- From: Rigo Wenning <rigo@w3.org>
- Date: Mon, 05 Mar 2012 19:20:03 +0100
- To: public-tracking@w3.org
- Cc: Shane Wiley <wileys@yahoo-inc.com>
Hi Shane,

this was Re: ACTION-141: Draft text on DNT Expressing a Tracking Preference

I think you're addressing exactly ISSUE-115. The question you raise is mainly: in case of conflict between a DNT header and some other expression of preference outside the DNT context, it is ALWAYS the outside context that prevails.

This is tricky for the following reason: imagine an attacking scenario (this is an imaginary attacking model like in a security consideration, and parallels to reality are pure coincidence and not intended). In this scenario, a service would have a click-wrap license that contains a web-wide tracking permission in its general conditions on page 42. This hidden thingy would override a DNT selection that is much closer to the context, the current request. It would also mean that the browser is offering configuration options that have no meaning anymore only because a service has some out-of-band permission in the general clauses on page 42. This would mean that the user can be pretty confused, as her mind will probably be closer to the concrete context of the actual request than to the out-of-band permission by general conditions.

The next issue is permission control over time. If a user has set DNT=0 for some interactions and now switches to sensitive things like surfing for medical information, the user can turn on DNT=1 and the site will take the safeguards promised by the compliance document. But once a click-wrap permission is given and overrides every future action, how would or could the user revoke such a permission?

Saying that, the conflict expressed above is a very common one in legal matters. And there are some good algorithms to resolve those conflicts, including:

- newer expressions override older expressions
- more specific expressions override general expressions

So while I think ACTION-141 is done, I read from this that you're not satisfied yet with ISSUE-115. I think we haven't found a satisfactory solution yet, unfortunately.

Any idea better than 'all other will override' or 'all DNT will override'?

Best,
Rigo

On Monday 05 March 2012 04:48:15 Shane Wiley wrote:
> Rigo,
>
> Thank you for developing this draft language. Outside of smaller subjective edit suggestions I'll save for now, there does appear to be a larger logic issue towards the end of the text which I believe will need to be modified:
>
> "Likewise, servers might make use of other preference information outside the scope of this protocol, such as site-specific user preferences or third-party registration services, to inform or adjust their behavior when no explicit preference is expressed via this protocol."
>
> In the circumstance of "site-specific user preferences or third-party registration services" I believe we would consider these out-of-band user consent structures and therefore the language around "when no explicit preference is expressed via this protocol" is an incorrect statement, as even WITH a preference expressed via this protocol, the out-of-band user consent would trump.
>
> I would recommend you remove the last portion of the sentence starting with "when".
>
> Result:
> "Likewise, servers might make use of other preference information outside the scope of this protocol, such as site-specific user preferences or third-party registration services, to inform or adjust their behavior."
>
Received on Monday, 5 March 2012 18:20:39 UTC
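The three resolution rules discussed in this thread (newer wins, more specific wins, and out-of-band consent always wins), worked through on the page-42 scenario as an added example; this is not code from the message or from any W3C draft, and the record format, scope names and timestamps are constructed assumptions for illustration.

```python
"""Resolving a DNT header against out-of-band consent (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Preference:
    source: str        # label only, e.g. "click-wrap page 42"
    dnt: int           # 1 = do not track, 0 = tracking permitted
    scope: str         # "web-wide", "site" or "request" (assumed names)
    timestamp: int     # constructed epoch seconds; larger = newer
    out_of_band: bool  # True if expressed outside the DNT header


# Narrower scope ranks higher under "more specific overrides general".
SPECIFICITY = {"web-wide": 0, "site": 1, "request": 2}


def resolve_newer_wins(prefs):
    """Newer expressions override older expressions."""
    return max(prefs, key=lambda p: p.timestamp)


def resolve_specific_wins(prefs):
    """More specific expressions override general ones; ties go to the newer."""
    return max(prefs, key=lambda p: (SPECIFICITY[p.scope], p.timestamp))


def resolve_out_of_band_wins(prefs):
    """The rule questioned in the thread: any out-of-band consent prevails."""
    oob = [p for p in prefs if p.out_of_band]
    return resolve_newer_wins(oob or prefs)


# Constructed scenario: a web-wide permission buried in click-wrap conditions,
# a later DNT=0 for ordinary browsing, then DNT:1 on the current request after
# the user switched to sensitive browsing.
SCENARIO = [
    Preference("click-wrap page 42", 0, "web-wide", 1_000, True),
    Preference("earlier dnt-header", 0, "site", 2_000, False),
    Preference("dnt-header (current request)", 1, "request", 5_000, False),
]

RULES = {
    "newer": resolve_newer_wins,
    "specific": resolve_specific_wins,
    "out-of-band": resolve_out_of_band_wins,
}


def effective_dnt(prefs, rule):
    """Return the DNT value that prevails under the named rule."""
    return RULES[rule](prefs).dnt


if __name__ == "__main__":
    for rule in RULES:
        print(f"{rule:12s} -> DNT={effective_dnt(SCENARIO, rule)}")
```

Under the first two rules the user's DNT:1 on the current request prevails and the earlier permission is effectively revoked; under the out-of-band rule the page-42 permission wins and no later header can undo it.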