Re: ISSUE-45 ACTION-246: draft proposal regarding making a public compliance commitment

(wow, you guys can write a lot of emails while I am trying to keep up on editing and other tasks! :-()

On Sep 5, 2012, at 9:22 , Ed Felten <ed@felten.com> wrote:

> It wouldn't make sense to allow servers to create their own definitions of compliance, and at the same time to require UAs to treat all of those definitions as equivalent.   
> 

I agree.  I think our specification should 'stand alone' and the signals, responses, and so on, should make statements merely within the context of the W3C documents.  It is up to regulators to tell companies how they indicate compliance with (presumably voluntary) regulations.  (I say 'presumably voluntary' because if the regulation is mandatory, then your continued operation in that jurisdiction is enough to indicate compliance.)


I don't mind it if the server wants to make an *additional* statement (not only do I comply with the specification, but also the requirements of <these jurisdictions or organizations>), but I am not sure I see any value in that being machine-readable, and it could become unmanageable.  Why is this not a matter for public statements, privacy policies, and so on?


The only reason I have heard for any weaker semantics to the WKR and response header is for some way for a site to say "we're working on this and we're not done yet" (which is quite reasonable).  For that, it's dead simple to add a qualifier to indicate "work-in-progress permission".


On Sep 5, 2012, at 13:01 , Shane Wiley <wileys@yahoo-inc.com> wrote:

> John,
>  
> I agree the charter has cornered the working group into developing a compliance and scope document but it doesn’t force us to mandate application of the TPE against that document – hence the request for an optional field to convey to users which compliance standard a Server is following.  While I’m still hopeful we arrive at a W3C C&S document that will be highly implemented (and continue to personally invest considerable time and energy towards that goal), there are already significant issues developing and the C&S document isn’t addressing EU concerns directly.  If the W3C C&S document is one that we feel industry will voluntarily implement (this is a voluntary standard) then there should be little concern here.

Of course the W3C document is a voluntary standard, but it should be 'self-standing' and clear what it means.  That's why the TPE and compliance are tied together (and why compliance should be a flexible but simple concept).

Other organizations are free to develop additional or competing specifications, of course.  And I am sure we would be open to explicit requests to be able to signal specific additional compliance, once we got them and understood them.



If we allow servers to respond "I mean DNT as defined in Zimbabwe" then we need to allow user-agents to ask "I mean don't track me as tracking is defined in Somalia (where enforcement is the local militia)".  We really really don't want such a complex negotiation.  Truly.


> Thanks so much for this. You've pointed out an important misunderstanding that may have fanned the flames of concern over this proposal. As often happens, I was not as clear as I could have been. The intent was definitely not a proliferation of tokens to indicate a variety of practices, but rather a limited set to identify a small number of flavors of DNT. Also, it was not intended to allow a single organization to claim multiple versions of DNT (except in the case where they might be operating in multiple jurisdictions and would need to distinguish for various users and/or sites). So, yes, your conjecture about a more limited set is absolutely right on. And it would not be a general purpose tool, as it would be solely related to expressing and honoring a user's DNT choice.

Can I clarify:  did you mean (as some are opposing) that this extra signal supplies an *alternative* to the compliance in the W3C document, or serves as an *additional* signal of precise (other body) or regulatory compliance?  If it serves as the latter, having the server indicate "to be absolutely clear, I not only comply with W3C DNT, but also with what the IAB additionally specifies and clarifies, and with the requirements that EU law places on that signal", I think a lot of us could calm down, and it would probably be OK.

(As a spec writer, I note we'd have to find a registration authority for the tokens to denotate these additional documents, or use a non-registration form (which tend to be things like URLs, and long).)


David Singer
Multimedia and Software Standards, Apple Inc.

Received on Friday, 7 September 2012 18:16:19 UTC