Re: ISSUE-45 ACTION-246: draft proposal regarding making a public compliance commitment


I'm reluctant to explain, because people feel like I sound like a 
broken record before the understanding comes. I had that experience 
in past research projects. Keep that in mind. I doubt we should 

On Thursday 06 September 2012 11:13:16 Shane Wiley wrote:
> Could you explain why a Server couldn't respond to a DNT:1 signal
> with the compliance regime they are upholding in the context of
> honoring that user's DNT:1 signal?

You get the answer by translating the signals exchanged back into a 
human-readable context. The DNT protocol starts with a user 
preference expression. The compliance document fills in the content of 
that preference expression. "DNT:1" as a string is rather 
meaningless without the assumption that it expresses the user's 
expectation that a service complies with the things given in the 
compliance specification. The service can only respond ack or nack 
to that. Every other response is actually a new offer for a 
different agreement. In other words, you enter into a new 
negotiation. Now the service has not accepted the terms offered by 
the user and offers new terms (DNT:1 OBA). In this case, the user 
would respond that his preference is DNT:1 GER. This will give you 
so many semantic mismatches that it will end in a meaningless 
exchange of messages. The French call it a dialogue of the deaf. 

> If a user in the UK sends a DNT:1 signal to a Server in Ireland,
> couldn't the Server reply to the DNT:1 that it is both honoring
> the DNT:1 signal and following the EDAA code of conduct to do so?
>  How does this break EU law?

What we do here is very independent of EU law. We take EU law into 
account to provide a useful tool that EU law can take up to 
accomplish things in certain areas (consent expression). But DNT 
itself is not a means to express compliance with EU law, because it 
starts with the user preference, because EU data protection law 
is too complex to express compliance in a simple tool like DNT, and 
because the user preference is the center of all our considerations. 

If compliance and followed practice are at the center of our 
attention, we would start the protocol by having the service state 
its followed practices to the user. That's P3P. The fundamental 
difference is the starting point. In DNT, the service has a choice 
whether or not to continue the interaction under the user's 
preference. In a compliance regime ("we follow OBA") the user has to 
get information to be able to choose whether to continue or not. The 
latter is the third step in DNT, which we call the exception mechanism. 

So if you want to express compliance other than "I honor the user's 
well-defined preference", we have to change the protocol to have the 
service start the exchange. We may marry both in the future. We did 
P3P 10 years ago (and times have changed). Now let's do DNT and 
only then marry the two. David's attempt to marry them now is 
technologically unwise and complicates a situation that is already so 
complex that often even experts have trouble fully understanding 
what this is all about. So one thing at a time please... 


Received on Thursday, 6 September 2012 19:51:21 UTC
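An added example, not part of the thread and not W3C code, that models the three-step exchange the reply above describes: the user's preference expression, the service's ack or nack (anything else being a counter-offer), and the exception step where only an explicit user grant accepts a different regime. The message shapes, the `service` policy strings, the `Preference`/`Reply` names and the bounded-round loop are assumptions for illustration; the "DNT:1", "OBA" and "GER" labels are the thread's own.

```python
# Constructed model of the DNT negotiation described in the thread.
# Not W3C code; wire shapes, policy strings and round limit are assumed.
from dataclasses import dataclass
from typing import Optional, List, Tuple


@dataclass(frozen=True)
class Preference:
    """Step 1: the user's preference expression (assumed shape)."""
    dnt: str = "DNT:1"
    regime: Optional[str] = None  # e.g. "GER" in the thread's example


@dataclass(frozen=True)
class Reply:
    """Step 2: the service's reply. Only "ack"/"nack" answer the user's
    offer; any other status is a counter-offer for different terms."""
    status: str
    regime: Optional[str] = None


def service(pref: Preference, policy: str) -> Reply:
    """Assumed service behaviour: 'honor' acks, 'refuse' nacks, and
    'counter:<REGIME>' replies with the service's own compliance regime."""
    if policy == "honor":
        return Reply("ack")
    if policy == "refuse":
        return Reply("nack")
    if policy.startswith("counter:"):
        return Reply("offer", policy.split(":", 1)[1])
    raise ValueError(f"unknown policy {policy!r}")


def classify(pref: Preference, reply: Reply, exceptions: frozenset) -> str:
    """Client-side reading of a reply relative to the user's preference.

    A counter-offer counts as accepted only if the user explicitly granted
    an exception for that regime (step 3). Otherwise the client must not
    treat the service's self-declared regime as honouring DNT:1.
    """
    if reply.status == "ack":
        return "honored"
    if reply.status == "nack":
        return "declined"
    if reply.regime is not None and reply.regime in exceptions:
        return "exception"
    return "mismatch"


def negotiate(pref: Preference, policy: str, exceptions: frozenset = frozenset(),
              max_rounds: int = 3) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Run the exchange and return (outcome, transcript).

    The user re-sends the same preference every round, because in DNT the
    preference is the starting point; the service keeps answering under its
    own policy. Without an ack, a nack or a granted exception the exchange
    never converges: the 'dialogue of the deaf' from the thread.
    """
    transcript = []
    for _ in range(max_rounds):
        reply = service(pref, policy)
        outcome = classify(pref, reply, exceptions)
        sent = pref.dnt + (f" {pref.regime}" if pref.regime else "")
        got = reply.status + (f" {reply.regime}" if reply.regime else "")
        transcript.append((sent, got, outcome))
        if outcome != "mismatch":
            return outcome, transcript
    return "no-agreement", transcript


if __name__ == "__main__":
    for policy in ("honor", "refuse", "counter:OBA"):
        outcome, log = negotiate(Preference(regime="GER"), policy)
        print(policy, "->", outcome, log)
```

Running the module prints one line per service policy; the "counter:OBA" case shows the repeated DNT:1 GER / offer OBA mismatch ending in "no-agreement", while passing `frozenset({"OBA"})` as `exceptions` turns the same reply into an accepted exception.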