- From: Shane Wiley <wileys@yahoo-inc.com>
- Date: Wed, 13 Jun 2012 09:38:49 -0700
- To: Peter Cranstone <peter.cranstone@gmail.com>, Justin Brookman <justin@cdt.org>, "public-tracking@w3.org" <public-tracking@w3.org>
- Message-ID: <63294A1959410048A33AEE161379C8023D187864F6@SP2-EX07VS02.ds.corp.yahoo.com>
Peter,

That is up to the Server to make the choice to reply with an "Invalid UA" response and provide users with options from that point forward. That Server will need to defend its position to consumers, advocates, etc. but should absolutely have that option. Whatever overhead that comes with that choice (PR defense, coding overhead, etc.) is the Server's to manage from that point forward.
- Shane

From: Peter Cranstone [mailto:peter.cranstone@gmail.com]
Sent: Wednesday, June 13, 2012 11:04 AM
To: Shane Wiley; Justin Brookman; public-tracking@w3.org
Subject: Re: ACTION-211 Draft text on how user agents must obtain consent to turn on a DNT signal

Shane,

The server does need to know because it's about to reject it. MSIE is non-compliant in only ONE aspect - it sets the flag by default. In EVERY other aspect it is COMPLIANT because the user can change that preference. So in essence you're saying that if you see a UA of MSIE 10 you're going to reject it immediately and send back a 400 message. Get ready to start writing lots of scripts or modules (your preference)

Peter
___________________________________
Peter J. Cranstone
720.663.1752

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Wednesday, June 13, 2012 8:58 AM
To: Peter Cranstone <peter.cranstone@gmail.com>, Justin Brookman <justin@cdt.org>, W3 Tracking <public-tracking@w3.org>
Subject: RE: ACTION-211 Draft text on how user agents must obtain consent to turn on a DNT signal

Peter,

The Server doesn't need to know - I believe that's the point you're missing. The user installed a non-compliant UA and the Server will respond as such. The user then has multiple options to exercise their choice but continued use of that specific UA to communicate DNT is NOT one of them.
- Shane

From: Peter Cranstone [mailto:peter.cranstone@gmail.com]
Sent: Wednesday, June 13, 2012 10:46 AM
To: Justin Brookman; public-tracking@w3.org
Subject: Re: ACTION-211 Draft text on how user agents must obtain consent to turn on a DNT signal

I know what the spec says. What I'm asking you to define is how the server knows WHO set the DNT flag. Nobody has been able to answer that question yet.

Peter
___________________________________
Peter J. Cranstone
720.663.1752

From: Justin Brookman <justin@cdt.org>
Date: Wednesday, June 13, 2012 8:41 AM
To: W3 Tracking <public-tracking@w3.org>
Subject: Re: ACTION-211 Draft text on how user agents must obtain consent to turn on a DNT signal
Resent-From: W3 Tracking <public-tracking@w3.org>
Resent-Date: Wed, 13 Jun 2012 14:41:56 +0000

On 6/13/2012 10:35 AM, Peter Cranstone wrote:

>> We do not specify how tracking preference choices are offered to the user or how the preference is enabled:
&
>> Implementations of HTTP that are not under control of the user must not express a tracking preference on their behalf.

Which means that MSIE 10 is compliant, because it's under the control of the user.

This alone does not mean that IE10 is compliant, as there is separate text saying that "A user agent MUST NOT express a tracking preference for a user unless the user has interacted with the user agent in such a way as to indicate a tracking preference."

>> Implementations of HTTP that are not under control of the user must not express a tracking preference on their behalf.

How do you know? All a proxy server has to do is add DNT:1 - take Abine for example. A 3rd party plugin that adds DNT:1 to the outbound header. You have no idea who set it because there's no code to determine who did it. Me or the add on.
I agree that third parties should not be second guessing DNT:1 signals for all the reasons that I and others have expressed over the list in the last two weeks.

Peter
___________________________________
Peter J. Cranstone
720.663.1752

From: Justin Brookman <justin@cdt.org>
Date: Wednesday, June 13, 2012 8:26 AM
To: W3 Tracking <public-tracking@w3.org>
Subject: ACTION-211 Draft text on how user agents must obtain consent to turn on a DNT signal
Resent-From: W3 Tracking <public-tracking@w3.org>
Resent-Date: Wed, 13 Jun 2012 14:27:17 +0000

Hello, here is draft language for the compliance document on user agent requirements. The first paragraph is new, the second two are copied-and-pasted from Section 3 of the current TPE spec.

Replace 4.2 Intermediary Compliance (empty) with this new section:

4.2 User Agent Compliance

A user agent MAY offer a control to express a tracking preference to third parties. The control MUST communicate the user's preference in accordance with the [[Tracking Preference Expression (DNT)]] recommendation and otherwise comply with that recommendation. A user agent MUST NOT express a tracking preference for a user unless the user has interacted with the user agent in such a way as to indicate a tracking preference.

We do not specify how tracking preference choices are offered to the user or how the preference is enabled: each implementation is responsible for determining the user experience by which a tracking preference is enabled. For example, a user might select a check-box in their user agent's configuration, install an extension or add-on that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., Privacy settings: high). Likewise, a user might install or configure a proxy to add the expression to their own outgoing requests.
Although some controlled network environments, such as public access terminals or managed corporate intranets, might impose restrictions on the use or configuration of installed user agents, such that a user might only have access to user agents with a predetermined preference enabled, the user is at least able to choose whether to make use of those user agents. In contrast, if a user brings their own Web-enabled device to a library or cafe with wireless Internet access, the expectation will be that their chosen user agent and personal preferences regarding Web site behavior will not be altered by the network environment, aside from blanket limitations on what resources can or cannot be accessed through that network. Implementations of HTTP that are not under control of the user must not express a tracking preference on their behalf.

--
Justin Brookman
Director, Consumer Privacy
Center for Democracy & Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
tel 202.407.8812
fax 202.637.0969
justin@cdt.org
http://www.cdt.org
@CenDemTech
@JustinBrookman
Received on Wednesday, 13 June 2012 16:40:01 UTC