Re: Today's call: summary on user agent compliance from Tamir Israel on 2012-06-14 (public-tracking@w3.org from June 2012)

From: Tamir Israel <tisrael@cippic.ca>
Date: Thu, 14 Jun 2012 01:00:31 -0400
To: ifette@google.com
CC: Rigo Wenning <rigo@w3.org>, public-tracking@w3.org, Kevin Smith <kevsmith@adobe.com>, "Roy T. Fielding" <fielding@gbiv.com>
Message-ID: <4FD96FEF.10807@cippic.ca>
I think treading the line between "annoying" and "ensuring exception 
requests are brought to users' attention" is not an impossible one to draw.

Rigo's dashboard (which btw is in PRE alpha :P) and Jonathan's banner 
are less intrusive than your typical plug-in prompt, and users are able 
to 'accept' from the bar itself. Also, I took Rigo's point to be that 
web-wide exceptions would build momentum,

While much will certainly come down to specific browser implementations, 
if one browser's users are plagued with an excess of annoyances vis a 
vis others, this will surely take care of itself.

I think, however, it is in everyone's interest to resolve this through 
the spec. Otherwise you can get the following scenario:

MSIE: DNT-1 (set by default)
Server: Neg ACK (I have taken a look at MSIE's implementation of the 
standard and I do not deem this DNT-1 to be a valid expression of user 
choice).
MSIE: prompts the user (through an in-browser dashboard it has 
developed): this server has failed to acknowledge your DNT-1. Please 
select one of the following a.) I don't want to be tracked by this 
server; b.) I do want to be tracked by this server; c.) I'm generally ok 
with being tracked, please stop bothering me.
User: I pick 'a.) I don't want to be tracked by this server'
MSIE: DNT-1 (again)
Server: ????

The server is basing its rejection of the first DNT-1 on its own 
research and the assessment that it did not result from 'user choice'. I 
don't think it can do so for the second DNT-1. Indeed, this second DNT-1 
is fully compliant as far as I can tell.

So, I think we are better off addressing this within the spec by more 
working with the exceptions.

Best,
Tamir

On 6/13/2012 8:00 PM, Ian Fette (イアンフェッティ) wrote:
> Rigo, I didn't mean to suggest it had to be a literal popup. It could 
> be any sort of mechanism (infobar, flashing lights, whatever). The 
> point is that if it's to be acceptable to the companies representing 
> the third parties likely to be requesting exceptions, it will have to 
> be rather prominent. And if it's rather prominent, then the browser 
> vendors will be incentivized to reduce the number of times it shows up 
> in an unwanted sense ("it's annoying").
>
> Unless you're suggesting that the browser decide based on heuristics 
> of when it thinks the user is likely to click "yes" based on the 
> user's past history, and either answers for them (seems like it would 
> violate "express consent") or just doesn't answer at all (doesn't give 
> third parties equal footing and would greatly disincentivize them from 
> participating in DNT).
>
> I'm not saying there's _nothing_ we can do here, but it does seem that 
> the likely outcome is that it's not quite so simple :)
>
> On Wed, Jun 13, 2012 at 4:53 PM, Rigo Wenning <rigo@w3.org 
> <mailto:rigo@w3.org>> wrote:
>
>     On Wednesday 13 June 2012 16:38:21 Ian Fette wrote:
>     > Because I thought we said earlier (in DC) that we expected
>     > browsers would only show exception UI in response to a user
>     > gesture. Otherwise, you end up with popups on every page (which
>     > apparently some people think is an OK outcome).
>
>     Ok, I challenge you with my research result:
>
>     When Dave made the privacy dashboard, I had the idea that everybody
>     has their "known territory" in the digital world. I uncovered this
>     while training my CRM114 spam-protection system. It would start by
>     asking me for every other email. After 3 weeks, accuracy was over
>     90%. After 4 month of training, I got one false positive and about 5
>     false negatives per month.
>
>     Translated into the dashboard, we had this hanging bar. It would
>     only appear if you encounter something new. This is what users
>     expect. It works on a per-site basis and has per-site permissions.
>     Try it at code.w3.org/privacy-dashboard/
>     <http://code.w3.org/privacy-dashboard/> UI was tested in UX labs.
>     It is still somewhat alpha.. I don't want to mandate anything, just
>     suggest that we think beyond "pop up".
>
>     It has shown a way to inform the user that is not invasive (pop up)
>     and still does the trick. So we may have a third way. We should at
>     least look at that option.
>
>     Rigo
>
>
Received on Thursday, 14 June 2012 05:01:33 UTC