Re: tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking Definitions and Compliance]

Hi there,

I've been a very silent observer here, so I truly apologize for 
interjecting now.

But I think there is a problem with applying 'default' in a binary 
manner. The objective of this DNT spec is to help users express 
preferences but, surely, this at some point references notions of user 
consent? In this sense, opting in to collection is one thing, and opting 
in to 'non-collection' is quite another since the basis is that you need 
some form (opt-in or opt-out) of consent to collect user information.

I think any specification that overtly _discounts_ a DNT-1 signal sent 
by default is going to be problematic under at least some data 
protection regimes.

Best,
Tamir

-- 

Tamir Israel
Staff Lawyer

Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic
University of Ottawa, Faculty of Law, CML Section
57 Louis Pasteur Street
Ottawa, ON, K1N 6N5
Tel: (613) 562-5800 ext. 2914
Fax: (613) 562-5417




On 6/3/2012 10:48 AM, Rigo Wenning wrote:
> Hi Brooks,
>
> welcome back in the game. We have already discussed a requirement in the
> Specification that intermediaries shouldn't inject stuff. Issue is that the
> server doesn't see that it is an injection as we do not have hashing or some
> such SSL. So by receiving a DNT;1 header, the server has to assume this
> status and by receiving a DNT;0 can assume an exception. In case of
> injections, injecting DNT;1 is creating trouble for the server and injecting
> DNT;0 is creating trouble for the user. This is just a weak point of the
> protocol because of the lacking end-to-end security. We can surely require
> it, but does it buy us anything? I don't know. I would not object if someone
> would come up with a good wording.
>
> Rigo
>
> On Friday 01 June 2012 17:56:21 Dobbs, Brooks wrote:
>> New voice here...  I might as well jump right into the controversy.
>>
>> I am not sure there is full consistency here.  I read the spec as saying
>> "Key to that notion of expression is that it must reflect the user's
>> preference".  This seems pretty foundational to me.  Where there is a
>> significant likelihood for the origin server to believe that the
>> expression is not a reflection of the user's preference (either as a 1 or
>> a 0), wouldn't such server be in error to process it accordingly?
>> Conversely to the IE/AVG cases, if hypothetically an ISP were to inject
>> an extension into every DNT header which in the future allowed for an
>> exception, wouldn't the server be in error for always making room for
>> this exception where they know it to be coming from that ISP?
>>
>> -Brooks
>

Received on Sunday, 3 June 2012 18:43:38 UTC