Re: action-231, issue-153 requirements on other software that sets DNT headers from Justin Brookman on 2012-08-23 (public-tracking@w3.org from August 2012)

From: Justin Brookman <jbrookman@cdt.org>
Date: Thu, 23 Aug 2012 17:48:24 -0400
To: public-tracking@w3.org
Message-ID: <876c1ab6-c1ec-41fe-a6f0-44653b8785bf@blur>

No, what is obvious is that are advocating for two different levels of user  
intent: a high bar for turning on DNT in the first place, and a considerably  
lower bar for getting a user-granted exception to the DNT signal.  A user  
agent must set its user interface very carefully to ensure that DNT is the  
clearly intentioned will of the user but a party, but a site only needs to  
abide by the law to get an exception to this c

Sent via mobile, please excuse curtness and typos

-----Original message-----
From: "Roy T. Fielding" <fielding@gbiv.com>
To: Justin Brookman <jbrookman@cdt.org>
Cc: public-tracking@w3.org
Sent: Thu, Aug 23, 2012 20:28:22 GMT+00:00
Subject: Re: action-231, issue-153 requirements on other software that sets   
DNT  headers

On Aug 23, 2012, at 6:01 AM, Justin Brookman wrote:

> It is inaccurate to say that IE10's implementation is inconsistent witht  
the spec, as the WG has not chosen an option to define explicit and informed  
consent.  The Windows flow presents information about DNT along with several  
other options; as an opt-in flow, you could argue that DNT should be called  
out more prominently, but I have seen a lot worse.
> 
> Please recall that the group previously rejected requiring consent to  
require distinct permission separate from other information, and you  
yourself wanted to leave open the possibility that consent could be obtained  
through a *privacy policy*.  So it is certainly an open question whether  
IE10 meets the explicit and informed consent standard that the spec provides  
for.

No, I said that a privacy policy is not by nature inconsistent
with prior consent. It depends how the policy is constructed and
presented to the user.  In other words, they are orthogonal, whereas
you assume that "privacy policy" means some long document elsewhere
that is not presented to the user and does not have an affirmative
choice option.  I also said that prior consent is a state of being,
and regulators can and do fine companies when they assume consent
that has not actually been granted.  None of that should be a surprise.
It is sufficient to say "must have prior consent", without any
further details whatsoever, because that's how existing laws work.

What is missing from the MSIE co

Received on Thursday, 23 August 2012 21:48:37 UTC