Re: Evolving Online Privacy - Advancing User Choice

Shane,

Great document. Something to think about in Seattle.

Pre-amble…

The ultimate objective is a Do Not Track standard that will advance user
choice beyond the number of already available options and will be
implemented by a significant portion of the ecosystem.

Agreed.

…
Part III Explicit and Separate User Choice
<Normative>
1.     A User Agent must obtain explicit, informed consent to turn on the
DNT header*

2.     The User Agent must also make available via a link in explanatory
text where DNT is enabled to provide more detailed information about DNT
functionality

3.     Any User Agent claiming compliance must have a functional
implementation of the browser exceptions in this specification

4.     Servers MAY MUST respond to users that their UA is "non-compliant" if
they believe this to be the case

a.     User Agents MUST relay Server responses to users to ensure
transparency

b.     Servers SHOULD MUST be prepared to defend why they have reached this
conclusion

c.      Servers that respond to 100% of DNT requests regardless of User
Agent details ARE NOT compliant with this recommendation

d.     Servers MAY MUST offer users additional information through a
resource link

5.     Efforts to mislead users to activate Do Not Track MAY also be seen as
"non-compliant"

*NOTE – The TPWG already agreed on this point



Why am I making the suggested changes above? Simply because if the server
decides something then you MUST allow the user to participate in that
decision or else there is NO reason to implement the standard.

Here's the use case.

You've installed Windows 8 and accepted the defaults (Your Choice). You go
to a Web site. The Web site believes that you may have an invalid UA, or may
have NOT chosen the DNT setting by Choice. With your wording above it MAY
decide to respond. That's ridiculous. If the server decides to NOT honor the
setting then it MUST communicate that choice back to the user, otherwise it
is NOT being transparent.

You cannot have it both ways. Either you can determine "WHO" set the flag by
choice or not. In the case of the spec you cannot. Therefore if you decide
to validate that choice from the server then the server's "choice" MUST be
communicated back to the user.

And the server MUST make available ALL the reasons why it's choosing NOT to
honor that flag. It MUST then give the user a Choice on whether or not the
USER wants to have that particular UA accepted by the server.

A protocol by definition is about communication. Communication in the case
of Privacy is 2 way. Otherwise it's not transparent, and it's NOT advancing
USER choice, it's merely advancing SERVER choice.





___________________________________
Peter J. Cranstone
720.663.1752


From:  Shane Wiley <wileys@yahoo-inc.com>
Date:  Wednesday, June 20, 2012 1:03 AM
To:  W3 Tracking <public-tracking@w3.org>
Subject:  Evolving Online Privacy - Advancing User Choice
Resent-From:  W3 Tracking <public-tracking@w3.org>
Resent-Date:  Wed, 20 Jun 2012 07:04:11 +0000

> TPWG,
>  
> Please find attached the detailed proposal text we'll be reviewing tomorrow
> afternoon (built upon the proposal outline I provided last week).
>  
> The following individuals, companies, and trade associations contributed to
> this proposal:  
>  
> Marc Groman & David Wainberg – NAI
> Alan Chapell – Chapell & Associates
> Heather West, Sean Harvey, & Ian Fette – Google
> Shane Wiley – Yahoo!
>  
> There is considerable detail covering numerous topics in this proposal and
> therefore it should not be considered an endorsement by all contributors to all
> parts of this proposal.  That said, all contributors generally agree with the
> direction and approach of this document.
>  
> We look forward to further discussion and fielding questions tomorrow
> afternoon.
> 
> Thank you,
> Shane

Received on Wednesday, 20 June 2012 13:38:04 UTC