- From: Peter Cranstone <peter.cranstone@gmail.com>
- Date: Wed, 13 Jun 2012 16:47:45 -0600
- To: Kevin Smith <kevsmith@adobe.com>, "ifette@google.com" <ifette@google.com>
- CC: Justin Brookman <justin@cdt.org>, "public-tracking@w3.org" <public-tracking@w3.org>
- Message-ID: <CBFE73EA.32D8%peter.cranstone@gmail.com>
Kevin,

In a perfect world with an "enforceable spec" I would agree with you. But this is not a perfect world, the spec is only a recommendation and you're forcing the user to go get another browser unless Microsoft changes its mind.

If they change then great – but if not, lots of server code has to be written and 400 errors have to be sent which will piss off the customer. And this doesn't cost Microsoft a dime in lost Ad revenue.

We'll see what happens.

Peter
___________________________________
Peter J. Cranstone
720.663.1752

From: Kevin Smith <kevsmith@adobe.com>
Date: Wednesday, June 13, 2012 4:41 PM
To: Peter Cranstone <peter.cranstone@gmail.com>, "ifette@google.com" <ifette@google.com>
Cc: Justin Brookman <justin@cdt.org>, W3 Tracking <public-tracking@w3.org>
Subject: RE: ACTION-211 Draft text on how user agents must obtain consent to turn on a DNT signal

