RE: ISSUE-115: was ACTION-141

<Rigo>Next issue is permission control over time. If a user has set DNT=0 for some interactions and now switches to sensitive things like surfing for medical information, the user can turn on DNT=1 and the site will take the safeguards promised by the compliance document. But once a click-wrap permission is given and overrides every future action, how would or could the user revoke such a permission? </Rigo>

Rigo, I really see this the other way. I would turn on DNT:1 to protect me from sites with which I do not have a relationship. If I want to disable a specific site from tracking me based on a setting at that site, I would change the setting or log off from the site. This is the same way that Private Browsing works. It doesn't prevent sites from identifying you if you log into the site.

I actually find your scenario a bit vague as well. You say "surfing" as if it is across multiple sites. Generally users don't set permissions at many sites where they may be browsing. If this is still something you want to pursue, can you provide a more concrete scenario where research sites are given permission to create profiles of the user such that they can ignore DNT?

Thanks,
JC


-----Original Message-----
From: Rigo Wenning [mailto:rigo@w3.org] 
Sent: Monday, March 05, 2012 10:20 AM
To: public-tracking@w3.org
Cc: Shane Wiley
Subject: ISSUE-115: was ACTION-141

Hi Shane, 

this was Re: ACTION-141: Draft text on DNT Expressing a Tracking Preference

I think you're addressing exactly ISSUE-115. The question you raise is mainly:

In case of conflict between a DNT header and some other expression of preference outside the DNT context, it is ALWAYS the outside context that prevails. This is tricky for the following reason: 

Imagine an attack scenario (this is an imaginary attack model, as in a security considerations section; parallels to reality are pure coincidence and not intended). In this scenario, a service would have a click-wrap license that contains a web-wide tracking permission in its general conditions on page 42.
This hidden thingy would override a DNT selection that is much closer to the context, the current request. It would also mean that the browser is offering configuration options that have no meaning anymore, only because a service has some out-of-band permission in the general clauses on page 42. This would mean that the user can be pretty confused, as her mind will probably be closer to the concrete context of the actual request than to the out-of-band permission in the general conditions.

Next issue is permission control over time. If a user has set DNT=0 for some interactions and now switches to sensitive things like surfing for medical information, the user can turn on DNT=1 and the site will take the safeguards promised by the compliance document. But once a click-wrap permission is given and overrides every future action, how would or could the user revoke such a permission?

That said, the conflict expressed above is a very common one in legal matters. And there are some good algorithms to resolve those conflicts, including:
 - newer expressions override older expressions
 - more specific expressions override general expressions 

So while I think Action-141 is done, I read from this that you're not satisfied yet with ISSUE-115. I think we haven't found a satisfactory solution yet, unfortunately. Any idea better than 'all other will override' or 'all DNT will override'?

Best, 

Rigo

On Monday 05 March 2012 04:48:15 Shane Wiley wrote:
> Rigo,
> 
> Thank you for developing this draft language.  Outside of smaller 
> subjective edit suggestions I'll save for now, there does appear to be 
> a larger logic issue towards the end of the text which I believe will need to be modified:
> 
> "Likewise, servers might make use of other preference information 
> outside the scope of this protocol, such as site-specific user 
> preferences or third-party registration services, to inform or adjust 
> their behavior when no explicit preference is expressed via this protocol."
> 
> In the circumstance of "site-specific user preferences or third-party 
> registration services" I believe we would consider these out-of-band 
> user consent structures and therefore the language around "when no 
> explicit preference is expressed via this protocol" is an incorrect 
> statement as even WITH a preference expressed via this protocol, the 
> out-of-band user consent would trump.
> 
> I would recommend you remove the last portion of the sentence starting 
> with "when".
> 
> Result:
> "Likewise, servers might make use of other preference information 
> outside the scope of this protocol, such as site-specific user 
> preferences or third-party registration services, to inform or adjust their behavior."
> 

Received on Monday, 5 March 2012 21:04:16 UTC
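The thread lists three candidate rules for resolving a conflict between a DNT header and an out-of-band consent record: "all other will override" (Shane's reading of the draft), "newer expressions override older expressions" and "more specific expressions override general expressions" (Rigo's two legal algorithms). The following is an added example, not code from the thread or from the W3C Tracking Preference Expression or compliance drafts: a small Python resolver that implements each rule and runs the two scenarios discussed above, the page-42 click-wrap permission and permission control over time. The `Expression` record, the `SPECIFICITY` ranking (a per-request DNT header counts as most specific, a site-specific setting next, a web-wide clause least) and all timestamps and origins are assumptions made for the example.

```python
"""Toy resolver for conflicting tracking-preference expressions.

Added example: not part of the mailing-list thread and not the W3C TPE
algorithm. It models the three conflict rules under discussion and runs
the two scenarios from the thread on constructed data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WEB_WIDE = "*"  # assumed marker for a permission covering every origin

# Assumed specificity ranks. The DNT header travels with the very request it
# governs, so it is ranked most specific; a site-specific setting is narrower
# than a web-wide click-wrap clause buried in general conditions.
SPECIFICITY = {"dnt-header": 2, "site-specific": 1, "web-wide": 0}


@dataclass(frozen=True)
class Expression:
    kind: str             # one of the SPECIFICITY keys
    scope: str            # origin the expression covers, or WEB_WIDE
    allow_tracking: bool  # True means "you may track me"
    issued_at: int        # constructed timestamp; larger is newer


def expression_from_dnt(header: Optional[str], origin: str, now: int) -> Optional[Expression]:
    """Map a DNT request header to an Expression; unrecognised values are ignored here."""
    if header is None:
        return None
    value = header.strip()
    if value == "1":
        return Expression("dnt-header", origin, False, now)
    if value == "0":
        return Expression("dnt-header", origin, True, now)
    return None


def applicable(exprs: List[Expression], origin: str) -> List[Expression]:
    """Expressions that cover this origin (site-specific or web-wide)."""
    return [e for e in exprs if e.scope in (origin, WEB_WIDE)]


def resolve_out_of_band_wins(exprs: List[Expression], origin: str) -> Optional[bool]:
    """'All other will override': any out-of-band record trumps the header."""
    cands = applicable(exprs, origin)
    oob = [e for e in cands if e.kind != "dnt-header"]
    pool = oob or cands  # fall back to the header only if nothing out-of-band exists
    return max(pool, key=lambda e: e.issued_at).allow_tracking if pool else None


def resolve_newer_wins(exprs: List[Expression], origin: str) -> Optional[bool]:
    """'Newer expressions override older expressions'."""
    cands = applicable(exprs, origin)
    return max(cands, key=lambda e: e.issued_at).allow_tracking if cands else None


def resolve_specific_wins(exprs: List[Expression], origin: str) -> Optional[bool]:
    """'More specific expressions override general expressions'; ties go to the newer one."""
    cands = applicable(exprs, origin)
    if not cands:
        return None
    best = max(cands, key=lambda e: (SPECIFICITY[e.kind], e.issued_at))
    return best.allow_tracking


def resolve_all(exprs: List[Expression], origin: str) -> Dict[str, Optional[bool]]:
    return {
        "out-of-band wins": resolve_out_of_band_wins(exprs, origin),
        "newer wins": resolve_newer_wins(exprs, origin),
        "specific wins": resolve_specific_wins(exprs, origin),
    }


def clickwrap_scenario() -> Dict[str, Optional[bool]]:
    """Rigo's attack model: a web-wide permission on page 42, then DNT:1 on the request."""
    tracker = "tracker.example"  # constructed origin
    stored = [Expression("web-wide", WEB_WIDE, True, issued_at=100)]
    header = expression_from_dnt("1", tracker, now=200)
    return resolve_all(stored + [header], tracker)


def revocation_scenario() -> Tuple[Dict[str, Optional[bool]], Dict[str, Optional[bool]]]:
    """Permission over time: earlier site-specific consent, later DNT:1, then a changed setting."""
    site = "research.example"  # constructed origin
    consent = [Expression("site-specific", site, True, issued_at=100)]
    before = resolve_all(consent + [expression_from_dnt("1", site, now=200)], site)
    # The user does what JC suggests: changes the setting at the site itself.
    consent.append(Expression("site-specific", site, False, issued_at=300))
    after = resolve_all(consent + [expression_from_dnt("1", site, now=400)], site)
    return before, after


if __name__ == "__main__":
    print("click-wrap:", clickwrap_scenario())
    print("revocation:", revocation_scenario())
```

Under "out-of-band wins" the page-42 clause keeps tracking enabled despite DNT:1, which is exactly the confusion Rigo describes; under either of the two legal rules the header prevails, because it is both the newest and the most specific expression. The revocation scenario shows that once the user changes the setting at the site, all three rules agree, which is JC's point, but that only "out-of-band wins" leaves the user without any header-level way to revoke in the meantime. Note also that because the header accompanies every request it is always the newest expression, so "newer wins" behaves like "DNT wins" unless out-of-band consent is re-recorded at request time.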