Re: ISSUE-45 ACTION-246 Clarified proposal on compliance statements


On Tuesday 09 October 2012 16:01:21 Ed Felten wrote:
> Second, do you envision some body that decides which compliance
> tokens are valid? If so, who might that be? If not, how do
> you prevent people from making up their own new compliance
> tokens?

I love registries (many in the Team don't like them) because they 
are the point where the Internet enables one to print money. So I 
would suggest W3C sets up such a registry of DNT tokens and takes 
the same price as the browsers take for SSL root certification. That 
prevents a proliferation of tokens and solves W3C's short-term 
financial issues. </joke>

Accepting other tokens just means that any kind of entity can set up 
their own. There is no quality requirement or consumer participation 
requirement whatsoever. 

Additionally, having multiple compliance tokens creates the risk of 
races to the bottom or races to the top. We had discussions about 
the status response called "N". And the industry was raving against 
that because it creates "SuperDNT". Taking this thought further, Rob 
could just make an EU-DNT and require it for all safe-harbour 
companies. Such a thing would not be a "SuperDNT", but a "HyperDNT" 
as it would participate in the safe harbour enforcement regime. 

So to all of those who are looking for the tech-specification with 
their own regime, let me tell them that there is a real and present 
risk that using W3C only to point to one's own compliance regime can 
seriously backfire. Having one compliance specification means we 
know what we get and we all found out under a fair process (I don't 
want to dismiss the DAA process, but it wasn't global). Lacking 
this, it may go terribly wrong for one or the other side. I would be 
really reluctant to go down that route. 



Received on Tuesday, 16 October 2012 16:49:20 UTC