Re: ACTION-211 Draft text on how user agents must obtain consent to turn on a DNT signal

On Wed, Jun 13, 2012 at 7:56 AM, Peter Cranstone
<peter.cranstone@gmail.com> wrote:

> The point that I'm trying to make is that the server has NO indication WHO
> set the DNT flag. There is NOTHING in the spec to indicate this.
>
> You know (human) that MSIE ships with the default set to 1. Ok, I get
> that. But if I change it and then change it back two days later are you
> still going to reject every request?
>

Yes, as I still have no way of differentiating your setting from the
default. Blame MS there.


>
> This whole "default" issue is a red herring. The server doesn't know
> default from a hole in the wall. All it sees is DNT:1 and a UA.
>
>
>
> Peter
> ___________________________________
> Peter J. Cranstone
> 720.663.1752
>
>
> From: "Ian Fette (イアンフェッティ)" <ifette@google.com>
> Reply-To: <ifette@google.com>
> Date: Wednesday, June 13, 2012 8:52 AM
> To: Peter Cranstone <peter.cranstone@gmail.com>
> Cc: Justin Brookman <justin@cdt.org>, W3 Tracking <public-tracking@w3.org>
>
> Subject: Re: ACTION-211 Draft text on how user agents must obtain consent
> to turn on a DNT signal
>
> Peter, what are you trying to get at? I am missing it.
>
> In the case of seeing DNT:1 from IE10, by far the most likely reason for
> seeing that is that it's the default, and so in the absence of any other
> information a server would be justified in thinking that it wasn't an
> actual expression by the user but rather an expression by MSFT. You're
> correct in that in the general case it's impossible to tell who tweaked the
> setting (except perhaps in the case of SSL, where you know it was something
> on the user's computer), but what are you trying to get at?
>
> On Wed, Jun 13, 2012 at 7:46 AM, Peter Cranstone <
> peter.cranstone@gmail.com> wrote:
>
>> I know what the spec says.
>>
>> What I'm asking you to define is how the server knows WHO set the DNT
>> flag. Nobody has been able to answer that question yet.
>>
>>
>> Peter
>> ___________________________________
>> Peter J. Cranstone
>> 720.663.1752
>>
>>
>> From: Justin Brookman <justin@cdt.org>
>> Date: Wednesday, June 13, 2012 8:41 AM
>> To: W3 Tracking <public-tracking@w3.org>
>> Subject: Re: ACTION-211 Draft text on how user agents must obtain
>> consent to turn on a DNT signal
>> Resent-From: W3 Tracking <public-tracking@w3.org>
>> Resent-Date: Wed, 13 Jun 2012 14:41:56 +0000
>>
>>  On 6/13/2012 10:35 AM, Peter Cranstone wrote:
>>
>>  >> We do not specify how tracking preference choices are offered to the
>> user or how the preference is enabled:
>>
>>  &
>>
>>  >> Implementations of HTTP that are not under control of the user *must
>> not* express a tracking preference on their behalf.
>>
>>  Which means that MSIE 10 is compliant, because it's under the control
>> of the user.
>>
>> This alone does not mean that IE10 is compliant, as there is separate
>> text saying that "A user agent MUST NOT express a tracking preference
>> for a user unless the user has interacted with the user agent in such a way
>> as to indicate a tracking preference."
>>
>>
>>  >> Implementations of HTTP that are not under control of the user *must
>> not* express a tracking preference on their behalf.
>>
>>  How do you know? All a proxy server has to do is add DNT:1 - take Abine
>> for example. A 3rd party plugin that adds DNT:1 to the outbound header. You
>> have no idea who set it because there's no code to determine who did it. Me
>> or the add on.
>>
>> I agree that third parties should not be second guessing DNT:1 signals
>> for all the reasons that I and others have expressed over the list in the
>> last two weeks.
>>
>>
>> Peter
>> ___________________________________
>> Peter J. Cranstone
>> 720.663.1752
>>
>>
>>  From: Justin Brookman <justin@cdt.org>
>> Date: Wednesday, June 13, 2012 8:26 AM
>> To: W3 Tracking <public-tracking@w3.org>
>> Subject: ACTION-211 Draft text on how user agents must obtain consent to
>> turn on a DNT signal
>> Resent-From: W3 Tracking <public-tracking@w3.org>
>> Resent-Date: Wed, 13 Jun 2012 14:27:17 +0000
>>
>>   Hello, here is draft language for the compliance document on user
>> agent requirements.  The first paragraph is new, the second two are
>> copied-and-pasted from Section 3 of the current TPE spec.
>>
>> Replace 4.2 Intermediary Compliance (empty) with this new section:
>>
>> 4.2 User Agent Compliance
>>
>> A user agent MAY offer a control to express a tracking preference to
>> third parties.  The control MUST communicate the user's preference in
>> accordance with the [[Tracking Preference Expression (DNT)]] recommendation
>> and otherwise comply with that recommendation.  A user agent MUST NOT
>> express a tracking preference for a user unless the user has interacted
>> with the user agent in such a way as to indicate a tracking preference.
>>
>> We do not specify how tracking preference choices are offered to the user
>> or how the preference is enabled: each implementation is responsible for
>> determining the user experience by which a tracking preference is enabled.
>> For example, a user might select a check-box in their user agent's
>> configuration, install an extension or add-on that is specifically designed
>> to add a tracking preference expression, or make a choice for privacy that
>> then implicitly includes a tracking preference (e.g., Privacy settings:
>> high). Likewise, a user might install or configure a proxy to add the
>> expression to their own outgoing requests.
>>
>> Although some controlled network environments, such as public access
>> terminals or managed corporate intranets, might impose restrictions on the
>> use or configuration of installed user agents, such that a user might only
>> have access to user agents with a predetermined preference enabled, the
>> user is at least able to choose whether to make use of those user agents.
>> In contrast, if a user brings their own Web-enabled device to a library or
>> cafe with wireless Internet access, the expectation will be that their
>> chosen user agent and personal preferences regarding Web site behavior will
>> not be altered by the network environment, aside from blanket limitations
>> on what resources can or cannot be accessed through that network.
>> Implementations of HTTP that are not under control of the user *must not* express a tracking preference on their behalf.
>>
>> --
>> Justin Brookman
>> Director, Consumer Privacy
>> Center for Democracy & Technology
>> 1634 I Street NW, Suite 1100
>> Washington, DC 20006
>> tel 202.407.8812
>> fax 202.637.0969
>> justin@cdt.org
>> http://www.cdt.org
>> @CenDemTech
>> @JustinBrookman
>>
>>
>

Received on Wednesday, 13 June 2012 14:58:45 UTC