RE: ACTION-212: Draft text on how user agents must obtain consent to turn on a DNT signal

Seems like this discussion is heading down the road of mandating what sites have to say when requesting the exception.  I think that would be a big mistake.

It will be in the site’s best interest to explain why they need the exception.  For starters, the user already turned DNT on, so they’re going to need a reason to turn it off.  But, in addition, if the user doesn’t like how the site asks for the exception, they will be less inclined to visit the site again.  And, if the site misrepresents the reason for the exception, I think that’s probably a clear case for the FTC to invoke its Sec 5 authority.  The FTC peeps can correct me if I’m wrong on that.

Also, there are a number of reasons why an exception might be needed – tracking needs to be enabled so a certain awesome feature can work, a site needs to track so it can serve OBA, or the first party wants to be able to share your data with a business partner to send you cool stuff, etc.  Creating a mandated UI for exceptions is not likely to encompass all of these varied reasons and it would not allow for sites to innovate/try new kinds of notices.  In the end, a one-size-fits-all approach here would likely confuse the user more than help.

My point is that there are lots of reasons for sites to clearly explain why they need an exception.  There’s no need to mandate anything here.  As Shane often notes, the bad actors aren’t going to be using this spec, so we shouldn’t unduly hamstring the good actors.

From: David Singer [mailto:singer@apple.com]
Sent: Friday, November 16, 2012 12:48 PM
To: Chris Pedigo
Cc: Alan Chapell; Dobbs, Brooks; public-tracking@w3.org WG
Subject: Re: ACTION-212: Draft text on how user agents must obtain consent to turn on a DNT signal


On Nov 16, 2012, at 9:29 , Chris Pedigo <CPedigo@online-publishers.org<mailto:CPedigo@online-publishers.org>> wrote:


My understanding is that only the first party would be asking for these exceptions (perhaps for itself or perhaps for certain or all third parties).  Is that correct?

It has to be a site that is visited by the user, yes, either the page or iFrame owner. So for examplesocial to get a web-wide exception, it has to invoke the script from a document loaded from its site.  Now, 1x1 iFrames are possible, of course; we're wide open to abuse here, which means we need to be pretty strict about what is required.





From: David Singer [mailto:singer@apple.com<http://apple.com/>]
Sent: Friday, November 16, 2012 12:17 PM
To: Alan Chapell
Cc: Dobbs, Brooks; public-tracking@w3.org<mailto:public-tracking@w3.org> WG
Subject: Re: ACTION-212: Draft text on how user agents must obtain consent to turn on a DNT signal


On Nov 16, 2012, at 8:37 , Alan Chapell <achapell@chapellassociates.com<mailto:achapell@chapellassociates.com>> wrote:



David – I'm not sure I agree that the description of tracking in DNT should be left exclusively to websites.

Well, I am sure that sites can be much more precise about their actual intentions and practices when they ask for an exception than we can be in the specification. Yes, the specification can make some general statements about what might happen, but the site can be much clearer, and I think it needs to be if the user is to be informed.




But if that's what the group agrees to do, doesn't that still place the onus on the TPWG to explain to those websites how the DNT header will impact them? And doesn't that explanation require a definition of tracking?

As you know, I have volunteered a definition of tracking, but not actually for this purpose; I thought it would help if we had a definition which clearly delimited what was *out* of scope, i.e. if you're not doing things that fall into this definition, don't worry about this spec.  But we didn't go there (well, not yet).

I don't think it helps in this case, though, as it only gives a rough 'area of concern' to the user, whereas the site can be, and should be, very clear, I think.  It ought to know what it's asking for, after all.







From: David Singer <singer@apple.com<mailto:singer@apple.com>>
Date: Friday, November 16, 2012 11:16 AM
To: "Dobbs, Brooks" <brooks.dobbs@kbmg.com<mailto:brooks.dobbs@kbmg.com>>
Cc: "public-tracking@w3.org<mailto:public-tracking@w3.org> WG" <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Re: ACTION-212: Draft text on how user agents must obtain consent to turn on a DNT signal
Resent-From: <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Resent-Date: Fri, 16 Nov 2012 16:18:04 +0000


On Nov 16, 2012, at 6:14 , "Dobbs, Brooks" <brooks.dobbs@kbmg.com<mailto:brooks.dobbs@kbmg.com>> wrote:



David,

You actually raise an interesting point.  What I think is being suggested is that where the election of DNT:1 is offered in a UA that a user is informed about what that means.  You make the seemingly logical retort that where the election of DNT:0 is offered (on a site) that a user is informed about what it means prior to making that election.

