- From: Rigo Wenning <rigo@w3.org>
- Date: Thu, 06 Sep 2012 21:50:54 +0200
- To: Shane Wiley <wileys@yahoo-inc.com>
- Cc: "public-tracking@w3.org" <public-tracking@w3.org>, David Wainberg <david@networkadvertising.org>, "Grimmelmann, James" <James.Grimmelmann@nyls.edu>
Shane,

I'm reluctant to explain, because people feel like I sound like a broken record before the understanding comes. I had that experience in past research projects. Keep that in mind. I doubt we should phone.

On Thursday 06 September 2012 11:13:16 Shane Wiley wrote:
> Could you explain why a Server couldn't respond to a DNT:1 signal
> with the compliance regime they are upholding in the context of
> honoring that user's DNT:1 signal?

You get the answer by translating the signals exchanged back into a human-readable context. The DNT protocol starts with a user preference expression. The compliance document fills in the content of that preference expression. "DNT:1" as a string is rather meaningless without the assumption that it expresses the user's expectation that a service complies with the things given in the compliance specification. The Service can only respond ack or nack to that. Every other response is actually a new offer for a different agreement. In other words, you enter into a new negotiation. Now the Service has not accepted the terms offered by the User and offers new terms (DNT:1 OBA). In this case, the user would respond that his preference is DNT:1 GER. This will give you so many semantic mismatches that it will end in a meaningless exchange of messages. The French call it a dialogue of the deaf.

> If a user in the UK sends a DNT:1 signal to a Server in Ireland,
> couldn't the Server reply to the DNT:1 that it is both honoring
> the DNT:1 signal and following the EDAA code of conduct to do so?
> How does this break EU law?

What we do here is very independent of EU law. We take EU law into account to provide a useful tool that EU law can take up to accomplish things in certain areas (consent expression). But DNT itself is not a means to express compliance with EU law, because it starts with the user preference, and because EU data protection law is too complex to express compliance in a simple tool like DNT. And because the user preference is the center of all our considerations.

If compliance and followed practice were at the center of our attention, we would start the protocol by having the service state its followed practices to the user. That's P3P. The fundamental difference is the starting point. In DNT, the service has a choice whether or not to continue the interaction under the user's preference. In a compliance regime ("we follow OBA") the user has to get information to be able to choose whether to continue or not. The latter is the third step in DNT, which we call the exception mechanism.

So if you want to express compliance other than "I honor the user's well-defined preference", we have to change the protocol to have the service start the exchange. We may marry both in the future. We did P3P 10 years ago (and times have changed). Now let's do DNT and only then marry the two. David's attempt to marry them now is technologically unwise and complicates a situation that is already so complex that often even experts have trouble fully understanding what this is all about.

So one thing at a time please...

Rigo
Received on Thursday, 6 September 2012 19:51:21 UTC