W3C home > Mailing lists > Public > public-tracking@w3.org > September 2012

Re: ISSUE-45 ACTION-246: draft proposal regarding making a public compliance commitment

From: Ed Felten <ed@felten.com>
Date: Thu, 6 Sep 2012 17:59:57 -0400
Message-ID: <CANZBoGiuuHCUQon-G-NyeP1aXY+i-u-OUziVJf0xnW0-NBpU-g@mail.gmail.com>
To: David Wainberg <david@networkadvertising.org>
Cc: "public-tracking@w3.org" <public-tracking@w3.org>
It seems to me that a DNT standard that allows an arbitrary variety of
server compliance regimes may end up as a de facto negotiation
protocol--but one that serves the interests of servers poorly.   Assuming
that the user finds some server responses to be "good enough" and others
not, the user (or UA on the user's behalf) might refrain from interacting
with servers that send "not good enough" responses, or might treat those
servers differently e.g. by blocking their third-party cookies.   This
scenario amounts to a sort of negotiation between the user and the site.
 But the negotiation uses a protocol in which the server has to guess which
compliance regime the user will find to be "good enough", because the
protocol gives the user no obvious way to tell the server what the user
considers to be "good enough".   All the server knows when it gets DNT:1 is
that the user is asking for some unspecified kind of compliance regime.

On the other hand, if we stick with a single meaning of compliance, defined
by the standard, then it is clear what the user is asking for when they
send DNT:1.

(To be clear, I am not arguing that the WG should try to turn DNT into a
negotiation protocol.)

On Thu, Sep 6, 2012 at 4:08 PM, David Wainberg <david@networkadvertising.org
> wrote:

> Rigo,
> I always appreciate your thoughtful analyses. However, this analysis
> assumes DNT is a mechanism for negotiating consent. I do not see it that
> way. It is, rather, a mechanism for communicating a user's preference.
> DNT:1 is a user's preference, not an offer in a contract negotiation. The
> communication back regarding how the server honors that preference (or
> doesn't) provides transparency, and, as raised in ISSUE-45, a "regulatory
> hook."
> -David
> On 9/6/12 3:50 PM, Rigo Wenning wrote:
>> Shane,
>> I'm reluctant to explain, because people feel like I sound like a
>> broken record before the understanding comes. I had that experience
>> in the past research projects. Keep that in mind. I doubt, we should
>> phone.
>> On Thursday 06 September 2012 11:13:16 Shane Wiley wrote:
>>> Could you explain why a Server couldn't respond to a DNT:1 signal
>>> with the compliance regime they are upholding in the context of
>>> honoring that user's DNT:1 signal?
>> You get the answer by translating the signals exchanged back into a
>> human readable context. The DNT protocol starts with a user
>> preference expression. The compliance document fills the content of
>> that preference expression. "DNT:1" as a string is rather
>> meaningless without the assumption that it expresses the user's
>> expectation that a service complies with the things given in the
>> compliance Specification. The Service can only respond ack or nack
>> to that. Every other response is actually a new offer for a
>> different agreement. In other words, you enter into a new
>> negotiation. Now the Service has not accepted the terms offered by
>> the User and offers new terms (DNT:1 OBA). In this case, the user
>> would respond that his preference is DNT:1 GER. This will give you
>> so many semantic mismatches that it will end in a meaningless
>> exchange of messages. The french call it dialog of the deaf.
>>> If a user in the UK sends a DNT:1 signal to a Server in Ireland,
>>> couldn't the Server reply to the DNT:1 that it is both honoring
>>> the DNT:1 signal and following the EDAA code of conduct to do so?
>>>   How does this break EU law?
>> What we do here is very independent of EU Law. We take EU Law into
>> account to provide a useful tool that EU Law can take up to
>> accomplish things in certain areas (consent expression). But DNT
>> itself is not a means to express compliance to EU Law. Because it
>> starts with the user preference. And because EU data protection law
>> is too complex to express compliance in a simple tools like DNT. And
>> because the user preference is the center of all our considerations.
>> If compliance and followed practice is in the center of our
>> attention, we would start the protocol by having the service stating
>> their followed practices to the user. That's P3P. The fundamental
>> difference is the starting point. In DNT, the service has a choice
>> whether or not to continue the interaction under the user's
>> preference. In a compliance regime (we follow OBA) the user has to
>> get information to be able to chose whether to continue or not. The
>> latter is the third step in DNT we call exception mechanism.
>> So if you want to express compliance other than "I honor the user's
>> well defined preference", we have to change the protocol to have the
>> service start the exchange. We may marry both in the future. We have
>> done P3P 10 years ago (and times have changed). Now lets do DNT and
>> only then marry the two. David's attempt to marry them now is
>> technologically unwise and complexes a situation that is already so
>> complex that often even experts have trouble to fully understand
>> what this is all about. So one thing at a time please...
>> Rigo
Received on Thursday, 6 September 2012 22:00:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:39:00 UTC