Re: Today's call: summary on user agent compliance

On Jun 7, 2012, at 8:05 , Rigo Wenning wrote:

> On Wednesday 06 June 2012 15:00:00 David Singer wrote:
>> You might have good reason.  But it's still not compliant.  I sent
>> you "Please do X", and you replied "No, I won't, I don't believe
>> you."  I don't think you can describe that as *compliant*.  You
>> might think it *justified*.
> 
> For the record and as a personal opinion. I expressed a totally 
> different opinion on the call. This was not taken into account. 
> 
> If the TPE allows you to send an NACK ("No, I won't" full stop), 
> then it is compliant to say No. It may not be privacy enhancing, but 
> it is compliant. If the TPE contains no way to (explicitly or 
> implicitly) say "No, I won't" then we go into very troubled water, 
> socially and legally!

I think you need to explain this.  

It's a choice to implement DNT (on either end), but once you do, your obligations -- what you signed up for -- should be clear (for both ends).  "Yes, we implement DNT and comply with the W3C specifications" should mean that both ends should know what to expect of the other.

Defining that "I'll stop tracking unless I don't feel like it" as *compliant* makes it basically unpredictable what will happen.

> It means that the user can force the 
> preference on the server.

Nobody is forcing anyone to implement DNT, but once they do, it should be clear what is expected of them: and that needs to be more than "exercise their own judgment over what to do and what not to do".

> The only option is then that the server 
> can silently give up compliance which could be seen as misleading. 
> If I would be a server in this situation, I would give up compliance 
> immediately for all DNT because this is legally untenable.

These are strong words, which I don't see supported.

Imagine a function

"Y = SQRT(X)

This returns the square root of X, unless the system has reason to believe that the caller didn't need a square root at this time, whereupon it returns something else."

Seriously, this is a useful definition?

> Shane argued many times in other areas that if we fail to honor, we 
> can do so, but have to alert the UA. 


*That* I agree with.  At the moment, it's even hard to detect whether the server claims one or more permissions, or believes it has an exception grant from the user.


Overall, the way to get good behavior in any protocol is to strive to be *more compliant* than the other end.  At the moment, people are arguing that they should be allowed, encouraged even, to be *less compliant* (because you would ignore a DNT signal from users who did, in fact, mean it).  This is a race to the bottom, and a recipe for something worthless.

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Thursday, 7 June 2012 16:31:44 UTC