Fwd: meaning of DNT 1 and DNT 0 when sent by user agents [ISSUE-78]

From: Aleecia M. McDonald <aleecia@aleecia.com>
Date: Sat, 14 Jan 2012 18:54:40 -0800
Cc: Nicholas Doty <npdoty@w3.org>
To: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-Id: <BF6153D0-1C93-4D24-BDD1-C670336A28FE@aleecia.com>

As sent by Ori Eisen. Nick, could you check into why Ori's message was held up?

Apologies if this eventually results in a duplicate message.

	Aleecia

Begin forwarded message:

-----Original Message-----
From: Ori Eisen - AdTruth
Sent: Friday, January 13, 2012 5:58 PM
To: 'Kevin Smith'; Tom Lowenthal; public-tracking@w3.org
Subject: RE: meaning of DNT 1 and DNT 0 when sent by user agents [ISSUE-78]

Kevin et al,

I am new to this thread, and relatively new to the industry.  I have experience with how government bodies review definitions, from a risk and fraud detection perspective.

I think that to the industry insiders, the definitions of DNT are either technical or business in nature, and have impact as a result.  However, what regulators often review is the user's perspective.  For example, if we were all bankers or credit card issuers - we would discuss the minimum APR% clause and how it would affect our accounting and profitability.
However, to a regulator, this comes secondary, and they will review how a user interprets the language. For them, the language will revolve around Fair Lending Practices and nothing that is considered industry "lingo".

The notion of first-party and third-party cookies is not obvious to most users, and if you need proof, ask your parents to explain the difference to you.  Most users do not know, nor care how the online display industry works.  Do Not Track sounds like Do Not Call, and the FTC will assume it works the same way - yet, it does not.

I do think that DNT is the best option we have seen to date as far as something that can get mass adoption, quickly, with a UI that a 79 year-old can operate (sorry Mom).

Here is how I would interpret the intent, and how we may want to think about it.  I started my first-ever reply to this thread acknowledging that I am a newbie to the ad industry, so I could be completely off on this...

Here is how I see it:
When I point my browser to CNN.com, and they ask me "Would you like the US or European Edition", I click on the US.  They will then set a first-party cookie that helps me get a better use of CNN.com.  That relationship between me and CNN is not the intent of DNT.  As the cookie set for this, is NOT intended to "track" me beyond the digital walls at CNN.  Further, this cookie is really an implementation choice to render the US edition for me by default, so I don't need to keep telling them what I prefer to read each time I come to their site.

Beyond this "type of use" of cookies, we begin the "T Word" - Tracking.

Now, I would consider fair game, if CNN used this cookie or similar first-party cookie to analyze my behavior on CNN, get usability tests and everything else that makes my relationship with CNN "better". The extreme use of this first party cookie, is <drum roll>... selling me stuff on CNN based on my interests. For example, if I click on a story about Mardi Gras - they can sell me or show display ads about beads, plane tickets and hotel rooms in New Orleans.  That would actually be a great service.

Anything ELSE would be considered by a regulator as "Secondary Use of Data" - and would be questionable.

When I go to CNN.com, I am unaware of the 30 retargeting companies who have been allowed to ALSO get my information, for uses on CNN.com and beyond.  It is THAT, which users want control over first and foremost.  It is the secondary use of data, which is not bound by the IMPLICIT relationship users have with CNN.com by merely visiting their site, for free.

Hence, perhaps our discussion should also have a user's perspective and what would a regulator most-likely care about, in order for us to move the discussion forward.  Otherwise, we as a working-group, can have a situation where the "operation is a success, but the patient died".  All this to say, is after we identify the core of the matter, we can begin the discussion of the implementation options and their implications.

Is it not our intent that beyond self-regulation, we present a solution that users and regulators can fully understand and adopt?

Ori

-----Original Message-----
From: Kevin Smith [mailto:kevsmith@adobe.com]
Sent: Friday, January 13, 2012 1:58 PM
To: Tom Lowenthal; public-tracking@w3.org
Subject: RE: meaning of DNT 1 and DNT 0 when sent by user agents [ISSUE-78]

I personally think that's the least of our problems.  The two docs are two halves to a whole.  Neither has identity or meaning without the other.  If they disagree, that's a problem.  Otherwise, I think we are a little early in the process to worry about minor editorial decisions.  Eventually, it probably makes the most sense to combine the docs.

However, as a frequent consumer of technical docs, I would be (and have been) frustrated by a doc that instructs on how to configure a setting without providing adequate detail on what that configuration means.  As a potential implementer, I plead with you to leave the description of the setting, next to the setting.  After all, the intent of the second doc is to provide definition of compliance, not definition of functionality.

