Re: ACTION-211 Draft text on how user agents must obtain consent to turn on a DNT signal from Peter Cranstone on 2012-06-13 (public-tracking@w3.org from June 2012)

From: Peter Cranstone <peter.cranstone@gmail.com>
Date: Wed, 13 Jun 2012 16:47:45 -0600
To: Kevin Smith <kevsmith@adobe.com>, "ifette@google.com" <ifette@google.com>
CC: Justin Brookman <justin@cdt.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <CBFE73EA.32D8%peter.cranstone@gmail.com>
Kevin,

In a perfect world with an "enforceable spec" I would agree with you. But
this is not a perfect world, the spec is only a recommendation and you're
forcing the user to go get another browser unless Microsoft changes it's
mind.

If they change then great – but if not, lots of server code has to be
written and 400 errors have to be sent which will piss of the customer. And
this doesn't cost Microsoft a dime in lost Ad revenue.

We'll see what happens.


Peter
___________________________________
Peter J. Cranstone
720.663.1752


From:  Kevin Smith <kevsmith@adobe.com>
Date:  Wednesday, June 13, 2012 4:41 PM
To:  Peter Cranstone <peter.cranstone@gmail.com>, "ifette@google.com"
<ifette@google.com>
Cc:  Justin Brookman <justin@cdt.org>, W3 Tracking <public-tracking@w3.org>
Subject:  RE: ACTION-211 Draft text on how user agents must obtain consent
to turn on a DNT signal