> Peter,
> We are getting our threads crossed. But I just responded to a different
> thread stating why I believe that a UA which enables DNT:1 by default CANNOT
> send a valid request. You can flip DNT:0 to 1 and vice versa all you like,
> but that UA can no longer express user intent. Therefore, all DNT headers
> from it are invalid. A server need not distinguish between user intent and UA
> intent because they cannot do so – therefore they would respond to all
> requests from that UA in a consistent manner. If they chose to ignore the
> header – they would alert the user as to why they did so. This will only have
> a negative effect on good will (as you have indicated) if only a few sites do
> so. If many sites support DNT but choose not to support it from non-compliant
> UA’s, then that negative good will is transferred to the non-compliant UA –
> which hopefully encourages them to become compliant. Therefore, we win the
> battle and the war.
>
> Kevin Smith | Engineering Manager | Adobe | 385.221.1288 |
> kevsmith@adobe.com
>
> From: Peter Cranstone [mailto:peter.cranstone@gmail.com]
> Sent: Wednesday, June 13, 2012 4:17 PM
> To: Kevin Smith; ifette@google.com
> Cc: Justin Brookman; public-tracking@w3.org
> Subject: Re: ACTION-211 Draft text on how user agents must obtain consent to
> turn on a DNT signal
>
> Kevin,
>
> You're going to win the battle and lose the war.
>
> Show me in the spec where you can distinguish the "origination of the intent".
> It doesn't exist. So if Microsoft ships it, and then I switch to DNT:0 or turn
> it back on three days later the server still sees that as non-compliant?
> That's ridiculous.
>
> Microsoft exploited a loophole in the spec – the ability to not determine the
> origination of intent. It leveraged that hole and is now seen leading the
> charge for Privacy. The comments against are based on a technicality which has
> a hole in it.
>
> We've beaten this mule to death.
>
> Peter
> ___________________________________
> Peter J. Cranstone
> 720.663.1752
>
> From: Kevin Smith <kevsmith@adobe.com>
> Date: Wednesday, June 13, 2012 4:07 PM
> To: Peter Cranstone <peter.cranstone@gmail.com>, "ifette@google.com"
> <ifette@google.com>
> Cc: Justin Brookman <justin@cdt.org>, W3 Tracking <public-tracking@w3.org>
> Subject: RE: ACTION-211 Draft text on how user agents must obtain consent to
> turn on a DNT signal
>
>> Peter, it's that very fact which makes MSIE 10 non-compliant and gives servers
>> the right to ignore all DNT headers from IE regardless of who set them and
>> still be compliant. You are hitting the point exactly. However, this does
>> not mean that servers need to cave in and do what a non-compliant browser
>> dictates to them. In fact, it means the exact opposite. It means that since
>> you cannot tell the origination of the intent, you can ignore all DNT:1
>> headers from that particular UA. In this case, it is the user who is
>> negatively affected, especially if they intended to send the DNT:1 signal.
>> This will provide that user with incentive to switch browsers which will in
>> turn apply pressure to the non-compliant browser to become compliant.
>>
>> -kevin
>>
>> From: Peter Cranstone [mailto:peter.cranstone@gmail.com]
>> Sent: Wednesday, June 13, 2012 8:57 AM
>> To: ifette@google.com
>> Cc: Justin Brookman; public-tracking@w3.org
>> Subject: Re: ACTION-211 Draft text on how user agents must obtain consent to
>> turn on a DNT signal
>>
>> The point that I'm trying to make is that the server has NO indication WHO
>> set the DNT flag. There is NOTHING in the spec to indicate this.
>>
>> You know (human) that MSIE ships with the default set to 1. Ok, I get that.
>> But if I change it and then change it back two days later are you still going
>> to reject every request?
>>
>> This whole "default" issue is a red herring. The server doesn't know default
>> from a hole in the wall. All it sees is DNT:1 and a UA.
>>
>> Peter
>> ___________________________________
>> Peter J. Cranstone
>> 720.663.1752
>>
>> From: "Ian Fette (イアンフェッティ)" <ifette@google.com>
>> Reply-To: <ifette@google.com>
>> Date: Wednesday, June 13, 2012 8:52 AM
>> To: Peter Cranstone <peter.cranstone@gmail.com>
>> Cc: Justin Brookman <justin@cdt.org>, W3 Tracking <public-tracking@w3.org>
>> Subject: Re: ACTION-211 Draft text on how user agents must obtain consent to
>> turn on a DNT signal
>>
>>> Peter, what are you trying to get at? I am missing it.
>>>
>>> In the case of seeing DNT:1 from IE10, by far the most likely reason for
>>> seeing that is that it's the default, and so in the absence of any other
>>> information a server would be justified in thinking that it wasn't an actual
>>> expression by the user but rather an expression by MSFT. You're correct in
>>> that in the general case it's impossible to tell who tweaked the setting
>>> (except perhaps in the case of SSL, where you know it was something on the
>>> user's computer), but what are you trying to get at?
>>>
>>> On Wed, Jun 13, 2012 at 7:46 AM, Peter Cranstone <peter.cranstone@gmail.com>
>>> wrote:
>>>
>>> I know what the spec says.
>>>
