- From: Rigo Wenning <rigo@w3.org>
- Date: Wed, 16 May 2012 12:25:21 +0200
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
On Tuesday 15 May 2012 10:58:05 Roy T. Fielding wrote:
> On May 15, 2012, at 12:56 AM, Rigo Wenning wrote:
> > This is not true. If the origin server has received a DNT;0 header, we
> > also assume that the user has given his/her consent to be tracked. This
> > goes way beyond what would be the situation without header.
>
> Consent to be tracked means data about their activity can be
> collected. That does not say how it can be used. The EU regulations,
> individual state regulations, and proposed US policies all require
> that the consent be contextual/informed (the user knows why it is
> being requested and how the data will be used) and that any use or
> sharing outside of the established consent/context requires an
> additional consent.

Only because there is an often implicit binding to some purpose limitation in the EU legal system, it doesn't mean we have to make that implicit context explicit in a policy language in our Specifications. This would require more than P3P. DNT is not granular. For the user it says more or less "give me some protection" and "do whatever". This is the expression power. Whether then we include Analytics on the first party in the semantics to cover a very common use case without affecting the baseline protection of the compliance specification is something I encourage us to discuss. I haven't heard Rob saying we need it.

>
> In other words, the DNT protocol as currently defined provides no
> utility whatsoever to publishers for meeting those regulations
> without a separate consent mechanism that details the purpose,
> and if we have a separate consent mechanism then we don't need DNT.
> Hence, this is now a critical issue. DNT needs to deal with
> data usage purposes or limit its scope to one purpose.

Your mistake is to believe that the semantic of the purpose has to be carried in the DNT language. And I think the consent mechanism is distinct from the backend data handling. We have dealt with the latter in PrimeLife. There you may add to the data record that you acquired it within the DNT regime and using the DNT communication mechanism.

>
> A lot of people (including Rigo) assume that DNT is specific to
> advertising. That simply isn't the case. It is not true of our
> documents, it is not true of the regulations, and it is not true
> for the composition of our WG. If DNT was "Do Not Target Ads",
> then it would be true, and I wouldn't be here. I'll be perfectly
> happy to resolve this issue by the WG declaring that all of the
> non-OBA uses of tracking are outside the scope of DNT.

Again, the mistake is that you want to exemplify the purpose in the machine readable part. This is a dead end because there is an infinite number of possible purposes. So purposes may come out of context or explanations on the site. And for the data handling issues we may discuss creating a WG to renovate P3P along the lines that Dave suggested, to allow for better data handling if data was acquired under DNT.

So I agree, we need further discussion on this as it was underspecified so far. But I don't see the roadblocks you see unless Rob puts those explicitly in our way. This is the big advantage compared to the P3P work where we had no Rob.

Rigo
Received on Wednesday, 16 May 2012 10:24:57 UTC