- From: Justin Brookman <justin@cdt.org>
- Date: Tue, 09 Apr 2013 18:37:44 -0400
- To: public-tracking@w3.org
- Message-ID: <51649838.7000704@cdt.org>

I agree (and have previously argued) that there is a strong argument that the level of prescriptiveness for consent should be *greater* for a party seeking an exception to a stated preference expression than for the setting of that preference in the first place. But in the Washington meeting, I thought the sense of the room was that the two should at least be equivalent. Perhaps this is reflected in the minutes; I have also written approximately 100 emails on the topic, mostly in the first half of last year, which I do not have the capacity to pore through at the moment --- there may be details in there from my discussions with Roy, Shane, and others.

Justin Brookman
Director, Consumer Privacy
Center for Democracy & Technology
tel 202.407.8812
justin@cdt.org
http://www.cdt.org
@JustinBrookman
@CenDemTech

On 4/9/2013 6:30 PM, Jonathan Mayer wrote:
> Justin,
>
> When did the group agree to link the level of generality in
> requirements on browser and exception user interface?
>
> In my view, there's no reason browser and website requirements should
> be symmetrical. Browsers and websites have very different incentives
> and capabilities with respect to offering consumer transparency and
> control.
>
> Best,
> Jonathan
>
> On Tuesday, April 9, 2013 at 2:26 PM, Justin Brookman wrote:
>
>> Who is presenting the language on user interface? The group had
>> previously agreed that the degree of specificity on user agent
>> presentation of DNT options should also be mirrored in presentation
>> requirements for exception requests. So if we're requiring "clear
>> and conspicuous" presentation and an explanatory link for turning DNT
>> on in the first place, we're also going to have to require the same
>> for parties seeking to get permission to ignore a DNT:1 signal.
>>
>> Justin Brookman
>> Director, Consumer Privacy
>> Center for Democracy & Technology
>> tel 202.407.8812
>> justin@cdt.org
>> http://www.cdt.org
>> @JustinBrookman
>> @CenDemTech
>>
>> On 4/9/2013 4:59 PM, Peter Swire wrote:
>>>
>>> (Very roughly, first half on compliance spec and second half on TPE
>>> spec.)
>>>
>>> ---------------------------
>>>
>>> Administrative
>>>
>>> ---------------------------
>>>
>>> *_1. Confirmation of scribe_* – glad to accept volunteer -- no
>>> volunteer thus far.
>>>
>>> *_2. Offline-caller-identification:_*
>>>
>>> If you intend to join the phone call, you must either associate your
>>> phone number with your IRC username once you've joined the call
>>> (command: "Zakim, [ID] is [name]" e.g., "Zakim, ??P19 is schunter"
>>> in my case), or let Nick know your phone number ahead of time. If
>>> you are not comfortable with the Zakim IRC syntax for associating
>>> your phone number, please email your name and phone number to
>>> npdoty@w3.org. We want to reduce (in fact,
>>> eliminate) the time spent on the call identifying phone numbers.
>>> Note that if your number is not identified and you do not respond to
>>> off-the-phone reminders via IRC, you will be dropped from the call.
>>>
>>> ---------------------------
>>>
>>> Compliance Spec – Peter Swire
>>>
>>> ---------------------------
>>>
>>> *_3. User education/ User interface._*
>>>
>>> *Proposed Text:*
>>>
>>> *5. User Agent Compliance*
>>>
>>> A user agent /MUST/ offer a control to express a tracking preference
>>> to third parties. The control /MUST/ communicate the user's
>>> preference in accordance with the [/TRACKING-DNT/
>>> <http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#bib-TRACKING-DNT>]
>>> recommendation and otherwise comply with that recommendation.
>>> A user agent /MUST NOT/ express a tracking preference for a user unless the
>>> user has given express and informed consent to indicate a tracking
>>> preference.
>>>
>>> While we do not specify how tracking preference choices are offered
>>> to the user or how the preference is enabled, each implementation
>>> MUST follow the following user interface guidelines:
>>>
>>> 1. The User Agent is responsible for determining the user
>>> experience by which a tracking preference is enabled. For example, a
>>> user might select a check-box in their user agent's configuration,
>>> or install an extension or add-on that is specifically designed to
>>> add a tracking preference expression so long as the checkbox,
>>> extension or add-on otherwise follows these user interface guidelines;
>>>
>>> 2. The User Agent MUST ensure that the tracking preference
>>> choices are communicated to users clearly and conspicuously, and
>>> shown at the time and place the tracking preference choice is made
>>> available to a user;
>>>
>>> 3. The User Agent MUST ensure that the tracking preference
>>> choices accurately describe DNT, including the parties to whom DNT
>>> applies, and MUST make available via a link in explanatory text
>>> where DNT is enabled to provide more detailed information about DNT
>>> functionality.
>>>
>>> Non-Normative:
>>>
>>> The User Agent plays a key role in enacting the DNT functionality.
>>> As a result, it is appropriate for the User Agent to play an equally
>>> key role in describing DNT functionality and educating users about
>>> DNT in order for this standard to be meaningful.
>>>
>>> While the user interface guidelines do not specify the exact
>>> presentation to the user, they are intended to help ensure that
>>> users understand their choices with respect to DNT.
>>> For example, outlining the parties (e.g., First Parties, Service Providers, Third
>>> Parties) to whom DNT applies and using language that a reasonable user
>>> is likely to understand is critical for ensuring that users are in
>>> position to provide their informed consent to a tracking preference.
