- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Thu, 23 Aug 2012 16:46:26 -0700
- To: Justin Brookman <jbrookman@cdt.org>
- Cc: public-tracking@w3.org
- Message-Id: <6BF21AF2-0C41-4630-A877-C3FAA425931C@gbiv.com>
On Aug 23, 2012, at 2:48 PM, Justin Brookman wrote:

> No, what is obvious is that you are advocating for two different levels of user intent: a high bar for turning on DNT in the first place, and a considerably lower bar for getting a user-granted exception to the DNT signal.

I don't know what you are talking about. To get a user-granted exception we have to interrupt the user's task, ask them to grant an exception, have an explicit action by the user grant that exception (unless it has already been explicitly granted and cached by the UA), and then hope that the UA actually sends DNT:0 as a result of the user granting that exception. That is a much higher bar than the spec requires for turning DNT on. I don't even believe it will be implemented by UAs, but that's not my responsibility.

To obtain explicit and informed prior consent, we have to do something out of band that obtains explicit and informed consent. I don't know exactly what that is, but I am sure it doesn't include giving a pre-selected option in a dialog during initial installation/use of an operating system default UA. Would you accept it if Microsoft had said the same dialogs default to sending DNT:0? Would Rob say that the EU data protection laws would be satisfied by the same dialogs pre-selected for DNT:0? My guess is no, that would not qualify in Europe, and companies that operate in Europe would be required to ignore that invalid signal because it is the recipient's obligation to obtain valid (informed, specific, and explicit) prior consent regardless of what some buggy software sends us on the wire. But that's just a guess based on my read of the WP opinions.

Unlike turning DNT on, assuming explicit and informed consent when it has not actually been granted in fact (according to the regulator) can result in penalties that are quite high, both financially and in terms of reputation. Hence, there is a built-in bar for prior consent, based on enforcement actions, that is far more extensive than anything we could summarize in our spec, particularly given that it is also sensitive to context and regional laws.

The argument you were having with Shane, to which I responded, was about what more the document would require for prior consent. Many people are simply not willing to engage in a process of "let's define what regulators should enforce" in the absence of context. It's like playing "pin the tail on the donkey" with actual pins and a real donkey -- not recommended, in practice, and almost certain to be forbidden by our employers. It does not mean that we think consent should be a low bar.

....Roy
Received on Thursday, 23 August 2012 23:46:43 UTC