- From: Alan Chapell <achapell@chapellassociates.com>
- Date: Tue, 09 Apr 2013 18:50:06 -0400
- To: Jonathan Mayer <jmayer@stanford.edu>
- CC: Justin Brookman <justin@cdt.org>, <public-tracking@w3.org>
- Message-ID: <CD8A134D.2E9D2%achapell@chapellassociates.com>
Sure will provide some additional thoughts in the morning. Alan From: Jonathan Mayer <jmayer@stanford.edu> Date: Tuesday, April 9, 2013 6:37 PM To: Alan Chapell <achapell@chapellassociates.com> Cc: Justin Brookman <justin@cdt.org>, <public-tracking@w3.org> Subject: Re: DNT: Agenda for April 10 call > > Alan, > > I think some practical examples would greatly assist in illustrating your > proposal. Would the current versions of Internet Explorer, Chrome, Firefox, > and Safari be compliant? If not, what alterations would be required? > > Thanks, > Jonathan > > > > > On Tuesday, April 9, 2013 at 3:26 PM, Alan Chapell wrote: > >> >> I'll be presenting the language with input from others. Once we reach >> consensus on this language I'd be happy to work with you on language for >> exception requests. >> >> >> From: Justin Brookman <justin@cdt.org> >> Date: Tuesday, April 9, 2013 5:26 PM >> To: <public-tracking@w3.org> >> Subject: Re: DNT: Agenda for April 10 call >> Resent-From: <public-tracking@w3.org> >> Resent-Date: Tue, 09 Apr 2013 21:26:58 +0000 >> >>> >>> >>> Who is presenting the language on user interface? The group had previously >>> agreed that the degree of specificity on user agent presentation of DNT >>> options should also be mirrored in presentation requirements for exception >>> requests. So if we're requiring "clear and conspicuous" presentation and an >>> explanatory link for turning DNT on in the first place, we're also going to >>> have to require the same for parties seeking to get permission to ignore a >>> DNT:1 signal. >>> >>> Justin Brookman >>> Director, Consumer Privacy >>> Center for Democracy & Technology >>> tel 202.407.8812 >>> justin@cdt.orghttp://www.cdt.org >>> @JustinBrookman >>> @CenDemTech >>> On 4/9/2013 4:59 PM, Peter Swire wrote: >>> >>>> >>>> >>>> >>>> >>>> >>>> (Very roughly, first half on compliance spec and second half on TPE spec.) >>>> >>>> >>>> >>>> >>>> >>>> >>>> --------------------------- >>>> >>>> >>>> Administrative >>>> >>>> >>>> --------------------------- >>>> >>>> >>>> >>>> >>>> >>>> 1. Confirmation of scribe glad to accept volunteer -- no volunteer thus >>>> far. >>>> >>>> >>>> >>>> >>>> >>>> 2. Offline-caller-identification: >>>> >>>> >>>> If you intend to join the phone call, youmusteither associate your phone >>>> number with your IRC username once you've joined the call (command: "Zakim, >>>> [ID] is [name]" e.g., "Zakim, ??P19 is schunter" in my case), or let Nick >>>> know your phone number ahead of time. If you are not comfortable with the >>>> Zakim IRC syntax for associating your phone number, please email your name >>>> and phone number to npdoty@w3.org. We want to reduce (in fact, eliminate) >>>> the time spent on the call identifying phone numbers. Note that if your >>>> number is not identified and you do not respond to off-the-phone reminders >>>> via IRC, you will be dropped from the call. >>>> >>>> >>>> >>>> >>>> >>>> --------------------------- >>>> >>>> >>>> Compliance Spec Peter Swire >>>> >>>> >>>> --------------------------- >>>> >>>> >>>> >>>> >>>> >>>> 3. User education/ User interface. >>>> >>>> >>>> >>>> >>>> >>>> Proposed Text: >>>> >>>> >>>> 5. User Agent Compliance >>>> >>>> >>>> A user agent MUST offer a control to express a tracking preference to third >>>> parties. The control MUST communicate the user's preference in accordance >>>> with the [TRACKING-DNT >>>> <http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html >>>> #bib-TRACKING-DNT> ] recommendation and otherwise comply with that >>>> recommendation. A user agent MUST NOT express a tracking preference for a >>>> user unless the user has given express and informed consent to indicate a >>>> tracking preference. >>>> >>>> >>>> >>>> >>>> >>>> While we do not specify how tracking preference choices are offered to the >>>> user or how the preference is enabled, each implementation MUST follow the >>>> following user interface guidelines: >>>> >>>> >>>> 1. The