RE: ISSUE-45 ACTION-246: draft proposal regarding making a public compliance commitment

Rigo,

The sticking point for me is "serve as an orientation for authorities what the industry has considered to be reasonable".  The direction and discussion lately has not moved in this direction and we're now reconsidering proposals that we thought had been agreed to in Seattle.  IF the outcome is one that "industry has considered to be reasonable" then all Servers would reply with a compliance tag of "W3C".  Allowing an option here ensures that what is actually implemented will also actually "serve as an orientation for authorities what the industry has considered to be reasonable."

- Shane

-----Original Message-----
From: Rigo Wenning [mailto:rigo@w3.org] 
Sent: Wednesday, September 05, 2012 11:49 AM
To: public-tracking@w3.org
Cc: Shane Wiley; Justin Brookman
Subject: Re: ISSUE-45 ACTION-246: draft proposal regarding making a public compliance commitment

Shane, 

On Wednesday 05 September 2012 09:54:22 Shane Wiley wrote:
> Rob and Rigo - please feel free to chime in here.

you were calling for it!

IMHO, we do not need a "public commitment" if we require a response header, which is a personalized commitment. And the WKL is even a public commitment. Without such a response, the DNT-header is just wishful thinking conveyed to the world. By sending

tracking-v = "1"

you IMHO semantically send a variable that contains a commitment to the requirements of the Compliance Spec.

David mainly suggests that the Server returns a (P3P :) Policy on a DNT request. And Ed says, the UA may in this case decide what to do (block, transform cookies into session cookies etc). This makes DNT as complex as P3P is. I thought the goal was to make something easy, lean and predictable that people may or may not use. So I'm siding with Justin. The DNT-Protocol is not made for policy interaction as it starts with a user-preference and would need another round trip to complete: 

User -> DNT:1
Service: -> ackFU
User: -> GET ackFU
User: (ackFU | blockU | walkU)
(I wonder what the meaning of sending DNT:1 in this protocol is)

For the EU, IMHO the compliance document still plays a role as it will serve as an orientation for authorities what the industry has considered to be reasonable. And this will influence decisions. As I said on the call, IMHO the DPAs are looking for usable data protection for the internet context. But it is also clear that if the level of protection is watered down to almost zero, they will not follow. 

Rigo

Received on Wednesday, 5 September 2012 20:50:45 UTC