Re: meaning of DNT 1 and DNT 0 when sent by user agents [ISSUE-78] from John Simpson on 2012-01-13 (public-tracking@w3.org from January 2012)

From: John Simpson <john@consumerwatchdog.org>
Date: Fri, 13 Jan 2012 12:11:59 -0800
To: Tom Lowenthal <tom@mozilla.com>
Cc: public-tracking@w3.org
Message-Id: <350B5EE3-A34B-430F-89AC-F1D2958C1161@consumerwatchdog.org>
I believe the compliance related summary does not belong in the TPE.  That sort of language should go in the compliance document.

On Jan 13, 2012, at 11:22 AM, Tom Lowenthal wrote:

> I completely agree with you that we should define the meaning of the
> DNT:1/DNT:0 in the compliance document not the expression document. I
> would much rather not have any normative explanation of what behavior is
> associated with on/off/not-sent in the TPE doc. But, if there is a short
> blurb, I'd prefer if it were accurate rather than inaccurate.
> 
> I think that we've made some good progress on defining the "who" when we
> introduced the first/third party definition Jonathan and I worked on,
> the group responded positively, and gave some really specific,
> constructive suggestions. I hope to be able to incorporate the
> suggestions by Monday. What do you think of our progress so far?
> 
> Would folks be opposed to cutting the compliance-related summary from
> the TPE spec all together?
> 
> On 01/13/2012 01:28 AM, Rigo Wenning wrote:
>> Tom, 
>> 
>> while I like your definitions of DNT:1 and DNT:0, I maintain that the DNT 
>> Specification should say that DNT is enabled/disabled/unset. And not saying 
>> anything about "First parties not sharing information". 
>> 
>> The difficult part is IMHO then the definition of scope of the user's DNT-
>> declaration. You say "who receives it" This was my initial take to scope it, 
>> namely simply by the GET request. People thought that this wouldn't be 
>> sufficient. Then we talked about "origins" and first and third parties. 
>> 
>> So one of the weaknesses of the DNT - definitions is still the exact circle of 
>> addressees. We have tried corporation law rules (affiliate), social rules (first, 
>> third parties), browser habits (origins), user expectations (theoretic 
>> horizon). But as in the real world, if one speaks out, it is difficult to 
>> determine for all others what she really meant and to whom he was really 
>> talking to. At some point the choice ends up having something arbitrary that 
>> best fits the needs and integrates into web architecture. Because once this 
>> technology is out, it will create the user expectations we are trying to 
>> anticipate. But it may be hard to anticipate the non-existing. 
>> 
>> IMHO we haven't yet really found a good addressee (or multitude thereof) and 
>> should discuss this further. Once we have the addressee, we can discuss about 
>> how the preference expression is perceived and what it is supposed to mean. 
>> "Supposed to mean" is a topic for the compliance specification IMHO.
>> 
>> Best, 
>> 
>> Rigo
>> 
>> 
>> On Thursday 12 January 2012 15:36:48 Tom Lowenthal wrote:
>>> Correction: "All parties" in the DNT:0 blurb should be "Both first and
>>> third parties". The header only imparts
>>> information/permission/preferences to the party receiving it, not to
>>> anyone else. That was just sloppy writing on my part.
>>> 
>>> Does anyone have any suggestions for modifications to this? Roy, if we
>>> don't get any suggested changes, could you incorporate this before the
>>> "let's read it on the plane" document freeze?
>>> 
>>> On 01/12/2012 03:02 PM, Roy T. Fielding wrote:
>>>> On Jan 12, 2012, at 12:52 PM, Tom Lowenthal wrote:
>>>>> On 01/10/2012 06:12 PM, Roy T. Fielding wrote:
>>>>>> 1	Do not track me across differently-branded sites and do not use
>>>>>> previously tracked/obtained behavioral data from other sites to
>>>>>> personalize a response.
>>>>>> 
>>>>>> 0	Use of cross-site tracking and personalization has been
>>>>>> specifically permitted for this site, as described in section 6.
>>>>>> User-agent-managed site-specific exceptions.
>>>>> 
>>>>> [Section 4, 4.1]
>>>>> As mentioned on the call, I was surprised to see this definition of
>>>>> DNT:0 positioned as a site-specific exception to a general DNT:1
>>>>> preference. I was expecting (and others on the call seemed to assume)
>>>>> a
>>>>> quite different approach. My understanding is more as follows:
>>>>> 
>>>>> 
>>>>> DNT:1 Tells everyone who receives it that I have a heightened
>>>>> preference
>>>>> for privacy and against being tracked. First parties mustn't share any
>>>>> information about me. Third parties must treat me like someone about
>>>>> whom they know nothing, and remember nothing about me later.
>>>>> 
>>>>> DNT:0 Tells everyone who receives it that I have a preference towards
>>>>> a
>>>>> personalized service, and consent to tracking. All parties may gather
>>>>> data and learn about me and should use that information to improve my
>>>>> experience with them.
>>>> 
>>>> I have no problem defining it that way if that is how user agents intend
>>>> to implement it.  What I wrote is how it is currently implemented,
>>>> AFAICT. I agree that the current state isn't as crisp as what you
>>>> describe above, for a variety of reasons.
>>>> 
>>>> Can we get some input from the other browser vendors?
>>>> 
>>>> ....Roy
>> 
> 

----------
John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd. ,Suite 200
Santa Monica, CA,90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org
john@consumerwatchdog.org
Received on Friday, 13 January 2012 20:17:38 UTC