User Agent is responsible for determining the user experience by >>>> which a tracking preference is enabled. For example, a user might select a >>>> check-box in their user agent's configuration, or install an extension or >>>> add-on that is specifically designed to add a tracking preference >>>> expression so long as the checkbox, extension or add-on otherwise follows >>>> these user interface guidelines; >>>> >>>> >>>> 2. The User Agent MUST ensure that the tracking preference choices are >>>> communicated to users clearly and conspicuously, and shown at the time and >>>> place the tracking preference choice is made available to auser; >>>> >>>> >>>> 3. The User Agent MUST ensure that the tracking preference choices >>>> accurately describe DNT, including the parties to whom DNT applies, and >>>> MUST make available via a link in explanatory text where DNT is enabled to >>>> provide more detailed information about DNT functionality. >>>> >>>> >>>> >>>> >>>> >>>> Non-Normative: >>>> >>>> >>>> >>>> >>>> >>>> The User Agent plays a key role in enacting the DNT functionality. As a >>>> result, it is appropriate for the User Agent to play an equally key role in >>>> describing DNT functionality and educating users about DNT in order for >>>> this standard to be meaningful. >>>> >>>> >>>> >>>> >>>> >>>> While the user interface guidelines do not specify the exact presentation >>>> to the user, they are intended to help ensure that users understand their >>>> choices with respect to DNT. For example, outlining the parties (e.g., >>>> First Parties, Service Providers, Third Parties) to whomDNTapplies and >>>> using language that a reasonable user is likely to understand is critical >>>> for ensuring that users are in position to provide their informed consent >>>> to a tracking preference. >>>> >>>> >>>> >>>> >>>> >>>> Moreover, as DNT functionality is complex, it is important that User Agents >>>> educate users about DNT, including but not limited to offering a clearly >>>> described link that takes the user to additional information about DNT >>>> functionality. For example, given that some parties may chose not to comply >>>> with DNT, it would be helpful for browsers to educate users about how to >>>> check the response header and/or tokens to see if a server is responding >>>> with a ³public commitment² of compliance. >>>> >>>> >>>> >>>> >>>> >>>> Finally, recognizing that DNT settings may be set by non-browser User >>>> Agents acting in violation of the user interface guidelines, the browsers >>>> should take reasonable steps to ensure that DNT settings are valid. >>>> >>>> >>>> >>>> >>>> >>>> 4. ACTION-373: Append. Text proposed by John Simpson and Alan Chapell, >>>> with concurrence by Jeff Chester. Clarifications to list in emails by John >>>> Simpson April 8 and Peter Swire April 9. Peter Swire circulated a >>>> background memo on April 9. >>>> >>>> >>>> >>>> >>>> >>>> Normative: >>>> >>>> >>>> When DNT:1 is received: >>>> >>>> >>>> -- A 1st Party MUST NOT combine or otherwise use identifiable data received >>>> from another party with data it has collected while a 1st Party. >>>> >>>> >>>> -- A 1st Party MUST NOT shareidentifiable data with another party unless >>>> the data was provided voluntarily by the user and is necessary to complete >>>> a business transaction with the user. >>>> >>>> >>>> -- A Party MUST NOT usedata gathered while a 1st Party when operating as a >>>> 3rd Party. >>>> >>>> >>>> Non-Normative: >>>> >>>> >>>> When DNT:1 is received, a 1st Party retains the ability to customize >>>> content, services, and advertising only within thecontext of the first >>>> party experience. A 1st party takes the user interaction outside of the 1st >>>> party experience if it receives identifiabledata from another party and >>>> uses that data for customization of content, services, oradvertising. >>>> >>>> >>>> When DNT:1 is received the 1st Party maycontinue to utilize user provided >>>> data in order to complete or fulfill a user initiated >>>> business transaction such as fulfilling an order for goods or a >>>> subscription. >>>> >>>> >>>> When DNT:1 is received and a Party has become a 3rd Party it is interacting >>>> with the user outside of the 