Re: ISSUE-45 ACTION-246: draft proposal regarding making a public compliance commitment

Rigo,

I always appreciate your thoughtful analyses. However, this analysis 
assumes DNT is a mechanism for negotiating consent. I do not see it that 
way. It is, rather, a mechanism for communicating a user's preference. 
DNT:1 is a user's preference, not an offer in a contract negotiation. 
The communication back regarding how the server honors that preference 
(or doesn't) provides transparency, and, as raised in ISSUE-45, a 
"regulatory hook."

-David

On 9/6/12 3:50 PM, Rigo Wenning wrote:
> Shane,
>
> I'm reluctant to explain, because people feel like I sound like a
> broken record before the understanding comes. I had that experience
> in past research projects. Keep that in mind. I doubt we should
> phone.
>
> On Thursday 06 September 2012 11:13:16 Shane Wiley wrote:
>> Could you explain why a Server couldn't respond to a DNT:1 signal
>> with the compliance regime they are upholding in the context of
>> honoring that user's DNT:1 signal?
> You get the answer by translating the signals exchanged back into a
> human readable context. The DNT protocol starts with a user
> preference expression. The compliance document fills the content of
> that preference expression. "DNT:1" as a string is rather
> meaningless without the assumption that it expresses the user's
> expectation that a service complies with the things given in the
> compliance Specification. The Service can only respond ack or nack
> to that. Every other response is actually a new offer for a
> different agreement. In other words, you enter into a new
> negotiation. Now the Service has not accepted the terms offered by
> the User and offers new terms (DNT:1 OBA). In this case, the user
> would respond that his preference is DNT:1 GER. This will give you
> so many semantic mismatches that it will end in a meaningless
> exchange of messages. The French call it a dialogue of the deaf.
>> If a user in the UK sends a DNT:1 signal to a Server in Ireland,
>> couldn't the Server reply to the DNT:1 that it is both honoring
>> the DNT:1 signal and following the EDAA code of conduct to do so?
>> How does this break EU law?
> What we do here is very independent of EU Law. We take EU Law into
> account to provide a useful tool that EU Law can take up to
> accomplish things in certain areas (consent expression). But DNT
> itself is not a means to express compliance with EU Law, because it
> starts with the user preference, because EU data protection law
> is too complex to express compliance in simple tools like DNT, and
> because the user preference is the center of all our considerations.
>
> If compliance and followed practice were at the center of our
> attention, we would start the protocol by having the service state
> its followed practices to the user. That's P3P. The fundamental
> difference is the starting point. In DNT, the service has a choice
> whether or not to continue the interaction under the user's
> preference. In a compliance regime ("we follow OBA") the user has to
> get information to be able to choose whether to continue or not. The
> latter is the third step in DNT, which we call the exception mechanism.
>
> So if you want to express compliance other than "I honor the user's
> well defined preference", we have to change the protocol to have the
> service start the exchange. We may marry both in the future. We have
> done P3P 10 years ago (and times have changed). Now let's do DNT and
> only then marry the two. David's attempt to marry them now is
> technologically unwise and complicates a situation that is already so
> complex that often even experts have trouble fully understanding
> what this is all about. So one thing at a time, please...
>
> Rigo
>

Received on Thursday, 6 September 2012 20:08:38 UTC