>>> What I'm asking you to define is how the server knows WHO set the DNT flag.
>>> Nobody has been able to answer that question yet.
>>>
>>> Peter
>>> ___________________________________
>>> Peter J. Cranstone
>>> 720.663.1752
>>>
>>> From: Justin Brookman <justin@cdt.org>
>>> Date: Wednesday, June 13, 2012 8:41 AM
>>> To: W3 Tracking <public-tracking@w3.org>
>>> Subject: Re: ACTION-211 Draft text on how user agents must obtain consent to
>>> turn on a DNT signal
>>> Resent-From: W3 Tracking <public-tracking@w3.org>
>>> Resent-Date: Wed, 13 Jun 2012 14:41:56 +0000
>>>
>>>> On 6/13/2012 10:35 AM, Peter Cranstone wrote:
>>>>>
>>>>>>> >> We do not specify how tracking preference choices are offered to the
>>>>>>> user or how the preference is enabled:
>>>>>
>>>>> &
>>>>>
>>>>>>> >> Implementations of HTTP that are not under control of the user must
>>>>>>> not express a tracking preference on their behalf.
>>>>>
>>>>> Which means that MSIE 10 is compliant, because it's under the control of
>>>>> the user.
>>>> This alone does not mean that IE10 is compliant, as there is separate text
>>>> saying that "A user agent MUST NOT express a tracking preference for a user
>>>> unless the user has interacted with the user agent in such a way as to
>>>> indicate a tracking preference."
>>>>
>>>>>> >> Implementations of HTTP that are not under control of the user must
>>>>>> not express a tracking preference on their behalf.
>>>>
>>>> How do you know? All a proxy server has to do is add DNT:1 take Abine for
>>>> example. A 3rd party plugin that adds DNT:1 to the outbound header. You
>>>> have no idea who set it because there's no code to determine who did it. Me
>>>> or the add on.
>>>>
>>>> I agree that third parties should not be second guessing DNT:1 signals for
>>>> all the reasons that I and others have expressed over the list in the last
>>>> two weeks.
>>>>>
>>>>> Peter
>>>>> ___________________________________
>>>>> Peter J. Cranstone
>>>>> 720.663.1752
>>>>>
>>>>> From: Justin Brookman <justin@cdt.org>
>>>>> Date: Wednesday, June 13, 2012 8:26 AM
>>>>> To: W3 Tracking <public-tracking@w3.org>
>>>>> Subject: ACTION-211 Draft text on how user agents must obtain consent to
>>>>> turn on a DNT signal
>>>>> Resent-From: W3 Tracking <public-tracking@w3.org>
>>>>> Resent-Date: Wed, 13 Jun 2012 14:27:17 +0000
>>>>>
>>>>>> Hello, here is draft language for the compliance document on user agent
>>>>>> requirements. The first paragraph is new, the second two are
>>>>>> copied-and-pasted from Section 3 of the current TPE spec.
>>>>>>
>>>>>> Replace 4.2 Intermediary Compliance (empty) with this new section:
>>>>>>
>>>>>> 4.2 User Agent Compliance
>>>>>>
>>>>>> A user agent MAY offer a control to express a tracking preference to
>>>>>> third parties. The control MUST communicate the user's preference in
>>>>>> accordance with the [[Tracking Preference Expression (DNT)]]
>>>>>> recommendation and otherwise comply with that recommendation. A user
>>>>>> agent MUST NOT express a tracking preference for a user unless the user
>>>>>> has interacted with the user agent in such a way as to indicate a
>>>>>> tracking preference.
>>>>>>
>>>>>> We do not specify how tracking preference choices are offered to the user
>>>>>> or how the preference is enabled: each implementation is responsible for
>>>>>> determining the user experience by which a tracking preference is
>>>>>> enabled. For example, a user might select a check-box in their user
>>>>>> agent's configuration, install an extension or add-on that is
>>>>>> specifically designed to add a tracking preference expression, or make a
>>>>>> choice for privacy that then implicitly includes a tracking preference
>>>>>> (e.g., Privacy settings: high). Likewise, a user might install or
>>>>>> configure a proxy to add the expression to their own outgoing requests.
>>>>>>
>>>>>> Although some controlled network environments, such as public access
>>>>>> terminals or managed corporate intranets, might impose restrictions on
>>>>>> the use or configuration of installed user agents, such that a user might
>>>>>> only have access to user agents with a predetermined preference enabled,
>>>>>> the user is at least able to choose whether to make use of those user
>>>>>> agents. In contrast, if a user brings their own Web-enabled device to a
>>>>>> library or cafe with wireless Internet access, the expectation will be
>>>>>> that their chosen user agent and personal preferences regarding Web site
>>>>>> behavior will not be altered by the network environment, aside from
>>>>>> blanket limitations on what resources can or cannot be accessed through
>>>>>> that network. Implementations of HTTP that are not under control of the
>>>>>> user must not express a tracking preference on their behalf.
>>>>>> --
>>>>>> Justin Brookman
>>>>>> Director, Consumer Privacy
>>>>>> Center for Democracy & Technology
>>>>>> 1634 I Street NW, Suite 1100
>>>>>> Washington, DC 20006
>>>>>> tel 202.407.8812
>>>>>> fax 202.637.0969
>>>>>> justin@cdt.org
>>>>>> http://www.cdt.org
>>>>>> @CenDemTech
>>>>>> @JustinBrookman
Received on Wednesday, 13 June 2012 22:48:27 UTC