ISSUE-115: was ACTION-141

Hi Shane, 

this was Re: ACTION-141: Draft text on DNT Expressing a Tracking Preference

I think you're addressing exactly the ISSUE-115. The question you raise is 
mainly: 

In case of conflict between a DNT header and some other expression of 
preference outside the DNT context, it is ALWAYS the outside context that 
prevails. This is tricky for the following reason: 

Imagine an attack scenario (this is an imaginary attack model like in 
security considerations, and parallels to reality are pure coincidence and not 
intended). In this scenario, a service would have a click-wrap license that 
contains a web-wide tracking permission in its general conditions on page 42. 
This hidden thingy would override a DNT selection that is much closer to the 
context, the current request. It also would mean that the browser is offering 
configuration options that have no meaning anymore only because a service has 
some out of band permission in the general clauses on page 42. This would mean 
that the user can be pretty confused as her mind will probably be closer to 
the concrete context of the actual request than to the out of band permission 
by general conditions. 

Next issue is permission control over time. If a user has set DNT=0 for some 
interactions and now switches to sensitive things like surfing for medical 
information, the user can turn on DNT=1 and the site will take the safeguards 
promised by the compliance document. But once a click-wrap permission is given 
and overrides every future action, how would or could the user revoke such a 
permission?

Saying that, the conflict expressed above is a very common one in legal 
matters. And there are some good algorithms to resolve those conflicts, 
including: 
 - newer expressions override older expressions
 - more specific expressions override general expressions 

So while I think Action-141 is done, I read from this that you're not 
satisfied yet with ISSUE-115. I think we haven't found a satisfactory solution 
yet, unfortunately. Any idea better than 'all other will override' or 'all DNT 
will override'?

Best, 

Rigo

On Monday 05 March 2012 04:48:15 Shane Wiley wrote:
> Rigo,
> 
> Thank you for developing this draft language.  Outside of smaller subjective
> edit suggestions I'll save for now, there does appear to be a larger logic
> issue towards the end of the text which I believe will need to be modified:
> 
> "Likewise, servers might make use of other preference information outside
> the scope of this protocol, such as site-specific user preferences or
> third-party registration services, to inform or adjust their behavior when
> no explicit preference is expressed via this protocol."
> 
> In the circumstance of "site-specific user preferences or third-party
> registration services" I believe we would consider these out-of-band user
> consent structures and therefore the language around "when no explicit
> preference is expressed via this protocol" is an incorrect statement as
> even WITH a preference expressed via this protocol, the out-of-band user
> consent would trump.
> 
> I would recommend you remove the last portion of the sentence starting with
> "when".
> 
> Result:
> "Likewise, servers might make use of other preference information outside
> the scope of this protocol, such as site-specific user preferences or
> third-party registration services, to inform or adjust their behavior."
> 

Received on Monday, 5 March 2012 18:20:39 UTC