>>>
>>> Moreover, as DNT functionality is complex, it is important that User
>>> Agents educate users about DNT, including but not limited to
>>> offering a clearly described link that takes the user to additional
>>> information about DNT functionality. For example, given that some
>>> parties may choose not to comply with DNT, it would be helpful for
>>> browsers to educate users about how to check the response header
>>> and/or tokens to see if a server is responding with a “public
>>> commitment” of compliance.
>>>
>>> Finally, recognizing that DNT settings may be set by non-browser
>>> User Agents acting in violation of the user interface guidelines,
>>> the browsers should take reasonable steps to ensure that DNT
>>> settings are valid.
>>>
>>> *_4. ACTION-373: Append._* Text proposed by John Simpson and Alan
>>> Chapell, with concurrence by Jeff Chester. Clarifications to list in
>>> emails by John Simpson April 8 and Peter Swire April 9. Peter Swire
>>> circulated a background memo on April 9.
>>>
>>> /Normative:/
>>>
>>> /When DNT:1 is received:/
>>>
>>> /-- A 1st Party MUST NOT combine or otherwise use identifiable data
>>> received from another party with data it has collected while a 1st
>>> Party./
>>>
>>> /-- A 1st Party MUST NOT share identifiable data with another party
>>> unless the data was provided voluntarily by the user and is
>>> necessary to complete a business transaction with the user./
>>>
>>> /-- A Party MUST NOT use data gathered while a 1st Party when
>>> operating as a 3rd Party./
>>>
>>> /Non-Normative:/
>>>
>>> When DNT:1 is received, a 1st Party retains the ability to customize
>>> content, services, and advertising only within the context of the
>>> first party experience. A 1st party takes the user interaction
>>> outside of the 1st party experience if it receives identifiable data
>>> from another party and uses that data for customization of content,
>>> services, or advertising.
>>>
>>> When DNT:1 is received the 1st Party may continue to utilize user
>>> provided data in order to complete or fulfill a user initiated
>>> business transaction such as fulfilling an order for goods or a
>>> subscription.
>>>
>>> When DNT:1 is received and a Party has become a 3rd Party it is
>>> interacting with the user outside of the 1st Party experience.
>>> Using data gathered while a 1st party is incompatible with
>>> interaction as a third party.
>>>
>>> Chris Pedigo gave five examples on data append in September, 2012,
>>> which are useful to consider in light of the proposed language:
>>>
>>> http://www.w3.org/2011/tracking-protection/track/actions/229
>>>
>>> ---------------------------
>>>
>>> TPE Spec – Matthias Schunter
>>>
>>> ---------------------------
>>>
>>> *_5. Restructuring the response indicators._* We currently discuss
>>> the following three fields:
>>>
>>> - Optional Prefix "!" (I do not conform and I do not claim that
>>> whatever letters follow this sign are correct)
>>>
>>> - Tracking Status
>>>
>>> 1, 3, ...
>>>
>>> - Permitted uses:
>>>
>>> C(onsent), ...
>>>
>>> *_6. ISSUE-187 Discuss Site Requirements Consent_*
>>>
>>> One general concern related to exceptions in general was that sites
>>> register exceptions while neither the browser (in the old model) nor
>>> the site (in the new model) gather consent in a reliable way. Our
>>> current TPE spec states in Section 6.3.1:
>>>
>>> The call to store an exception /MUST/ reflect the user's intention
>>> to grant an exception, at the time of the call. This intention
>>> /MUST/ be determined by the site prior to each call to store an
>>> exception, at the time of the call. (This allows the user to change
>>> their mind, and delete a stored exception, which might then trigger
>>> the site to explain, and ask for, the exception again). It is the
>>> responsibility solely of the site making the call to determine that
>>> a call to record an exception reflects the user's informed consent
>>> at the time of the call.
>>>
>>> Jonathan proposed these three requirements that refine this language
>>> and that I would like to gather feedback on:
>>>
>>> 1) Actual presentation: The choice mechanism MUST be actually
>>> presented to the user. It MUST NOT be on a linked page, such as a
>>> terms of service or privacy policy.
>>>
>>> 2) Independent choice: The choice mechanism MUST be presented
>>> independent of other choices. It MUST NOT be bundled with other user
>>> preferences.
>>>
>>> 3) No default permission: The choice mechanism MUST NOT have the
>>> user permission preference selected by default.
>>>
>>> (From http://lists.w3.org/Archives/Public/public-tracking/2012Apr/0004.html
>>> )
>>>
>>> *_7. Steps towards the next working draft._*
>>>
>>> Discuss what needs to be updated before publishing our next TPE
>>> working draft.
>>>
>>> I have previously preferred distinguishing "who I am" from "how I am
>>> operating", and I feel that having C and !
>>> as 'status' indicators rather than qualifiers means that I can no longer
>>> tell whether I am interacting with someone who adheres to 1st or 3rd party
>>> constraints. So I agree, rather than C or ! as the first character, I
>>> think that
>>>
>>> 1C -- content produced under first party rules with consent
>>>
>>> 3C -- third party under 3rd party rules with consent
>>>
>>> *_8. Announce next meeting & adjourn_*
>>>
>>> ================ Infrastructure =================
>>>
>>> Zakim teleconference bridge:
>>>
>>> VoIP: sip:zakim@voip.w3.org
>>>
>>> Phone +1.617.761.6200 passcode TRACK (87225)
>>>
>>> IRC Chat: irc.w3.org, port 6665, #dnt
>>>
>>> *****
>>>
>>> Professor Peter P. Swire
>>> C. William O'Neill Professor of Law
>>> Ohio State University
>>> 240.994.4142
>>> www.peterswire.net

Received on Tuesday, 9 April 2013 22:38:13 UTC