W3C home > Mailing lists > Public > public-tracking@w3.org > January 2012

Re: meaning of DNT 1 and DNT 0 when sent by user agents [ISSUE-78]

From: Rigo Wenning <rigo@w3.org>
Date: Tue, 17 Jan 2012 22:55:24 +0100
To: Kevin Smith <kevsmith@adobe.com>
Cc: "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <11249348.ODFgWe2b5G@freud>
Kevin, 

On Tuesday 17 January 2012 09:02:16 Kevin Smith wrote:
> I was not actually commenting on W3C procedure as much as I was mentioning
> that it seems trivial and inefficient to argue over specific wording when
> the underlying decisions have yet to be made, especially when making those
> decisions will also resolve the argument as well, which I believe to be the
> case here.

First of all, I think the "cross-site" or 1st vs 3rd party were all very 
clever diversions to save the analytics business. In fact, as long as the web 
site owner collects data (and any kind of data and whatever data) this is just 
fine. <irony>Only those evil ad networks have brought us into trouble. They are 
evil third parties doing cross-site tracking and analysis</irony>

But in the US context (that triggers all the debate about first/third cross-
site/original) it doesn't matter at all, who collects the data as they can 
exchange it freely in the back end. There is no general privacy law, let alone 
one on data protection. And because data serves innovation, the US government 
is very reluctant to just mow data collection down. 

I am personally (and not as W3C) reluctant to make those distinctions. Because 
I think the Web and its direct connection between all actors will be much 
smarter than any kind of distinction we can come up with. 

But it would be on the other hand a bit derailing for the discussion, if I 
would now ask to focus on a risk analysis. What do we want to protect? Is it 
mere compliance to a feared regulator action while privacy is also a defense 
against the regulating government? If this risk analysis has a result that 
certain collection practices done by first parties within the same side are 
endangering democracy, we shouldn't glue to false principals and address that.

If on the other hand, some third party collections are just Ok, I don't see 
why we should demonize that collection only because it is "cross-site"  or 
"third party". 

And everybody waits that we deliver quickly. So can we really afford changing 
that discussion? Frankly, I don't know. On the other hand, remaining in the 
technology trenches doesn't buy us much either. Delaying doesn't further 
privacy protection on the web and increases the eagerness for harsh 
countermeasures of technologic and social nature by those waiting for us to 
deliver something. 

> 
> The question of our ultimate objective needs to be answered.  

I agree with you. But you have to start thinking about what you can give up. 
And clearly state what you can't give up and why. (without revealing business 
secrets.. ) What is the risk we try to tackle and what is the benefit we'll 
lose?
> 
> One proposed objective is: 
> 
> **To provide a mechanism whereby a user can indicate preference to disallow
> cross-site tracking**

See and others say, DNT is to provide a mechanism to indicate a preference
full stop. By introducing the "cross-site" you draw the discussion about the 
"ultimate objective" into the TPE Spec where it does NOT belong IMHO. Because 
the use of that tool will perhaps change by region and over time.
> 
> I do not believe I am alone in thinking that we at one time had consensus
> that this was our objective.  However, I am no longer sure this is the
> case.  It sounds like some parties would prefer an objective closer to:
> 
> Prevent cross-tracking + X

I never had the impression of such a consensus. But coming back to process. It 
is on the chairs to state whether they see (and suggest a wording for) a 
consensus. 
> 
> However, I have not seen any clear proposals as to what X should be.  

See above. There were many concerns expressed, many times, in the Workshops 
predating the WG and in WG discussions. See my remarks above about a risk-
based discussion..

> I have
> seen a few suggestions focusing on different privacy related issues, but
> nothing comprehensive nor anything that has gained any real traction within
> the group as a whole.  

Which is fragmentation. And fragmentation is the opposite of consensus as far 
as I understand it. We should intelligently seek for common grounds between 
the parties instead of defending the trenches. 

> However, if the group decides to expand upon or
> completely go away from the objective of preventing cross-site tracking,
> then I am confident that the documents will be changed
> accordingly.  

I think it will be impossible to only address the "cross-site" aspects of the 
massive profiling that is happening without risking to be accused to try to 
escape from the real issues. 

How do you prevent abuse of such profiles? What aspects of consumer protection 
are we willing to honor if a user indicates by setting DNT that he wants to be 
left alone for a moment. 
But how can we manage to make the "opt-back-in" really easy and a tool for 
businesses with good practices? So that they gain advantages in the market and 
acquire more users than the evil guys who just rip off every bit they can get? 
If convincing users to allow data collection is hard, DNT has missed an 
opportunity.

> Likewise, if the objective is once again (or perhaps for the
> first time) solidified as mentioned above, then most objections to the
> current language will likely dissipate leaving only organizational
> discussions remaining on this topic.

I think the conflict around the terminology here is just a proxy war around 
certain collection practices. But I confess that we are doing our 
argumentation in public and it is probably necessary to have indirect 
argumentation. 
> 
> I therefore recommend again that this topic be tabled until at least the
> above decision has been made.

I agree it is not good for our discussion to make a show-down on "cross-site" 
vs not "cross-site". Because "cross-site" is as difficult a distinction as 1st 
vs 3rd party. Additionally, "cross-site", by logic, requires two parties. A 
first and a second/third party.

Whether data is collected via 10 first parties using the same analytics 
provider or by 1 third party being embedded into 10 sites doesn't really 
matter. Does it? Can they afford to let some of the traffic drop out? How much 
can drop out until the analysis is not accurate enough anymore to make sense?

Best, 

Rigo
Received on Tuesday, 17 January 2012 21:55:54 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:38:30 UTC