1st Party experience. Using data gathered >>>> while a 1st party is incompatible with interaction as a >>>> third party. >>>> >>>> >>>> >>>> >>>> >>>> Chris Pedigo gave five examples on data append in September, 2012, which >>>> are useful to consider in light of the proposed language: >>>> >>>> >>>> http://www.w3.org/2011/tracking-protection/track/actions/229 >>>> >>>> >>>> >>>> >>>> >>>> --------------------------- >>>> >>>> >>>> TPE Spec Matthias Schunter >>>> >>>> >>>> --------------------------- >>>> >>>> >>>> 5. Restructuring the response indicators. We currently discuss thefollowing >>>> three fields: >>>> >>>> >>>> >>>> >>>> >>>> - Optional Prefix "!" (I do not conform and I do not claim that whatever >>>> letters follow this sign are correct) >>>> >>>> >>>> - Tracking Status >>>> >>>> >>>> 1, 3, ... >>>> >>>> >>>> - Permitted uses: >>>> >>>> >>>> C(onsent), ... >>>> >>>> >>>> >>>> >>>> >>>> 6. ISSUE-187 Discuss Site Requirements Consent >>>> >>>> >>>> One general concern related to exceptions in general was that sites >>>> register exceptions while neither the browser (in the old model) nor the >>>> site (in the new model) gather consent in a reliable way. Our current TPE >>>> spec states in Section 6.3.1: >>>> >>>> >>>> The call to store an exception MUST reflect the user's intention to grant >>>> an exception, at the time of the call. This intention MUST be determined by >>>> the site prior to each call to store an exception, at the time of the call. >>>> (This allows the user to change their mind, and delete a stored exception, >>>> which might then trigger the site to explain, and ask for, the exception >>>> again). It is the responsibility solely of the site making the call to >>>> determine that a call to record an exception reflects the user's informed >>>> consent at the time of the call. >>>> >>>> >>>> >>>> >>>> >>>> Jonathan proposed these three requirements that refine this language and >>>> that I would like to gather feedback on: >>>> >>>> >>>> 1) Actual presentation: The choice mechanism MUST be actually presented to >>>> the user. It MUST NOT be on a linked page, such as a terms of service or >>>> privacy policy. >>>> >>>> >>>> >>>> >>>> >>>> 2) Independent choice: The choice mechanism MUST be presented independent >>>> of other choices. It MUST NOT be bundled with other user preferences. >>>> >>>> >>>> >>>> >>>> >>>> 3) No default permission: The choice mechanism MUST NOT have the user >>>> permission preference selected by default. >>>> >>>> >>>> >>>> >>>> >>>> (From http://lists.w3.org/Archives/Public/public-tracking/2012Apr/0004.html >>>> <http://lists.w3.org/Archives/Public/public-tracking/2012Apr/0004.html> ) >>>> >>>> >>>> >>>> >>>> >>>> 7. Steps towards the next working draft. >>>> >>>> >>>> >>>> >>>> >>>> Discuss what needs to be updated before publishing our next TPE working >>>> draft. >>>> >>>> >>>> >>>> >>>> >>>> I have previously preferred distinguishing "who I am" from "how I am >>>> operating", and I feel that have C and ! as 'status' indicators rather than >>>> qualifiers means that I can no longer tell whether I am interacting with >>>> someone who adheres to 1st or 3rdparty constraints. So I agree, rather >>>> than C or ! as the first character, I think that >>>> >>>> >>>> >>>> >>>> >>>> 1C -- content produced under first party rules with consent >>>> >>>> >>>> 3C -- third party under 3rd party rules with consent >>>> >>>> >>>> >>>> >>>> >>>> 8. Announce next meeting & adjourn >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> ================ Infrastructure ================= >>>> >>>> >>>> >>>> >>>> >>>> Zakim teleconference bridge: >>>> >>>> >>>> VoIP: sip:zakim@voip.w3.org <file://localhost/sip/zakim@voip.w3.org> >>>> >>>> >>>> Phone +1.617.761.6200 passcode TRACK (87225) >>>> >>>> >>>> IRC Chat: irc.w3.org <http://irc.w3.org/> , port 6665, #dnt >>>> >>>> >>>> >>>> >>>> >>>> ***** >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> Professor Peter P. Swire >>>> >>>> >>>> C. William O'Neill Professor of Law >>>> >>>> Ohio State University >>>> >>>> 240.994.4142 >>>> >>>> www.peterswire.net <http://www.peterswire.net> >>>> >>>> >>>> >>>> >>>> >>> >>> >> > > >
Received on Tuesday, 9 April 2013 22:50:38 UTC