- From: Heather West <heatherwest@google.com>
- Date: Thu, 31 May 2012 18:59:42 -0400
- To: "Aleecia M. McDonald" <aleecia@aleecia.com>
- Cc: Shane Wiley <wileys@yahoo-inc.com>, Lauren Gelman <gelman@blurryedge.com>, "ifette@google.com" <ifette@google.com>, Justin Brookman <justin@cdt.org>, "public-tracking@w3.org" <public-tracking@w3.org>
- Message-ID: <CA+Z3oOZnZ_EgfJHifamzhZbKhn8oLBCf+Mcj-mpfG0+6=vrk2Q@mail.gmail.com>
I think that these developments - and the resulting surprise from many - make it pretty clear that we should take some time and outline what we expect of user agents. I definitely think we should add a section for that.

On Thu, May 31, 2012 at 6:31 PM, Aleecia M. McDonald <aleecia@aleecia.com> wrote:

> Some very quick points:
>
> - Until we have a published recommendation, there is nothing to comply with.
> - I see this as a reason to push for a recommendation sooner rather than later: this is the sort of thing that happens in the days before a recommendation, with companies interpreting and implementing as they like on all sides.
>
> I've had calmer days, how about all of you?
>
> On the call yesterday I suggested we add a new section on what user agents either must or should do to be in compliance with the spec. As written, there are currently no requirements on browsers. This seems like an area for further discussion. If a user agent claims to be compliant and is not, they have the FTC to answer to in the US. If a user agent is not compliant, they have press questions to answer. This is what I had in mind when we started the conversation yesterday.
>
> Of note: I did not know about MSFT's upcoming announcement prior to the call yesterday.
>
> Aleecia
>
> On May 31, 2012, at 2:25 PM, Shane Wiley wrote:
>
> This is an invalid use case as the draft compliance document already states a user must actively turn on DNT and this cannot be turned on by default. IE10 is already out of DNT compliance.
>
> - Shane
>
> *From:* Lauren Gelman [mailto:gelman@blurryedge.com]
> *Sent:* Thursday, May 31, 2012 2:21 PM
> *To:* ifette@google.com
> *Cc:* Shane Wiley; Justin Brookman; public-tracking@w3.org
> *Subject:* Re: tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking Definitions and Compliance]
>
> I just saw this, so in fairness I am revisiting Shane's question:
> http://www.microsoft.com/en-us/news/Press/2012/May12/05-31Windows8RPPR.aspx
>
> If a browser ships DNT:0 by default and a user turns it to DNT:1, then "informed, explicit" consent is needed for a publisher to cookie the user.
>
> If a browser ships DNT:1 by default, and a user turns it to DNT:0 then "informed, explicit" consent would be needed for a publisher to not collect cookies from the user.
>
> So it still seems to be a matter of requiring heightened awareness based on a PROCESS-- when someone who has changed their default setting is asked to override that default and not SUBSTANCE-- whether the change is turning on or off DNT.
>
> Lauren Gelman
> BlurryEdge Strategies
> 415-627-8512
>
> On May 30, 2012, at 9:31 PM, Ian Fette (イアンフェッティ) wrote:
>
> It's also to note that over time, things have tended to shift, e.g. some browsers are now blocking third party cookies by default...
>
> On Wed, May 30, 2012 at 4:44 PM, Lauren Gelman <gelman@blurryedge.com> wrote:
>
> Of course-- but realistically, majority default DNT is not the world this standard will exist in. DNT is going to be a 10% solution.
>
> Frankly, having done privacy for almost 20 years, the idea that millions of users are going to turn on any privacy setting such that they unknowingly stop sharing their data in a way that actually has any impact on any business's bottom line is unrealistic at best. (Can anyone point to any internet business, ever, where this has happened??) I've heard of spam, spyware, phishing, spear phishing, etc. I've never heard of a massive pro-privacy viral campaign that worked. There's lots of $ behind companies trying to get users to turn off DNT and no $ to try to get them to turn it on, so I think this is really orthogonal to what this group is working on.
>
> Lauren Gelman
> BlurryEdge Strategies
> 415-627-8512
>
> On May 30, 2012, at 4:05 PM, Ian Fette (イアンフェッティ) wrote:
>
> I think the desire though is that DNT is a representation of a user's explicit preference. If a browser set it by default, for instance, would a site be obligated to respect it?
>
> -Ian
>
> On Wed, May 30, 2012 at 3:33 PM, Lauren Gelman <gelman@blurryedge.com> wrote:
>
> I don't see the parity here. One is a user's affirmative action being overruled by another entity. The other is the user opting to change a default setting.
>
> Lauren Gelman
> BlurryEdge Strategies
> 415-627-8512
>
> On May 30, 2012, at 3:22 PM, Shane Wiley wrote:
>
> Justin,
>
> If companies are expected to achieve “informed and explicit” consent to turn off DNT, then it is only fair that User Agents also achieve “informed and explicit” consent to turn on DNT. Do you disagree?
>
> - Shane
>
> *From:* Justin Brookman [mailto:justin@cdt.org]
> *Sent:* Wednesday, May 30, 2012 3:17 PM
> *To:* public-tracking@w3.org
> *Subject:* Re: tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking Definitions and Compliance]
>
