Re: tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking Definitions and Compliance] from Justin Brookman on 2012-06-01 (public-tracking@w3.org from June 2012)

From: Justin Brookman <justin@cdt.org>
Date: Fri, 01 Jun 2012 18:31:51 -0400
To: "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <4FC942D7.1020904@cdt.org>
As a user, if I'm going to pick a party to guess my preference, I am 
going to pick *my* user agent instead of some downstream third party I 
have no relationship with whatsoever.  If I choose to run PrivacyBrowser 
because it has been marketed as the privacy-protective browser that runs 
DNT automatically, I am going to be rather surprised to hear that 
AdNetzUnlimited has ignored or stripped the header because I probably 
never meant it in the first place.  You can't do that with default 
cookie settings today in Safari, and you won't be able to do it with DNT 
either.  If an ISP changed the user's headings from DNT:1 to DNT:0 
without user interaction, I am comfortable that existing law would 
address that situation and I would not expect third party websites to be 
in a position to police that.  If anyone feels they have a legal case 
against a user agent for pre-checking DNT or otherwise pushing users 
toward using the header, W3C will pose no barrier to the pursuit of 
those remedies.

We spent the last several months stating we're not going to specify UI 
or guess user intent.  The group rejected specifying standards of 
consent for exceptions to DNT.  I still haven't heard how you are going 
to deal with the example of PrivacySuite configuring Mozilla to send 
DNT.  If lawyers or coders at each of the companies are going to have to 
guess what constitutes UA compliance for a part of the spec we haven't 
written yet and guess what the UI was for that UA for each user, you're 
opening yourselves up to extra compliance costs and significant exposure 
to liability, let alone intense press and user scrutiny.

Justin Brookman
Director, Consumer Privacy
Center for Democracy&  Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
tel 202.407.8812
fax 202.637.0969
justin@cdt.org
http://www.cdt.org
@CenDemTech
@JustinBrookman


On 6/1/2012 6:56 PM, Dobbs, Brooks wrote:
> New voice here...  I might as well jump right into the controversy.
>
> I am not sure there is full consistency here.  I read the spec as 
> saying "Key to that notion of expression is that it /must/ reflect the 
> user's preference".  This seems pretty foundational to me.  Where 
> there is a significant likelihood for the origin server to believe 
> that the expression is not a reflection of the user's preference 
> (either as a 1 or a 0), wouldn't such server  be in error to process 
> it accordingly?  Conversely to the IE/AVG cases, if hypothetically an 
> ISP were to inject an extension into every DNT header which in the 
> future allowed for an exception, wouldn't the server be in error for 
> always making room for this exception where they know it to be coming 
> from that ISP?
>
> -Brooks
>
> -- 
>
> *Brooks Dobbs, CIPP *| Chief Privacy Officer |*KBM Group* | Part of 
> the Wunderman Network
> (Tel) 678 580 2683 | (Mob) 678 492 1662 | *kbmg.com*
> _brooks.dobbs@kbmg.com
>
>
> _
> This email -- including attachments -- may contain confidential 
> information. If you are not the intended recipient,
>  do not copy, distribute or act on it. Instead, notify the sender 
> immediately and delete the message.
>
>
> On 6/1/12 4:36 PM, "Justin Brookman" <justin@cdt.org> wrote:
>
>       Agree with David --- we don't even know what MSFT's eventual
>     implementation is going to be, and I can't say I know what AVG's
>     is today.  Is there a screen that's pre-checked?  Is there some
>     sort of ephemeral notice saying "by the way, DNT is on."  Will
>     those UIs change over time?  Who is going to monitor the UIs and
>     make the decision: "No, this isn't user choicey enough!"  How will
>     you know what the UI was when the user installed the user agent?
>      Even if the default is on and there's no notice at all, how will
>     the party know that the user didn't turn it off at some point, see
>     a retargeted ad for a Vegas casino, and then turn in back on again?
>
>      I can't see how a standard answers those questions.
>
>     Justin Brookman
>     Director, Consumer Privacy
>     Center for Democracy & Technology
>     1634 I Street NW, Suite 1100
>     Washington, DC 20006
>     tel 202.407.8812
>     fax 202.637.0969
>     justin@cdt.org
>     http://www.cdt.org
>     @CenDemTech
>     @JustinBrookman
>
>      On 6/1/2012 5:28 PM, David Singer wrote:
>
>
>
>
>         On Jun 1, 2012, at 14:22 , Shane Wiley wrote:
>
>
>
>
>
>             David,
>
>
>
>             I disagree.  If you know that an UA is non-compliant, it
>             should be fair to NOT honor the DNT signal from that
>             non-compliant UA and message this back to the user in the
>             well-known URI or Response Header.  Further, we can
>             provide information for the user to use a UA that is DNT
>             compliant if they wish for their preference to be honored
>             in that regard.
>
>
>
>
>
>
>
>
>         OK, I think we will have to agree to disagree.  I can't think
>         of any other spec., off hand, that allows one end to
>         'misbehave' if they believe the other end is misbehaving.
>          There *are* specs that deal with what you do if you see
>         actual invalid values, incorrect responses, etc., but none
>         that I know of that allow you to conclude 'you didn't really
>         mean that' and do something other than what was signalled.
>
>
>
>
>         I still don't know how you tell the difference between a user
>         who agree with, and wanted, the choice, and a user who wasn't
>         aware of it.
>
>
>
>
>
>
>
>
>
>
>
>
>         David Singer
>
>         Multimedia and Software Standards, Apple Inc.
>
>
>
>
>
>
>
Received on Friday, 1 June 2012 22:32:25 UTC