Yes, exactly.  The user is being asked to permit 'tracking', and that site absolutely needs to explain what it is going to do with that permission.



The unfortunate problem is that it is difficult to communicate that which is not defined by the spec.  Unlike DNT:1, we don't say what DNT: 0 means other than to say "The user prefers to allow [undefined] on the target site."

All the more reason that the site had better explain in clear terms what it intends to do, because no one else can.



Also given that, in the minds of the average consumer, "target site" is likely to be be confused with the 1st party, there is not much that can be taken for guidance here.

Yes, it is also necessary for the site in question clearly to identify itself and the scope of the permission, I agree.




-Brooks

--

Brooks Dobbs, CIPP | Chief Privacy Officer |KBM Group | Part of the Wunderman Network
(Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com<http://kbmg.com/>
brooks.dobbs@kbmg.com<x-msg://779/brooks.dobbs@kbmg.com>

<image[368].png>

This email – including attachments – may contain confidential information. If you are not the intended recipient,
 do not copy, distribute or act on it. Instead, notify the sender immediately and delete the message.

From: David Singer <singer@apple.com<mailto:singer@apple.com>>
Date: Thursday, November 15, 2012 6:46 PM
To: "public-tracking@w3.org<mailto:public-tracking@w3.org> WG" <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Re: ACTION-212: Draft text on how user agents must obtain consent to turn on a DNT signal
Resent-From: <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Resent-Date: Thursday, November 15, 2012 6:46 PM


On Nov 14, 2012, at 9:31 , Justin Brookman <justin@cdt.org<mailto:justin@cdt.org>> wrote:



“The User Agent MUST make available explanatory text to provide more detailed information about DNT functionality within easy and direct access for the particular environment prior to DNT being enabled.”

and all sites will, of course, be mandated to do the same or better for exception requests?





Ah, thanks for the update.




Justin Brookman

Director, Consumer Privacy

Center for Democracy & Technology

1634 I Street NW, Suite 1100

Washington, DC 20006

tel 202.407.8812

fax 202.637.0969

justin@cdt.org<mailto:justin@cdt.org>http://www.cdt.org<http://www.cdt.org/>

@CenDemTech

@JustinBrookman
On 11/14/2012 12:23 PM, Shane Wiley wrote:
Justin,

The updated text submitted 2 weeks ago removed the “link” reference and instead speaks to “informing users” more broadly prior to the activation of DNT (DNT:1).

- Shane

From: Justin Brookman [mailto:justin@cdt.org]
Sent: Wednesday, November 14, 2012 9:20 AM
To: public-tracking@w3.org<mailto:public-tracking@w3.org> Group WG
Subject: Re: ACTION-212: Draft text on how user agents must obtain consent to turn on a DNT signal

Obviously, a browser cannot misrepresent what the setting does.  If I order the Thundercats shirt from Etsy and get a Jem and the Holograms tank top instead, I have a right to be upset.  I also have a fairly bulletproof argument that Etsy deceived me and must give me my money back.  If a browser turns on DNT upon the prompt, "click here to make all your privacy problems go away," they will be under significant pressure to change this language.  Isn't this what happened with browsers' private browsing mode?  People complained quite loudly that the setting overpromised, and the browsers responded by including detailed disclosures about what the setting does and doesn't do.

Shane's proposed language already requires a link to disclosure about what DNT does; again, this itself seems fairly prescriptive and I'm not aware of any other privacy setting where detailed explanatory information is required by a technical standard.  But I can live with it.  I would have thought that the browsers would not want to be told precisely how to present information to their users about Do Not Track (or any other feature), but if you're fine providing a link to NAI's arguments against DNT when DNT is turned on, and a link to Jeff Chester's arguments against tracking whenever a site requests a DNT exception, perhaps my concern is miscalibrated :)

I know that's not what you're looking for, but what is the alternative?  I could easily nitpick the language that Chrome provides to users when they turn on DNT --- is the answer an W3C-mandated user interface or specific list of data points to message to the user?