> What problem? You honor the header by doing what the spec says. There is no need for you to try to discern user intent, and indeed, no way for you to do so. Ad networks cannot be and are not expected to be responsible for every UI or every possible bit of misinformation someone saw in a comment thread on Reddit to get them to turn on DNT in the first place.
>
> Today, if someone sets their browser to block third-party cookies, you don't try to circumvent that on the theory that someone maybe didn't understand what cookies did in the first place. Nor do we dictate to the user agents how and when to surface and describe those capabilities.
>
> If there are conflicting headers, that's a different issue, and Ian and Jonathan are putting together draft text on that issue.
>
> Justin Brookman
> Director, Consumer Privacy
> Center for Democracy & Technology
> 1634 I Street NW, Suite 1100
> Washington, DC 20006
> tel 202.407.8812
> fax 202.637.0969
> justin@cdt.org
> http://www.cdt.org
> @CenDemTech
> @JustinBrookman
>
> On 5/30/2012 3:34 PM, Chris Mejia wrote:
>
> I believe new Issue-150 is closely related to open Issue-143. If the user's intent in turning on/off DNT is not clear (especially in cases where the user doesn't even know they are specifically sending a DNT:1 header), there is no way for publishers to understand how to accurately "honor" any consumer's DNT header flag― *it's a fundamental flaw with this scope of this proceeding*. I laid out the concern in some detail in my previous email to the group ("In Support of Issue-143"); so I'll just give the brief version here: if publishers do not understand the context of the user's DNT expression (was the user properly informed about what setting does/means, before it was set) how are publishers to determine what the user actually intended, or if the user is even aware that a DNT flag is being sent? If any question/statement in any UI can lead to the sending of DNT:1 or DNT:0, where is the integrity of the system/solution?
>
> To give just one example (there are many) of how a DNT mechanism that lacks a uniform informed consent requirement might be abused, consider the theoretical yet plausible scenario where an email is sent to (millions of) users informing the users that they should "*click here to prevent evil doers from knowing who you are*" or even worse, "*click here if you think blue is a pretty color*" (replace with a variety of malware tactics), the user's click leading to a programmatic setting of DNT, without the user's informed consent under uniform compliance rules. When that happens (some zealot decides to abuse the system), I'm sure we'll eventually learn about it, after some amount of damage being done.
>
> *When it becomes known that users were deceived into sending a DNT expression (no uniform informed consent), here's what the end-game of publishers might be:* without a way of discerning how DNT was set (which program; who owns the program; being able to inspect the program), and under which auspices it was set (what did the user agree to when they clicked?), when learning of a set of users who were deceived into setting DNT, publishers may be forced to consider if they should honor any DNT header requests at all, in an effort to protect the web experience of all users. Under this scenario, publishers may be compelled to issue public statements outlining the fatal flaws of this W3C DNT mechanism, citing the specific abuses, and walking away from compliance on the grounds that being "compliant" with such a system would be harmful to the majority of its users.
>
> Is that really the result that this working group is looking for? If not, I strongly suggest that we all get on board with defining a system where the actual intent of the user is absolutely clear― the only way I can think to accomplish this is to require compliance with a uniform requirement to properly educate/inform the user about their choice, at the point user choice is made. Of course I'm open to hearing other suggestions for solving this problem, but I feel that "*it's out of scope/Charter for this project*" is not an acceptable solution― that answer does not solve the problem described here and in open Issue-143. Please, let's solve the actual problem.
>
> Chris Mejia, IAB/DAA
>
> On 5/30/12 1:35 PM, "Tracking Protection Working Group Issue Tracker" <sysbot+tracker@w3.org> wrote:
>
> tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking Definitions and Compliance]
>
> http://www.w3.org/2011/tracking-protection/track/issues/150
>
> Raised by: Aleecia McDonald
> On product: Tracking Definitions and Compliance
>
> Due to multiple addons that support Do Not Track, there could be conflicts. For example, a user could turn off DNT (not unset, actually off, sending DNT:0) in Firefox, yet install Abine's "Do Not Track Plus" addon (which sends DNT:1). More fun, users could have three different addons, each with a different value. Do we have either best practices or requirements for user agents here?
>
> Created from original issue-148, with actions taken by ifette and jmayer to write proposals.

--
Heather West | Google Policy | heatherwest@google.com | 202-643-6381
Received on Thursday, 31 May 2012 23:00:35 UTC