-----Original Message-----
From: Tom Lowenthal [mailto:tom@mozilla.com]
Sent: Friday, January 13, 2012 12:22 PM
To: public-tracking@w3.org
Subject: Re: meaning of DNT 1 and DNT 0 when sent by user agents [ISSUE-78]

I completely agree with you that we should define the meaning of the DNT:1/DNT:0 in the compliance document not the expression document. I would much rather not have any normative explanation of what behavior is associated with on/off/not-sent in the TPE doc. But, if there is a short blurb, I'd prefer if it were accurate rather than inaccurate.

I think that we've made some good progress on defining the "who" when we introduced the first/third party definition Jonathan and I worked on, the group responded positively, and gave some really specific, constructive suggestions. I hope to be able to incorporate the suggestions by Monday. What do you think of our progress so far?

Would folks be opposed to cutting the compliance-related summary from the TPE spec altogether?

On 01/13/2012 01:28 AM, Rigo Wenning wrote:
> Tom,
> 
> while I like your definitions of DNT:1 and DNT:0, I maintain that the
> DNT Specification should say that DNT is enabled/disabled/unset. And
> not saying anything about "First parties not sharing information".
> 
> The difficult part is IMHO then the definition of scope of the user's
> DNT- declaration. You say "who receives it" This was my initial take
> to scope it, namely simply by the GET request. People thought that
> this wouldn't be sufficient. Then we talked about "origins" and first and third parties.
> 
> So one of the weaknesses of the DNT - definitions is still the exact
> circle of addressees. We have tried corporation law rules
> (affiliate), social rules (first, third parties), browser habits
> (origins), user expectations (theoretic horizon). But as in the real
> world, if one speaks out, it is difficult to determine for all others
> what she really meant and to whom he was really talking to. At some
> point the choice ends up having something arbitrary that best fits
> the needs and integrates into web architecture. Because once this
> technology is out, it will create the user expectations we are trying to anticipate. But it may be hard to anticipate the non-existing.
> 
> IMHO we haven't yet really found a good addressee (or multitude
> thereof) and should discuss this further. Once we have the addressee,
> we can discuss about how the preference expression is perceived and what it is supposed to mean.
> "Supposed to mean" is a topic for the compliance specification IMHO.
> 
> Best,
> 
> Rigo
> 
> 
> On Thursday 12 January 2012 15:36:48 Tom Lowenthal wrote:
>> Correction: "All parties" in the DNT:0 blurb should be "Both first
>> and third parties". The header only imparts
>> information/permission/preferences to the party receiving it, not to
>> anyone else. That was just sloppy writing on my part.
>> 
>> Does anyone have any suggestions for modifications to this? Roy, if
>> we don't get any suggested changes, could you incorporate this
>> before the "let's read it on the plane" document freeze?
>> 
>> On 01/12/2012 03:02 PM, Roy T. Fielding wrote:
>>> On Jan 12, 2012, at 12:52 PM, Tom Lowenthal wrote:
>>>> On 01/10/2012 06:12 PM, Roy T. Fielding wrote:
>>>>> 1 Do not track me across differently-branded sites and do not use
>>>>> previously tracked/obtained behavioral data from other sites to
>>>>> personalize a response.
>>>>> 
>>>>> 0 Use of cross-site tracking and personalization has been
>>>>> specifically permitted for this site, as described in section 6.
>>>>> User-agent-managed site-specific exceptions.
>>>> [Section 4, 4.1]
>>>> As mentioned on the call, I was surprised to see this definition
>>>> of DNT:0 positioned as a site-specific exception to a general DNT:1
>>>> preference. I was expecting (and others on the call seemed to
>>>> assume) a quite different approach. My understanding is more as
>>>> follows:
>>>> 
>>>> 
>>>> DNT:1 Tells everyone who receives it that I have a heightened
>>>> preference for privacy and against being tracked. First parties
>>>> mustn't share any information about me. Third parties must treat
>>>> me like someone about whom they know nothing, and remember nothing
>>>> about me later.
>>>> 
>>>> DNT:0 Tells everyone who receives it that I have a preference
>>>> towards a personalized service, and consent to tracking. All
>>>> parties may gather data and learn about me and should use that
>>>> information to improve my experience with them.
>>> I have no problem defining it that way if that is how user agents
>>> intend to implement it.  What I wrote is how it is currently
>>> implemented, AFAICT. I agree that the current state isn't as crisp
>>> as what you describe above, for a variety of reasons.
>>> 
>>> Can we get some input from the other browser vendors?
>>> 
>>> ....Roy


Received on Sunday, 15 January 2012 02:55:27 UTC