RE: ACTION-43: added user-agent-managed site-specific exception proposal to Editor's Draft from JC Cannon on 2012-01-19 (public-tracking@w3.org from January 2012)

From: JC Cannon <jccannon@microsoft.com>
Date: Thu, 19 Jan 2012 21:17:33 +0000
To: David Singer <singer@apple.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <DB4282D9ADFE2A4EA9D1C0FB54BC3BD76E47F4F1@TK5EX14MBXC133.redmond.corp.microsoft.>

I wholeheartedly agree with David on this point.

JC

-----Original Message-----
From: David Singer [mailto:singer@apple.com] 
Sent: Thursday, January 19, 2012 9:29 AM
To: public-tracking@w3.org (public-tracking@w3.org)
Subject: Re: ACTION-43: added user-agent-managed site-specific exception proposal to Editor's Draft

Right.  As I am sure you know, I am all for user-control and user self-determination.

But there is an important avenue that users have to exercise that control, and that is in their choice of user-agent, and their choice of its configuration.

They re at liberty to say "I use browser X even though it doesn't support DNT because of Y", and they are liberty to say "I prefer browser M over browser N, because N is constantly asking me to make DNT choices in real-time, whereas M I can configure so it just gets it right".

I think it a *huge* mistake for us to design the way the user makes choices.  Be clear in the text that certain aspects of 'driving' the protocol belong to the user, but don't tell browsers what to do to make sure that that is the case. " MUST provide a user interface prompting the user to choose" is not a good phrase.

On Jan 18, 2012, at 23:45 , Rigo Wenning wrote:

> David, 
> 
> we are approaching the "normal" catch22 situation of the data self 
> determination concept that is secretly underlying all our discussions IMHO. 
> 
> On Wednesday 18 January 2012 16:37:25 David Singer wrote:
>> I think we're designing a protocol between the UA and the server, and what
>> that protocol means and its requirements.  UA to user interactions are out
>> of the scope of a MUST statement, I think.
> 
> And if you want to have (some) user-control and self-determination, we assume 
> that at some point the user should be enabled to make a (albeit possibly 
> automated) decision. And the protocol, at some point, needs to trigger that 
> decision process. I do not believe we can avoid that without going square to 
> the entire concept of privacy (because privacy is finally about autonomy).
> 
> This said, a specification should only said that there MUST be a user decision 
> and not how that user decision is implemented. Note that P3P implementation on 
> UAs failed mainly because of lacking guidance and complete misunderstanding by 
> implementers. Coming out of a 4 year research project where we investigated 
> some of this, I could imagine that it may be worthwhile to have some good 
> practices documentation where we join forces to unearth good privacy 
> interfacing guidelines.
> 
> Best, 
> 
> Rigo
> 

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Thursday, 19 January 2012 21:18:09 UTC