7 customers using IE10 will receive prominent notice that DNT is turned on in their new browser, together with a link providing more information about the setting.

Regardless of what I think, though, I'm not sure that a crystal clear case of non-compliance can be made out here and this is precisely the type of ambiguity and second guessing that I'm worried about. Most scenarios are going to be even grayer than this one.....

On 8/22/2012 5:38 PM, Shane Wiley wrote:

Tamir,



Speaking only for myself, IE10 is still DNT On by Default - and now there is an option to go through a custom install flow to change this fact.  So for me, DNT On by Default still equals non-compliance.



- Shane



-----Original Message-----

From: Tamir Israel [mailto:tisrael@cippic.ca]

Sent: Wednesday, August 22, 2012 2:14 PM

To: Shane Wiley

Cc: Grimmelmann, James; Dobbs, Brooks; Roy T. Fielding; public-tracking@w3.org (public-tracking@w3.org)

Subject: Re: action-231, issue-153 requirements on other software that sets DNT headers



Shane -- can you (and others) please confirm whether MSFT's new proposal, which will prompt users to make a DNT election during Win8 install, is 'representing user's choice' or not? Also please confirm whether this is still a clear case or not?



http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/08/07/do-not-track-in-the-windows-8-set-up-experience.aspx



To me it appeared as though MSFT was now making a good faith effort to bring their IE10 DNT into compliance.





On 8/22/2012 11:47 AM, Shane Wiley wrote:

James,



I don't believe there is much argument over IE10 NOT representing a user's choice.  The issue the working group is struggling with is even in light of a UA sending DNT:1 outside of user choice (IE10), must Servers still honor it.  Most of those of us that actually have to implement the standard don't believe this should be the case (i.e. optional with user transparency).



- Shane



-----Original Message-----

From: Grimmelmann, James [mailto:James.Grimmelmann@nyls.edu]

Sent: Wednesday, August 22, 2012 7:41 AM

To: Dobbs, Brooks

Cc: Roy T. Fielding; Tamir Israel; public-tracking@w3.org (public-tracking@w3.org)

Subject: Re: action-231, issue-153 requirements on other software that sets DNT headers



Brooks,



The language "choice for privacy" has been in the TPE working drafts since last year.  It is there as a way to describe certain kinds of user actions in configuring a user-agent that can reasonably be understood to include a "deliberate choice by the user" about a tracking preference.  This reflects the real-world fact that many users who choose to enable the DNT: 1 header will do so out of a desire for privacy.  Thus, a user agent or extension could offer a more general-purpose privacy setting "that then implicitly includes a tracking preference."



Don't worry: I'm not (and I don't think anyone else is) asking the group to take an official stance on whether widespread DNT use will be good for privacy or bad for privacy.  That's highly contested and highly subjective.  The language shows up in the context of "Determining User Preference" and that's how I'm reading it: to address the question of whether IE 10's DNT: 1 signals will reflect deliberate choices by users about tracking.



James



On Aug 22, 2012, at 9:41 AM, "Dobbs, Brooks" <Brooks.Dobbs@kbmg.com> wrote:



James and all,



I think we are moving down the road of making some very dangerous assumptions here.  We are getting in the habit of referring to sending the signal DNT: 1 as "a choice for privacy".  This is a highly subjective statement and not necessarily true.

Choosing DNT: 1 is a signal to an origin server that it must follow the rules as established by the compliance doc with all the resulting treatments to the UA.  This may result in initial outcomes that many users will see as privacy enhancing.  However, it may also channel UAs to different website payment schemes (non-ad supported) or move people towards advertising tools run by parties with a PII relationship to the user who are able to get out of band exceptions; neither would be likely to be called "a choice for privacy".  This is not hypothetical at all.  If a website needs N million dollars a year to provide content and service and that funding is cut to a third by DNT, they will seek one of those two roads, neither of which makes a lot of sense to call "a choice for privacy".

Let's keep this conversation where it should be.  A "preference" means a user's desire for his/her transaction to be processed by the recipient server in accordance with the rules established for that signal by the compliance doc.  If an individual user, with individual use patterns, at any given time finds that to be "a choice for privacy" then so it is - for her.  I doubt that the person asked for a credit card or to identify himself for an out of band exception to view a previously ad supported site will be as cavalier with the word choice.



-Brooks





--



Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the Wunderman Network
(Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
brooks.dobbs@kbmg.com














On 8/21/12 10:43 PM, "Grimmelmann, James" <James.Grimmelmann@nyls.edu> wrote:



I disagree; this is far from a "clear" case.  Here is the coming IE 10 setup process as described by Microsoft (cutting and pasting a bit):



----

In the Windows 8 set-up experience, customers will be asked to choose between two ways of configuring a number of settings: "Express Settings" or "Customize."

Customers will receive prominent notice that their selection of Express Settings turns DNT "on." In addition, by using the Customize approach, users will be able to independently turn "on" and "off" a number of settings, including the setting for the DNT signal.  A "Learn More" link with detailed information about each recommended setting will help customers decide whether to select Express Settings or Customize.

----



And here is the language from the August 14 TPE draft:



----

The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. ...

A user agent must have a default tracking preference of unset (not enabled) unless a specific tracking preference is implied by the decision to use that agent. ...

We do not specify how tracking preference choices are offered to the user or how the preference is enabled: each implementation is responsible for determining the user experience by which a tracking preference is enabled. For example, a user might select a check-box in their user agent's configuration, install an extension or add-on that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., Privacy settings: high). The user-agent might ask the user for their preference during startup, perhaps on first use or after an update adds the tracking protection feature.

----



There is a plausible argument that selecting Express Settings after being given prominent notice that this will turn DNT on is both a "deliberate choice by the user" and "a choice for privacy that then implicitly includes a tracking preference" that the user-agent "ask[s] the user for ... during startup."  And because the user chooses to use Express Settings, there is also a plausible argument that IE 10 will "have a default tracking preference of unset."

There are also some plausible counterarguments.  For example, it is possible that Microsoft's explanation of the effect of choosing Express Settings will not be clear and prominent enough to make selecting it a "choice for privacy."  It is also unclear what the default state of the DNT checkbox will be in "Customize."

I'm sure that this is not what many others on the list *intend* the TPE draft to mean, but based on what the draft currently *says*, IE 10's compliance is open to serious debate.



James



--------------------------------------------------

James Grimmelmann              Professor of Law
New York Law School            (212) 431-2864
185 West Broadway              james.grimmelmann@nyls.edu
New York, NY 10013             http://james.grimmelmann.net



On Aug 21, 2012, at 9:35 PM, Roy T. Fielding <fielding@gbiv.com> wrote:



On Aug 21, 2012, at 6:01 PM, Tamir Israel wrote:



Roy your apache example, as I understood it, applies in clear cases of non-compliance. I don't think there's ever going to be such a clear case as in reality implementations are going to be quite varied and browser sniffing of the kind you're suggesting will lead to browser wars. Case in point:

http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/08/07/do-not-track-in-the-windows-8-set-up-experience.aspx



Which is a clear case of non-compliance.  If pre-selecting an option in a dialog box is not sufficient to gain prior consent, then it certainly isn't sufficient to satisfy:

"The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed."



Browser wars is not a problem I have in HTTP, because of the Apache principle regarding open standards.  If you want to change the standard, feel free to make proposals to that effect within the process defined by this WG.  Please do not continue this argument about honoring deliberately broken UAs; you are wasting our time, as this WG has even less ability to change Apache's principles than it does to impose implementation of a voluntary standard.



....Roy

Received on Wednesday, 22 August 2012 21:52:56 UTC