
Re: Support for ISSUE 143 - EDUCATED Consumer Choice Should Be REQUIRED

From: Tamir Israel <tisrael@cippic.ca>
Date: Sat, 07 Jul 2012 16:43:26 -0400
Message-ID: <4FF89F6E.3020704@cippic.ca>
To: Matthias Schunter <mts-std@schunter.org>
CC: Chris Mejia <chris.mejia@iab.net>, "public-tracking@w3.org" <public-tracking@w3.org>
On 7/7/2012 4:49 AM, Matthias Schunter wrote:
> Hi Chris,
>
>
> I am in the process of post-processing my emails ;-)
>
> Did anything happen on this discussion / has it been resolved?
> If not you may push it forward  by proposing text.
>
> What I deem important is that the text defines meaning/intent without 
> freezing UI or text (if feasible). This will allow for more user agent 
> innovation.
>
> Note that the same holds for DNT;0: If the publisher receives DNT;0 
> then it is interesting to know
> what consent this transports, too. AFAIK Rigo/Rob aim for a similar 
> standardisation for DNT;0.
>
>
> Regards,
> matthias
>
> On 23/05/2012 22:58, Chris Mejia wrote:
>> W3C Tracking Protection Working Group:
>>
>> A DNT choice mechanism is fundamentally flawed when it does not rest 
>> on the basic tenet of _user-educated and informed choice_. I'm 
>> concerned that this working group is setting up an impossible 
>> situation for compliancy:  without a clear _requirement_ for the user 
>> to be informed/educated about the choice they are making, at the 
>> point of that choice (in the user-interface), publishers who receive 
>> DNT:1 signals will have no (up-front) way to understand what the 
>> user's ACTUAL intent was when making their choice, and thus will not 
>> understand how to "honor" such choices.  Without users having a 
>> common understanding of what it means to turn on DNT, users will be 
>> setting/sending the DNT:1 header flag for a myriad of different 
>> reasons, representing many different "choices," based on their 
>> individual understandings of what "tracking," "privacy," or 
>> "do-not-track" mean, as influenced (or not influenced) by the 
>> user-interface they were exposed to when making/setting their choice. 
>>  This 'many choices = one outcome' model is fundamentally flawed and 
>> does not serve the best interest of users or the websites they visit.
>>
>> I have heard the argument that "/users won't get-it/" or "/it's too 
>> complicated for users/" or "/users won't care/"; my reply is, "then 
>> why are we doing this in the first place?"  Which market requirement 
>> are we replying to with DNT:1 = MANY/CHOOSE?  I find it highly 
>> irresponsible and even reckless to put a [powerful] choice mechanism 
>> in front of users without providing users the qualified information 
>> and context necessary to understand what that choice represents/does, 
>> and how it will affect them and the websites/businesses they 
>> frequent/support.  It's akin to saying, "you might need this gun for 
>> personal defense- it's free, take it," but not letting people know 
>> what the gun does. "What happens when I pull this trigger?"  "Just 
>> take the gun." Reckless.
>>
>> In support of Open Issue 143 
>> (http://www.w3.org/2011/tracking-protection/track/issues/143), I 
>> believe this working group's work-product should REQUIRE that users 
>> receive a qualified [by this group] message regarding their DNT 
>> choice, AS that choice is presented to the user in the UI, for ALL 
>> programs that seek COMPLIANCE with this initiative— the technical 
>> requirement of this disclosure should be a mandated and required 
>> component of compliance.  Failing the inclusion of this important 
>> component, compliance (the general compliance document) should not be 
>> contemplated at all.  Adding the notion/suggestion of informed 
>> consent to a "best practices" document/addendum is not nearly 
>> sufficient; it leaves open too many loopholes and will introduce market 
>> confusion.
I think Justin's proposed explanation from the compliance spec on where 
the various interests here lie is very balanced:

While there are a variety of business models to monetize content on the web, many rely on advertising. Advertisements can be targeted to a particular user's interests based on information gathered about one's online activity. While the Internet industry believes many users appreciate such targeted advertising, as well as other personalized content, there is also an understanding that some people find the practice intrusive. If this opinion becomes widespread, it could undermine the trust necessary to conduct business on the Internet. ... This should be a win-win for business and consumers alike. The Internet brings millions of users and web sites together in a vibrant and rich ecosystem. As the sophistication of the Internet has grown, so too has its complexity which leaves all but the most technically savvy unable to deeply understand how web sites collect and use data about their online interactions. While on the surface many web sites may appear to be served by a single entity, in fact, many web sites are an assembly of multiple parties coming together to power a user's online experience. As an additional privacy tool, this specification provides both the technical and compliance guidelines to enable the online ecosystem to further empower users with the ability to communicate a tracking preferences to a web site and its partners.


Maybe someone can adjust this into a user-facing message? In any case, I 
feel confident that it is possible to craft a user-facing message that 
conveys a.) the importance of tracking to websites and b.) the 
importance of letting users choose who they do or do not wish to track 
them. I am confident this can be done in a balanced way....

>>
>> Some members of this working group believe that the "solution" to 
>> this problem is for publishers to ascertain a user's actual choice 
>> expression/intention by messaging all users who transmit the DNT:1 
>> header flag, asking the silly question, "I see you have chosen not to 
>> be tracked, so I just wanted to re-confirm, do you REALLY not want to 
>> be tracked?" allowing for an "exception" when a user answers "oh no, 
>> I didn't really mean THAT."  Come on all… Why do you want to push the 
>> burden of informing consumers, downstream onto publishers?  The end 
>> game of your flawed "logic" is that the Web becomes a battlefield of 
>> annoying privacy pop-up land mines for consumers to navigate— a battle 
>> played out on publisher pages, and at publisher's expense.  Doesn't 
>> it make MUCH more sense to require that the original choice be made 
>> by adequately informed users, up-front in the DNT user-interface, at 
>> the point of choice?
I do not see the exceptions as an attempt to do this. I see the 
exceptions as an attempt to ask the user if she trusts a _specific_ 
publisher or ad network to track them (but not all others). I may very 
well trust advertiserA and advertiserB, but not FinancialProfileMakerC, 
etc....

This is an important nuance, and I would think advertisers and 
publishers would be supportive of this. If it's the mechanism that is 
troubling because it puts too much burden on servers, there's always the 
TPLs....
>>
>> Finally, I want to point out that user education and informed consent 
>> are basic core tenets of the interactive advertising industry's 
>> [DAA's] self-regulation program for online behavioral advertising 
>> (http://www.aboutads.info/)— a program that's been very successful 
>> and praised as a model for all industry, by government (including The 
>> White House, FTC and Dept. of Commerce), regulators, lawmakers and 
>> consumers alike.  Thus far, those basic tenets are missing in DNT. 
>>  If we are going to do this, then let's get it right— we all have a 
>> responsibility to get it right, and serve the BEST interests of 
>> _informed_ consumers.
There is no system of law that I am aware of where you need to seek user 
consent (informed or otherwise) in order to *not* track them....I get 
that this W3C process is about providing mechanisms to 'express user 
preferences', but please let's not pretend you need consent to refrain 
from tracking a user. This just makes no sense in any data protection 
context.

In addition to that, I think many have now indicated that the DAA 
mechanism (as well meaning as it may be) is flawed, most users are not 
aware of it or how to locate it, and overall is not sufficient.

Best,
Tamir
Received on Saturday, 7 July 2012 20:44:07 UTC
