Re: ACTION-43: added user-agent-managed site-specific exception proposal to Editor's Draft

David, 

we are approaching the "normal" catch-22 situation of the data
self-determination concept that is secretly underlying all our discussions IMHO.

On Wednesday 18 January 2012 16:37:25 David Singer wrote:
> I think we're designing a protocol between the UA and the server, and what
> that protocol means and its requirements.  UA to user interactions are out
> of the scope of a MUST statement, I think.

And if you want to have (some) user-control and self-determination, we assume 
that at some point the user should be enabled to make a (albeit possibly 
automated) decision. And the protocol, at some point, needs to trigger that 
decision process. I do not believe we can avoid that without going square to 
the entire concept of privacy (because privacy is finally about autonomy).

This said, a specification should only say that there MUST be a user decision
and not how that user decision is implemented. Note that P3P implementation on 
UAs failed mainly because of lacking guidance and complete misunderstanding by 
implementers. Coming out of a 4 year research project where we investigated 
some of this, I could imagine that it may be worthwhile to have some good 
practices documentation where we join forces to unearth good privacy 
interfacing guidelines.

Best, 

Rigo

Received on Thursday, 19 January 2012 07:45:50 UTC