Re: ACTION-211 Draft text on how user agents must obtain consent to turn on a DNT signal from Justin Brookman on 2012-06-13 (public-tracking@w3.org from June 2012)

From: Justin Brookman <justin@cdt.org>
Date: Wed, 13 Jun 2012 10:41:22 -0400
To: public-tracking@w3.org
Message-ID: <4FD8A692.8020907@cdt.org>
On 6/13/2012 10:35 AM, Peter Cranstone wrote:
> >> We do not specify how tracking preference choices are offered to 
> the user or how the preference is enabled:
>
> &
>
> >> Implementations of HTTP that are not under control of the user 
> /must not/ express a tracking preference on their behalf.
>
> Which means that MSIE 10 is compliant, because it's under the control 
> of the user.
This alone does not mean that IE10 is compliant, as there is separate 
text saying that "A user agent MUST NOT express a tracking preference 
for a user unless the user has interacted with the user agent in such a 
way as to indicate a tracking preference."
>
> >> Implementations of HTTP that are not under control of the user 
> /must not/ express a tracking preference on their behalf.
>
> How do you know? All a proxy server has to do is add DNT:1 -- take 
> Abine for example. A 3rd party plugin that adds DNT:1 to the outbound 
> header. You have no idea who set it because there's no code to 
> determine who did it. Me or the add on.
I agree that third parties should not be second guessing DNT:1 signals 
for all the reasons that I and others have expressed over the list in 
the last two weeks.
>
> Peter
> ___________________________________
> Peter J. Cranstone
> 720.663.1752
>
>
> From: Justin Brookman <justin@cdt.org <mailto:justin@cdt.org>>
> Date: Wednesday, June 13, 2012 8:26 AM
> To: W3 Tracking <public-tracking@w3.org <mailto:public-tracking@w3.org>>
> Subject: ACTION-211 Draft text on how user agents must obtain consent 
> to turn on a DNT signal
> Resent-From: W3 Tracking <public-tracking@w3.org 
> <mailto:public-tracking@w3.org>>
> Resent-Date: Wed, 13 Jun 2012 14:27:17 +0000
>
>     Hello, here is draft language for the compliance document on user
>     agent requirements.  The first paragraph is new, the second two
>     are copied-and-pasted from Section 3 of the current TPE spec.
>
>     Replace 4.2 Intermediary Compliance (empty) with this new section:
>
>     4.2 User Agent Compliance
>
>     A user agent MAY offer a control to express a tracking preference
>     to third parties.  The control MUST communicate the user's
>     preference in accordance with the [[Tracking Preference Expression
>     (DNT)]] recommendation and otherwise comply with that
>     recommendation.  A user agent MUST NOT express a tracking
>     preference for a user unless the user has interacted with the user
>     agent in such a way as to indicate a tracking preference.
>
>     We do not specify how tracking preference choices are offered to
>     the user or how the preference is enabled: each implementation is
>     responsible for determining the user experience by which a
>     tracking preference is enabled. For example, a user might select a
>     check-box in their user agent's configuration, install an
>     extension or add-on that is specifically designed to add a
>     tracking preference expression, or make a choice for privacy that
>     then implicitly includes a tracking preference (e.g., "Privacy
>     settings: high"). Likewise, a user might install or configure a
>     proxy to add the expression to their own outgoing requests.
>
>     Although some controlled network environments, such as public
>     access terminals or managed corporate intranets, might impose
>     restrictions on the use or configuration of installed user agents,
>     such that a user might only have access to user agents with a
>     predetermined preference enabled, the user is at least able to
>     choose whether to make use of those user agents. In contrast, if a
>     user brings their own Web-enabled device to a library or cafe with
>     wireless Internet access, the expectation will be that their
>     chosen user agent and personal preferences regarding Web site
>     behavior will not be altered by the network environment, aside
>     from blanket limitations on what resources can or cannot be
>     accessed through that network. Implementations of HTTP that are
>     not under control of the user /must not/ express a tracking
>     preference on their behalf.
>
>     -- 
>     Justin Brookman
>     Director, Consumer Privacy
>     Center for Democracy&  Technology
>     1634 I Street NW, Suite 1100
>     Washington, DC 20006
>     tel 202.407.8812
>     fax 202.637.0969
>     justin@cdt.orghttp://www.cdt.org
>     @CenDemTech
>     @JustinBrookman
>
Received on Wednesday, 13 June 2012 14:41:54 UTC