- From: イアンフェッティ <ifette@google.com>
- Date: Fri, 8 Jun 2012 19:03:48 -0700
- To: Tamir Israel <tisrael@cippic.ca>
- Cc: Shane Wiley <wileys@yahoo-inc.com>, Jeffrey Chester <jeff@democraticmedia.org>, Ninja Marnau <nmarnau@datenschutzzentrum.de>, Rigo Wenning <rigo@w3.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, David Singer <singer@apple.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
- Message-ID: <CAF4kx8e-=MBwgwXQ4=eX4bVm_q+fcE_FbeijBiLxogWaifPUsQ@mail.gmail.com>
Tamir and others,

I don't think the point is to say "a server merely notifies the user they will ignore their DNT-1 signal, that this is sufficient to gain user consent for server tracking." Many jurisdictions don't require explicit opt-in consent for "server tracking". Take the US for example. In this case, as long as we're not promising something that we fail to deliver, there is no problem here.

I think you are getting hung up on the case where, in some countries depending on what finalized legislation comes out, there might be a requirement to obtain explicit opt-in consent. I agree with you that the mere act of rejecting the user's DNT:1 signal is not explicit opt-in consent in that context, and the website would probably have to take further steps to obtain that explicit opt-in consent. But that does not need to be the problem of this working group or specification.

The point of DNT is to allow a user to express a preference on tracking. The point of DNT is not to solve the EU regulatory debacle, or any other country-specific regulations. If it can be useful in that manner, then great, but I continue to question whether we should allow this working group to get continually railroaded into trying to solve country-specific regulatory problems.

-Ian

On Fri, Jun 8, 2012 at 10:59 AM, Tamir Israel <tisrael@cippic.ca> wrote:

> Hi Shane,
>
> I want to reiterate what I said earlier on -- I understand there is already an agreement on defaults in the group, and it is not my intention to question that.
>
> However, in this context, I'm not clear that where a server merely notifies the user they will ignore their DNT-1 signal, that this is sufficient to gain user consent for server tracking.
>
> Let me explain. The basis for tracking under the current spec is that the server is gaining implicit, opt-out consent to track the user. The 'opt-out' consent is mediated through the UA's browser mechanism. Now, if the server is saying 'I will ignore your DNT-1 because I deem it non-compliant', there is no longer an opt-out consent mechanism in place for the server to rely on.
>
> Best,
> Tamir
>
> On 6/8/2012 11:29 AM, Shane Wiley wrote:
>
>> Tamir,
>>
>> While I agree it does add a degree of uncertainty initially, as long as the outcome is completely transparent to the user then I believe the appropriate outcome has been reached.
>>
>> We are attempting to resolve this in the specification by appropriately signaling to a user that they will not honor the DNT signal from a specific UA.
>>
>> - Shane
>>
>> -----Original Message-----
>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>> Sent: Friday, June 08, 2012 8:11 AM
>> To: Shane Wiley
>> Cc: Jeffrey Chester; Ninja Marnau; Rigo Wenning; ifette@google.com; Bjoern Hoehrmann; David Singer; public-tracking@w3.org (public-tracking@w3.org)
>> Subject: Re: Today's call: summary on user agent compliance
>>
>> Hi Shane,
>>
>> I suppose the question is what the objective here is.
>>
>> Allowing any entity to unilaterally question the validity of a facially valid signal introduces a great degree of uncertainty into the equation, and since this is an anticipated source of disagreement and confusion, it might be better to explore addressing it within the spec.
>>
>> On 6/8/2012 10:16 AM, Shane Wiley wrote:
>>
>>> Jeff and Ninja,
>>>
>>> I respectfully disagree and believe any standard that has outlined what a valid signal should consist of (in our case, that a user has activated this signal directly) then any signal not meeting the standard is itself non-compliant and therefore should allow Servers to appropriately respond to users that their current UA is non-compliant and therefore will not be honored - again, hopefully with options for valid UAs the user can access their free services with. If the user doesn't feel comfortable with this outcome WHICH IS COMPLETELY TRANSPARENT, they can decide to keep consuming those free services with DNT not being honored, not access the free content from that particular site, or switch to a compliant UA so their DNT signal is honored while interacting with that site. With transparent and clear messaging to the user, this places the power within the user's hands to decide how best to move forward. I believe this is much better than the user being left in the dark, or alternately no publishers supporting DNT since they are forced to honor non-compliant signals.
>>>
>>> Predictability - The user is clearly messaged in all cases - so outcomes are completely "predictable".
>>
>> I'm not clear that there is any obligation for the user to be clearly messaged here. In any case, how would that play out? User: don't track me; UA: server does not acknowledge. What's the next step here?
>>
>>> Only for "uncompliant" UAs? - Yes, but this is subjective choice by the Server and they must defend their position. Since messaging is transparent, consumers can quickly raise concerns if they feel a UA is being ignored incorrectly.
>>>
>>> Who decides whether a UA is "uncompliant"? - The Server does.
>>
>> You are correct that ultimately, this could be referred to a regulator if the customer disagrees with the server's decision.
>>
>>> Liability issues - disagree on your assessment of liability in this case as the claim is directly tied to a voluntary code and therefore the only legal enforcement is that the Server must follow through on what it says it will (contract).
>>>
>>> Hindering privacy-by-default - It is FAR too early in the process to attempt to quote draft regulations that will go through tremendous change over the next two years prior to becoming a regulation in force.
>>>
>>> - Shane
>>>
>>> -----Original Message-----
>>> From: Jeffrey Chester [mailto:jeff@democraticmedia.org]
>>> Sent: Friday, June 08, 2012 3:52 AM
>>> To: Ninja Marnau
>>> Cc: Rigo Wenning; ifette@google.com; Bjoern Hoehrmann; David Singer; public-tracking@w3.org (public-tracking@w3.org)
>>> Subject: Re: Today's call: summary on user agent compliance
>>>
>>> I support what Ninja says below, and the concerns Jonathan raises. There shouldn't be "cherry-picking" allowed in the spec. When sites receive DNT, they should honor it. The W3C should not develop a policy that permits the over-riding of requests/intent of global Internet users.
>>>
>>> The key issue for us to address is the need to limit collection and retention. I hope we can discuss and build support for a consensus on the proposal sent the other day by EFF/Mozilla and Jonathan. Without meaningful collection and retention policy, we risk not having a spec that can receive the support from many stakeholders (esp civil society). That is critical to the fate of the privacy and digital consumer protection debates, esp. both sides of the Atlantic.
>>>
>>> Finally, I want to add that in my view and fairly quickly a site that doesn't honor DNT will not be considered "brand safe." Responsible advertisers and brands concerned about their reputation will need to respect a robust DNT. They will have to add DNT to the blacklist/whitelist systems in place. It behooves us to continue to advance the process of ensuring monetization and privacy can thrive together in the digital economy.
>>>
>>> Jeff
>>>
>>> On Jun 8, 2012, at 5:26 AM, Ninja Marnau wrote:
>>>
>>>> We are discussing two different issues here.
>>>>
>>>> First is, I support that servers should give the users a clear answer whether their DNT request is honored. There should be an option to answer NACK.
>>>>
>>>> Second is, a company claiming "We will honor DNT when it's coming from the following user agents" or "We will honor DNT from all user agents except for the following" (I am quoting Ian's example here) is honest - and I appreciate that. But whether it is "compliant" to the DNT recommendation or not, is up to us as a working group. It is our task to discuss whether we want the spec to allow this cherry-picking. (Don't get me wrong, companies can still do so. But will they be able to claim DNT compliance?). I oppose this. I think the spec should state that when you receive a valid signal, no matter from what UA, you have to honor it in order to claim DNT compliance.
>>>>
>>>> There are several reasons for this:
>>>>
>>>> 1) predictability
>>>> David raised this point and I agree: "Defining that "I'll stop tracking unless I don't feel like it" as *compliant* makes it basically unpredictable what will happen."
>>>>
>>>> 2) only for "uncompliant" UAs?
>>>> If we open the spec to cherry-picking. Will it stop at "uncompliant"? Or will the spec just stay silent or explicitly allow for other motivations? Patent lawsuits, harming competitors, just feeling like it - for painting a very black picture.
>>>> I don't support this as being considered DNT compliant.
>>>>
>>>> 3) Who decides whether a UA is "uncompliant"?
>>>> As long as there is no judgement by a competent authority, this is a very critical statement.
>>>>
>>>> 4) liability issues
>>>> If the spec allows to NACK the DNT requests of "uncompliant" UAs, and a site claims to "honor DNT from all user agents except for the following ..." it makes a legally relevant statement about these UAs. Which may lead to liability and claims for damages by these UAs if the judgement is wrong. If the spec is more open -> issue 2.
>>>>
>>>> 5) hindering privacy-by-default
>>>> The proposed Data Protection Regulation of the EC explicitly asks for privacy by default. (Art. 23)
>>>>
>>>> Ninja
>>>>
>>>> On 08.06.2012 10:25, Rigo Wenning wrote:
>>>>
>>>>> On Thursday 07 June 2012 18:25:27 Ian Fette wrote:
>>>>>
>>>>>> A site is already under no obligation to conform to DNT. Would you rather have the user be clear that their request is being ignored, or left to wonder?
>>>>>
>>>>> Precisely my point! Thanks Ian
>>>>>
>>>>> Rigo
>>>>
>>>> --
>>>> Ninja Marnau
>>>> mail: NMarnau@datenschutzzentrum.de - http://www.datenschutzzentrum.de
>>>> Phone: +49 431/988-1285, Fax +49 431/988-1223
>>>> Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein
>>>> Independent Centre for Privacy Protection Schleswig-Holstein

Received on Saturday, 9 June 2012 02:04:21 UTC