> 
> Peter, 
> We are getting our threads crossed.  But I just responded to a different
> thread stating why I believe that a UA which enables DNT:1 by default CANNOT
> send a valid request.  You can flip DNT:0 to 1 and vice versa all you like,
> but that UA can no longer express user intent.  Therefore, all DNT headers
> from it are invalid.  A server need not distinguish between user intent and UA
> intent because they cannot do so – therefore they would respond to all
> requests from that UA in a consistent manner.  If they chose to ignore the
> header – they would alert the user as to why they did so.  This will only have
> a negative effect on good will (as you have indicated) if only a few sites do
> so.  If many sites support DNT but choose not to support it from non-compliant
> UA’s, then that negative good will is transferred to the non-compliant UA –
> which hopefully encourages them to become compliant.  Therefore, we win the
> battle and the war.
>  
>  
> 
> Kevin Smith  |  Engineering Manager  |  Adobe  |  385.221.1288 |
> kevsmith@adobe.com
>  
> 
> From: Peter Cranstone [mailto:peter.cranstone@gmail.com]
> Sent: Wednesday, June 13, 2012 4:17 PM
> To: Kevin Smith; ifette@google.com
> Cc: Justin Brookman; public-tracking@w3.org
> Subject: Re: ACTION-211 Draft text on how user agents must obtain consent to
> turn on a DNT signal
>  
> 
> Kevin,
> 
>  
> 
> You're going to win the battle and lose the war.
> 
>  
> 
> Show me in the spec where you can distinguish the "origination of the intent".
> It doesn't exist. So if Microsoft ships it, and then I switch to DNT:0 or turn
> it back on three days later the server still sees that as non-complaint?
> That's ridiculous.
> 
>  
> 
> Microsoft exploited a loophole in the spec – the ability to not determine the
> origination of intent. It leverage that hole and is now seen leading the
> charge for Privacy. The comments against are based on a technicality which has
> a hole in it. 
> 
>  
> 
> We've beaten this mule to death.
> 
>  
> 
> 
> Peter
> ___________________________________
> Peter J. Cranstone
> 720.663.1752
> 
>  
> 
> From: Kevin Smith <kevsmith@adobe.com>
> Date: Wednesday, June 13, 2012 4:07 PM
> To: Peter Cranstone <peter.cranstone@gmail.com>, "ifette@google.com"
> <ifette@google.com>
> Cc: Justin Brookman <justin@cdt.org>, W3 Tracking <public-tracking@w3.org>
> Subject: RE: ACTION-211 Draft text on how user agents must obtain consent to
> turn on a DNT signal
> 
>  
>> 
>> Peter, its that very fact which makes MSIE 10 non-compliant and gives servers
>> the right to ignore all DNT headers from IE regardless of who set them and
>> still be compliant.  You are hitting the point exactly.  However, this does
>> not mean that servers need to cave in and do what a non-compliant browser
>> dictates to them.  In fact, it means the exact opposite.  It means that since
>> you cannot tell the origination of the intent, you can ignore all DNT:1
>> headers from that particular UA.  In this case, it is the user who is
>> negatively affected, especially if they intended to send the DNT:1 signal.
>> This will provide that user with incentive to switch browsers which will in
>> turn apply pressure to the non-compliant browser to become compliant.
>>  
>> -kevin
>>  
>> 
>> From: Peter Cranstone [mailto:peter.cranstone@gmail.com]
>> Sent: Wednesday, June 13, 2012 8:57 AM
>> To: ifette@google.com
>> Cc: Justin Brookman; public-tracking@w3.org
>> Subject: Re: ACTION-211 Draft text on how user agents must obtain consent to
>> turn on a DNT signal
>>  
>> 
>> The point that I'm trying to make is that the server has NO indication WHO
>> set the DNT flag. There is NOTHING in the spec to indicate this.
>> 
>>  
>> 
>> You know (human) that MSIE ships with the default set to 1. Ok, I get that.
>> But if I change it and then change it back two days later are you still going
>> to reject every request?
>> 
>>  
>> 
>> This whole "default" issue is a red herring. The server doesn't know default
>> from a hole in the wall. All it sees is DNT:1 and a UA.
>> 
>>  
>> 
>>  
>> 
>> 
>> Peter
>> ___________________________________
>> Peter J. Cranstone
>> 720.663.1752
>> 
>>  
>> 
>> From: "Ian Fette (イアンフェッティ)" <ifette@google.com>
>> Reply-To: <ifette@google.com>
>> Date: Wednesday, June 13, 2012 8:52 AM
>> To: Peter Cranstone <peter.cranstone@gmail.com>
>> Cc: Justin Brookman <justin@cdt.org>, W3 Tracking <public-tracking@w3.org>
>> Subject: Re: ACTION-211 Draft text on how user agents must obtain consent to
>> turn on a DNT signal
>> 
>>  
>>> Peter, what are you trying to get at? I am missing it.
>>> 
>>>  
>>> 
>>> In the case of seeing DNT:1 from IE10, by far the most likely reason for
>>> seeing that is that it's the default, and so in the absence of any other
>>> information a server would be justified in thinking that it wasn't an actual
>>> expression by the user but rather an expression by MSFT. You're correct in
>>> that in the general case it's impossible to tell who tweaked the setting
>>> (except perhaps in the case of SSL, where you know it was something on the
>>> user's computer), but what are you trying to get at?
>>> 
>>> On Wed, Jun 13, 2012 at 7:46 AM, Peter Cranstone <peter.cranstone@gmail.com>
>>> wrote:
>>> 
>>> I know what the spec says.
>>> 
>>>  
>>> 
