- From: Tamir Israel <tisrael@cippic.ca>
- Date: Fri, 08 Jun 2012 22:56:20 -0400
- To: ifette@google.com
- CC: Shane Wiley <wileys@yahoo-inc.com>, Jeffrey Chester <jeff@democraticmedia.org>, Ninja Marnau <nmarnau@datenschutzzentrum.de>, Rigo Wenning <rigo@w3.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, David Singer <singer@apple.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
- Message-ID: <4FD2BB54.3080902@cippic.ca>
Hi Ian, On 6/8/2012 10:03 PM, Ian Fette (イアンフェッティ) wrote: > Tamir and others, > > I don't think the point is to say "a server merely notifies the user > they will ignore their DNT-1 signal, that this is sufficient to gain > user consent for server tracking.". > > Many jurisdictions don't require explicit opt-in consent for "server > tracking". Take the US for example. In this case, as long as we're not > promising something that we fail to deliver, there is no problem here. > > I think you are getting hung up on the case where, in some countries > depending on what finalized legislation comes out, there might be a > requirement to obtain explicit opt-in consent. I agree with you that > the mere act of rejecting the user's DNT:1 signal is not explicit > opt-in consent in that context, and the website would probably have to > take further steps to obtain that explicit opt-in consent. But that > does not need to be the problem of this working group or specification. The issue I'm trying to address is a scenario where opt-out consent is required. Functionally, the Canadian system operates much like the US in practice (servers are seemingly free to track without asking [as long as there is a readily available mechanism for opting out]). Typically, U.S.-based businesses find this to be a benefit, since their Canadian implementations can match their US implementation (given our physical proximity). The similarities in regime break down, however, where a server rejects a DNT-1 (because it was set by default), and there is no alternate mechanism left for the user to opt-out. As the server can no longer rely on implicit/opt-out consent in this case, presumably they can no longer track. > > The point of DNT is to allow a user to express a preference on > tracking. The point of DNT is not to solve the EU regulatory debacle, > or any other country-specific regulations. If it can be useful in that > manner, then great, but I continue to question whether we should allow > this working group to get continually railroaded into trying to solve > country-specific regulatory problems. The group may well decide to leave it to regulators in various countries to decide how to solve their own specific regulatory problems around the spec, but I think it is fully legitimate to at least attempt to address these here. Best regards, Tamir > > > > On Fri, Jun 8, 2012 at 10:59 AM, Tamir Israel <tisrael@cippic.ca > <mailto:tisrael@cippic.ca>> wrote: > > Hi Shane, > > I want to reiterate what I said earlier on -- I understand there > is already an agreement on defaults in the group, and it is not my > intention to question that. > > However, in this context, I'm not clear that where a server merely > notifies the user they will ignore their DNT-1 signal, that this > is sufficient to gain user consent for server tracking. > > Let me explain. The basis for tracking under the current spec is > that the server is gaining implicit, opt-out consent to track the > user. The 'opt-out' consent is mediated through the UA's browser > mechanism. Now, if the server is saying 'I will ignore your DNT-1 > because I deem it non-compliant', there is no longer an opt-out > consent mechanism in place for the server to rely on. > > Best, > Tamir > > > On 6/8/2012 11:29 AM, Shane Wiley wrote: > > Tamir, > > While I agree it does add a degree of uncertainty initially, > as long as the outcome is completely transparent to the user > then I believe the appropriate outcome has been reached. > > We are attempting to resolve this in the specification by > appropriately signaling to a user that they will not honor the > DNT signal from a specific UA. > > - Shane > > -----Original Message----- > From: Tamir Israel [mailto:tisrael@cippic.ca > <mailto:tisrael@cippic.ca>] > Sent: Friday, June 08, 2012 8:11 AM > To: Shane Wiley > Cc: Jeffrey Chester; Ninja Marnau; Rigo Wenning; > ifette@google.com <mailto:ifette@google.com>; Bjoern > Hoehrmann; David Singer; public-tracking@w3.org > <mailto:public-tracking@w3.org> (public-tracking@w3.org > <mailto:public-tracking@w3.org>) > Subject: Re: Today's call: summary on user agent compliance > > Hi Shane, > > I suppose the question is what the objective here is. > > Allowing any entity to unilaterally question the validity of a > facially > valid signal introduces a great degree of uncertainty into the > equation, > and since this is an anticipated source of disagreement and > confusion, > it might be better to explore addressing it within the spec. > > On 6/8/2012 10:16 AM, Shane Wiley wrote: > > Jeff and Ninja, > > I respectfully disagree and believe any standard that has > outlined what a valid signal should consist of (in our > case, that a user has activated this signal directly) then > any signal not meeting the standard is itself > non-compliant and therefore should allow Servers to > appropriately respond to users that their current UA is > non-compliant and therefore will not be honored - again, > hopefully with options for valid UAs the user can access > their free services with. If the user doesn't feel > comfortable with this outcome WHICH IS COMPLETELY > TRANSPARENT, they can decide to keep consuming those free > services with DNT not being honored, not access the free > content from that particular site, or switch to a > compliant UA so their DNT signal is honored while > interacting with that site. With transparent and clear > messaging to the user, this places the power within the > user's hands to decide how best to move forward. I > believe this is much better than the user being left in > the dark, or alternately no publishers supporting DNT > since they are forced to honor non-compliant signals. > > Predictability - The user is clearly messaged in all cases > - so outcomes are completely "predictable". > > I'm not clear that there is any obligation for the user to be > clearly > messaged here. In any case, how would that play out? User: > don't track > me; UA: server does not acknowledge. What's the next step here? > > Only for "uncompliant" UAs? - Yes, but this is subjective > choice by the Server and they must defend their position. > Since messaging is transparent, consumers can quickly > raise concerns if they feel a UA is being ignored incorrectly. > > Who decides wether a UA is "uncompliant"? - The Server does. > > You are correct that ultimately, this could be referred to a > regulator > if the customer disagrees with the server's decision. > > Liability issues - disagree on your assessment of > liability in this case as the claim is directly tied to a > voluntary code and therefore the only legal enforcement is > that the Server must follow through on what it says it > will (contract). > > Hindering privacy-by-default - It is FAR too early in the > process to attempt to quote draft regulations that will go > through tremendous change over the next two years prior to > becoming a regulation in force. > > - Shane > > -----Original Message----- > From: Jeffrey Chester [mailto:jeff@democraticmedia.org > <mailto:jeff@democraticmedia.org>] > Sent: Friday, June 08, 2012 3:52 AM > To: Ninja Marnau > Cc: Rigo Wenning; ifette@google.com > <mailto:ifette@google.com>; Bjoern Hoehrmann; David > Singer; public-tracking@w3.org > <mailto:public-tracking@w3.org> (public-tracking@w3.org > <mailto:public-tracking@w3.org>) > Subject: Re: Today's call: summary on user agent compliance > > I support what Ninja says below, and the concerns Jonathan > raises. There shouldn't be "cherry-picking" allowed in > the spec. When sites receive DNT, they should honor it. > The W3C should not develop a policy that permits the > over-riding of requests/intent of global Internet users. > > The key issue for us to address is the need to limit > collection and retention. I hope we can discuss and build > support for a consensus on the proposal sent the other day > by EFF/Mozilla and Jonathan. Without meaningful > collection and retention policy, we risk not having a spec > that can receive the support from many stakeholders (esp > civil society). That is critical to the fate of the > privacy and digital consumer protection debates, esp. both > sides of the Atlantic. > > Finally, I want to add that in my view and fairly quickly > a site that doesn't honor DNT will not be considered > "brand safe." Responsible advertisers and brands > concerned about their reputation will need to respect a > robust DNT. They will have to add DNT to the > blacklist/whitelist systems in place. It behooves us to > continue to advance the process of ensuring monetization > and privacy can thrive together in the digital economy. > > Jeff > > On Jun 8, 2012, at 5:26 AM, Ninja Marnau wrote: > > We are discussing two different issues here. > > First is, I support that servers should give the users > a clear answer wether their DNT request is honored. > There should be an option to answer NACK. > > Second is, a company claiming "We will honor DNT when > it's coming from the following user agents" or "We > will honor DNT from all user agents except for the > following" (I am quoting Ian's example here) is honest > - and I appreciate that. But whether it is "compliant" > to the DNT recommendation or not, is up to us as a > working group. It is our task to discuss whether we > want the spec to allow this cherry-picking. (Don't get > me wrong, companies can stll do so. But will they be > able to claim DNT compliance?). > I oppose this. I think the spec should state that when > you receive a valid signal, no matter from what UA, > you have to honor it in order to claim DNT compliance. > > There are several reasons for this: > 1) predictability > David raised this point and I agree: "Defining that > "I'll stop tracking unless I don't feel like it" as > *compliant* makes it basically unpredictable what will > happen." > > 2) only for "uncompliant" UAs? > If we open the spec to cherry-picking. Will it stop at > "uncompliant"? Or will the spec just stay silent or > explicitly allow for other motivations? Patent > lawsuits, harming competitors, just feeling like it - > for painting a very black picture. > I don't support this as being considered DNT compliant. > > 3) Who decides wether a UA is "uncompliant"? > As long as there is no judgement by a competent > authority, this is a very critical statement. > > 4) liability issues > If the spec allows to NACK the DNT requests of > "uncompliant" UAs, and I site claims to "honor DNT > from all user agents except for the following ..." it > makes a legally relevant statement about these UAs. > Which may lead to liability and claims for damages by > these UAs if the judgement is wrong. > If the spec is more open -> issue 2. > > 5) hindering privacy-by-default > The proposed Data Protection Regulation of the EC > explicitly asks for privacy by default. (Art. 23) > > > Ninja > > > > Am 08.06.2012 10:25, schrieb Rigo Wenning: > > On Thursday 07 June 2012 18:25:27 Ian Fette wrote: > > A site is already under no obligation to > conform to DNT. Would you > rather have the user be clear that their > request is being > ignored, or left to wonder? > > Precisely my point! Thanks Ian > > Rigo > > -- > > Ninja Marnau > mail: NMarnau@datenschutzzentrum.de > <mailto:NMarnau@datenschutzzentrum.de> - > http://www.datenschutzzentrum.de > Telefon: +49 431/988-1285 > <tel:%2B49%20431%2F988-1285>, Fax +49 431/988-1223 > <tel:%2B49%20431%2F988-1223> > Unabhaengiges Landeszentrum fuer Datenschutz > Schleswig-Holstein > Independent Centre for Privacy Protection > Schleswig-Holstein > > > > > > >
Received on Saturday, 9 June 2012 03:02:11 UTC