FW: Intermediaries interfering with DNT decision making

The exception API could be amended slightly to make the UA pop up a UI if
DNT is unset. In jurisdictions needing explicit consent (like EU),
publishers could be required by regulators to use that form of the API (i.e.
if DNT is unset then ask the user how they want to handle it, e.g. leave it
unset or specify 1 or 0). 

This would give EU regulators the ability to use DNT as a consent mechanism
(which could even be page specific) which would be very helpful for
publishers here, and may give Microsoft a way to defuse the argument. As
part of their install the default homepage could implement the (amended)
exception API.

Mike


-----Original Message-----
From: Roy T. Fielding [mailto:fielding@gbiv.com] 
Sent: 13 September 2012 00:19
To: rob@blaeu.com
Cc: public-tracking@w3.org
Subject: Re: Intermediaries interfering with DNT decision making

On Sep 12, 2012, at 2:03 PM, Rob van Eijk wrote:

> From an EU perspective, the legal analysis of the express flow of IE-10 at
> install/update is not part of the scope of the DNT standard. If the express
> flow meets the criteria of consent in the EU, it will be a valid expression
> of user's consent, likewise if it does not meet the criteria of consent in
> the EU, it won't.

The criteria for consent in the EU is pretty clear that a user never
informed of the choice has never given consent.  Would you disagree?
It is also pretty clear, at least by the WP statements, that the consent has
to be explicit.

> It is not up to a server to do its own legal assertion of the validity of
> a user's wishes. My conclusion is, that based on the DNT standard alone, it
> is impossible to claim that IE-10 is a non-compliant UA, stemming from a DNT
> setting that is on by default.

Then why do we have any requirements in the specification?  If it is WG
opinion that a user agent can do whatever it likes and the server just has
to accept it as fact, then we are done here.  DNT is DOA.

> The current text was indeed intended for user agents. No disagreement
> there. I propose to extend it to servers as well. In a dialogue there are
> two roles: senders and receivers. User agents and servers switch these roles
> frequently in a dialogue. I do not see a possibility for a meaningful DNT
> dialogue between user agent and server if the server that claims to be DNT
> compliant can drop a DNT signal at will.

I agree with that.

> An HTTP endpoint must also be held accountable to the DNT signal. I think
> it is important to not lose sight of an important function of DNT, which is
> that DNT is an important technical building block for a meaningful DNT dialog
> between user agent and server. That dialogue starts with the expression of a
> user's personal preference and includes the response on a server without
> discriminating user agents able to talk DNT.

I agree with that also.  It depends on the user's personal preference, and
servers will not indicate compliance with a standard that allows user agents
to lie about the user's preference.  The goal here, naturally, is to find a
way for servers to comply that doesn't require further legislation.

> Bottom line is that in my opinion a server must respect the DNT signal, if
> it stems from a user agent capable of talking DNT. Asserting IE-10's legal
> validity of a valid expression of the user's wishes is irrelevant.

A general purpose user agent that has not asked the user for their
preference is not capable of talking DNT.  HTTP semantics are important, and
the only way to ensure that user agents respect them is if the server has
the ability to say "no, you'll have to indicate preferences via some other
means because your UA is broken".
Otherwise, every UA will be broken in short order.

....Roy

Received on Thursday, 13 September 2012 11:07:57 UTC