>>> What I'm asking you to define is how the server knows WHO set the DNT flag.
>>> Nobody has been able to answer that question yet.
>>> 
>>>  
>>> 
>>> 
>>> Peter
>>> ___________________________________
>>> Peter J. Cranstone
>>> 720.663.1752 <tel:720.663.1752>
>>> 
>>>  
>>> 
>>> From: Justin Brookman <justin@cdt.org>
>>> Date: Wednesday, June 13, 2012 8:41 AM
>>> To: W3 Tracking <public-tracking@w3.org>
>>> Subject: Re: ACTION-211 Draft text on how user agents must obtain consent to
>>> turn on a DNT signal
>>> Resent-From: W3 Tracking <public-tracking@w3.org>
>>> Resent-Date: Wed, 13 Jun 2012 14:41:56 +0000
>>> 
>>>  
>>>> 
>>>> On 6/13/2012 10:35 AM, Peter Cranstone wrote:
>>>>> 
>>>>>>> >> We do not specify how tracking preference choices are offered to the
>>>>>>> user or how the preference is enabled:
>>>>> 
>>>>>  
>>>>> 
>>>>> & 
>>>>> 
>>>>>  
>>>>> 
>>>>>>> >> Implementations of HTTP that are not under control of the user must
>>>>>>> not express a tracking preference on their behalf.
>>>>> 
>>>>>  
>>>>> 
>>>>> Which means that MSIE 10 is compliant, because it's under the control of
>>>>> the user.
>>>> This alone does not mean that IE10 is compliant, as there is separate text
>>>> saying that "A user agent MUST NOT express a tracking preference for a user
>>>> unless the user has interacted with the user agent in such a way as to
>>>> indicate a tracking preference."
>>>> 
>>>> 
>>>>  
>>>> 
>>>>>> >> Implementations of HTTP that are not under control of the user must
>>>>>> not express a tracking preference on their behalf.
>>>> 
>>>>  
>>>> 
>>>> How do you know? All a proxy server has to do is add DNT:1  take Abine for
>>>> example. A 3rd party plugin that adds DNT:1 to the outbound header. You
>>>> have no idea who set it because there's no code to determine who did it. Me
>>>> or the add on.
>>>> 
>>>> I agree that third parties should not be second guessing DNT:1 signals for
>>>> all the reasons that I and others have expressed over the list in the last
>>>> two weeks.
>>>>> 
>>>>> 
>>>>> Peter
>>>>> ___________________________________
>>>>> Peter J. Cranstone
>>>>> 720.663.1752 <tel:720.663.1752>
>>>>> 
>>>>>  
>>>>> 
>>>>> From: Justin Brookman <justin@cdt.org>
>>>>> Date: Wednesday, June 13, 2012 8:26 AM
>>>>> To: W3 Tracking <public-tracking@w3.org>
>>>>> Subject: ACTION-211 Draft text on how user agents must obtain consent to
>>>>> turn on a DNT signal
>>>>> Resent-From: W3 Tracking <public-tracking@w3.org>
>>>>> Resent-Date: Wed, 13 Jun 2012 14:27:17 +0000
>>>>> 
>>>>>  
>>>>>> 
>>>>>> Hello, here is draft language for the compliance document on user agent
>>>>>> requirements.  The first paragraph is new, the second two are
>>>>>> copied-and-pasted from Section 3 of the current TPE spec.
>>>>>> 
>>>>>> Replace 4.2 Intermediary Compliance (empty) with this new section:
>>>>>> 
>>>>>> 4.2 User Agent Compliance
>>>>>> 
>>>>>> A user agent MAY offer a control to express a tracking preference to
>>>>>> third parties.  The control MUST communicate the user's preference in
>>>>>> accordance with the [[Tracking Preference Expression (DNT)]]
>>>>>> recommendation and otherwise comply with that recommendation.  A user
>>>>>> agent MUST NOT express a tracking preference for a user unless the user
>>>>>> has interacted with the user agent in such a way as to indicate a
>>>>>> tracking preference.
>>>>>> We do not specify how tracking preference choices are offered to the user
>>>>>> or how the preference is enabled: each implementation is responsible for
>>>>>> determining the user experience by which a tracking preference is
>>>>>> enabled. For example, a user might select a check-box in their user
>>>>>> agent's configuration, install an extension or add-on that is
>>>>>> specifically designed to add a tracking preference expression, or make a
>>>>>> choice for privacy that then implicitly includes a tracking preference
>>>>>> (e.g., Privacy settings: high). Likewise, a user might install or
>>>>>> configure a proxy to add the expression to their own outgoing requests.
>>>>>> 
>>>>>> Although some controlled network environments, such as public access
>>>>>> terminals or managed corporate intranets, might impose restrictions on
>>>>>> the use or configuration of installed user agents, such that a user might
>>>>>> only have access to user agents with a predetermined preference enabled,
>>>>>> the user is at least able to choose whether to make use of those user
>>>>>> agents. In contrast, if a user brings their own Web-enabled device to a
>>>>>> library or cafe with wireless Internet access, the expectation will be
>>>>>> that their chosen user agent and personal preferences regarding Web site
>>>>>> behavior will not be altered by the network environment, aside from
>>>>>> blanket limitations on what resources can or cannot be accessed through
>>>>>> that network. Implementations of HTTP that are not under control of the
>>>>>> user must not express a tracking preference on their behalf.
>>>>>> -- 
>>>>>> Justin Brookman
>>>>>> Director, Consumer Privacy
>>>>>> Center for Democracy & Technology
>>>>>> 1634 I Street NW, Suite 1100
>>>>>> Washington, DC 20006
>>>>>> tel 202.407.8812 <tel:202.407.8812>
>>>>>> fax 202.637.0969 <tel:202.637.0969> justin@cdt.orghttp://www.cdt.org
>>>>>> @CenDemTech
>>>>>> @JustinBrookman
>>>
Received on Wednesday, 13 June 2012 22:48:27 UTC