Justin Brookman

Director, Consumer Privacy

Center for Democracy & Technology

1634 I Street NW, Suite 1100

Washington, DC 20006

tel 202.407.8812

fax 202.637.0969

justin@cdt.org<mailto:justin@cdt.org>

http://www.cdt.org<http://www.cdt.org/>

@CenDemTech

@JustinBrookman
On 11/13/2012 11:23 PM, Ian Fette (イアンフェッティ) wrote:
I have to say that this has been one of my favorite emails this week w.r.t. the Thundercats t-shirt. That said, being serious for a moment, I think part of it is that we still haven't settled on what the thing should be called. It's currently DNT but I believe we agreed that it was a placeholder and would re-visit the name once we had figured out what we managed to actually build.

Saying "Click here to turn on Do Not Track" is a lot like saying "Click here to get a free pony and see puppies." It sounds great and I can't imagine why any user wouldn't say "yes" given the text. The problem is that the user isn't really getting ponies, puppies, or a world in which their web browsing behaviour is magically kept private by re-inventing the way the Internet works. Even if we applied DNT to all first parties as well, there's still exceptions such as security, financial reporting etc that will result in their browsing history being kept by third parties, which is probably not what I would expect if you told me that I was "not being tracked."

I don't think it's unreasonable to ask that if websites are being told "the user has a preference for X" that we at least do some diligence to explore ways to make sure that what the sites are being told is the user's preference actually matches a decision the user would make. Asking the user "Do you want a pony" and then telling the website "The user wants you to mail them a Thundercats t-shirt" makes about as much sense as asking a user "Do you want to send a Do-Not-Track header to websites you visit" and expecting websites to believe the user made any sort of informed decision about the issues touched on in the spec.

My $0.024

On Tue, Nov 13, 2012 at 2:34 PM, Justin Brookman <justin@cdt.org<mailto:justin@cdt.org>> wrote:
The working group has been using the term explicit and informed consent<http://www.w3.org/2011/tracking-protection/track/issues/143> to ensure that a user understands that they are performing a certain action (e.g., turning on DNT, or granting an exception to DNT), not to mandate a description of all the potential consequences of this action.  If I give my explicit and informed consent to Etsy to spend $500 on a one-of-a-kind Thundercats t-shirt, that should not require that Etsy provide me with information about the need to save for retirement or the fact that a Thundercats t-shirt may decrease my odds of attracting a suitable mate.

Would you support a parallel requirement that any request for a user-granted exception be accompanied by a link to a list of the parade of horribles that privacy advocates could generate about why they are concerned about third-party data collection?  Remember, the group previously agreed that we are going to be equally prescriptive when it comes to specifying how "explicit and informed" consent must be for both turning on DNT and granting exceptions to the signal.  That agreement was designed in part as a buffering mechanism against these sorts of impractical and heavy handed requirements.





Justin Brookman

Director, Consumer Privacy

Center for Democracy & Technology

1634 I Street NW, Suite 1100

Washington, DC 20006

tel 202.407.8812<tel:202.407.8812>

fax 202.637.0969<tel:202.637.0969>

justin@cdt.org<mailto:justin@cdt.org>

http://www.cdt.org<http://www.cdt.org/>

@CenDemTech

@JustinBrookman
On 11/13/2012 4:46 PM, David Wainberg wrote:
Hi Justin,

On 11/13/12 2:06 PM, Justin Brookman wrote:



but requiring disclosure about an unproven parade of horribles in advance is not something that a technical standards setting body should be contemplating.
I believe we've already agreed that the DNT signal should reflect the user's explicit and informed consent. Doesn't the informed piece of that equation require explanation of the effects of DNT? But I can see that if you do not believe that provisions in this spec will have negative effects for the internet and internet users, then you wouldn't see the need for informing users of such negative effects. So, what do we need to do to convince you? Once we're on common ground about that, then maybe we can have a more productive conversation about how best to inform users.

-David








David Singer
Multimedia and Software Standards, Apple Inc.


David Singer
Multimedia and Software Standards, Apple Inc.


David Singer
Multimedia and Software Standards, Apple Inc.


David Singer
Multimedia and Software Standards, Apple Inc.

Received on Friday, 16 November 2012 18:05:59 UTC