Re: tracking-ISSUE-147: Transporting Consent via the Exception / DNT mechanisms [Global Considerations]

On Tuesday 15 May 2012 10:58:05 Roy T. Fielding wrote:
> On May 15, 2012, at 12:56 AM, Rigo Wenning wrote:
> > This is not true. If the origin server has received a DNT;0 header, we
> > also assume that the user has given his/her consent to be tracked. This
> > goes way beyond what would be the situation without header.
> 
> Consent to be tracked means data about their activity can be
> collected.  That does not say how it can be used.  The EU regulations,
> individual state regulations, and proposed US policies all require
> that the consent be contextual/informed (the user knows why it is
> being requested and how the data will be used) and that any use or
> sharing outside of the established consent/context requires an
> additional consent.

Only because there is an often implicit binding to some purpose limitation 
in the EU legal system, it doesn't mean we have to make that implicit 
context explicit in a policy language in our Specifications. This would 
require more than P3P. DNT is not granular. For the user it says more or 
less "give me some protection" and "do whatever".  This is the expression 
power. Whether then we include Analytics on the first party in the semantics 
to cover a very common use case without affecting the baseline protection of 
the compliance specification is something I encourage us to discuss. I 
haven't heard Rob saying we need it. 
> 
> In other words, the DNT protocol as currently defined provides no
> utility whatsoever to publishers for meeting those regulations
> without a separate consent mechanism that details the purpose,
> and if we have a separate consent mechanism then we don't need DNT.
> Hence, this is now a critical issue.  DNT needs to deal with
> data usage purposes or limit its scope to one purpose.

Your mistake is to believe that the semantics of the purpose has to be 
carried in the DNT language. And I think the consent mechanism is distinct 
from the backend data handling. We have dealt with the latter in PrimeLife. 
There you may add to the data record that you acquired it within the DNT 
regime and using the DNT communication mechanism. 
> 
> A lot of people (including Rigo) assume that DNT is specific to
> advertising.  That simply isn't the case.  It is not true of our
> documents, it is not true of the regulations, and it is not true
> for the composition of our WG.  If DNT was "Do Not Target Ads",
> then it would be true, and I wouldn't be here.  I'll be perfectly
> happy to resolve this issue by the WG declaring that all of the
> non-OBA uses of tracking are outside the scope of DNT.

Again, the mistake is that you want to exemplify the purpose in the machine 
readable part. This is a dead end because there is an infinite number of 
possible purposes. So purposes may come out of context or explanations on 
the site. And for the data handling issues we may discuss creating a WG to 
renovate P3P along the lines that Dave suggested, to allow for better data 
handling if data was acquired under DNT. 

So I agree, we need further discussion on this as it was underspecified so 
far. But I don't see the roadblocks you see unless Rob puts those explicitly 
in our way. This is the big advantage compared to the P3P work where we had 
no Rob. 

Rigo

Received on Wednesday, 16 May 2012 10:24:57 UTC