Re: DNT: Agenda for April 10 call

I second the idea that specific examples are useful, and regrettably I,
too, won't be able to make today's call.

Best,
Dan

On 04/09/2013 04:03 PM, Jonathan Mayer wrote:
> Alan,
>
> I'm afraid I may not be able to join the call owing to an academic
> obligation.  Could you very briefly dash off how the text would
> address current implementations?  Even something as simple as thumbs
> up/down for each browser would help a lot.
>
> Thanks,
> Jonathan
>
> On Tuesday, April 9, 2013 at 3:50 PM, Alan Chapell wrote:
>
>> Sure – will provide some additional thoughts in the morning.
>>
>> Alan
>>
>> From: Jonathan Mayer <jmayer@stanford.edu <mailto:jmayer@stanford.edu>>
>> Date: Tuesday, April 9, 2013 6:37 PM
>> To: Alan Chapell <achapell@chapellassociates.com
>> <mailto:achapell@chapellassociates.com>>
>> Cc: Justin Brookman <justin@cdt.org <mailto:justin@cdt.org>>,
>> <public-tracking@w3.org <mailto:public-tracking@w3.org>>
>> Subject: Re: DNT: Agenda for April 10 call
>>
>>     Alan,
>>
>>     I think some practical examples would greatly assist in
>>     illustrating your proposal.  Would the current versions of
>>     Internet Explorer, Chrome, Firefox, and Safari be compliant?  If
>>     not, what alterations would be required?
>>
>>     Thanks,
>>     Jonathan
>>
>>     On Tuesday, April 9, 2013 at 3:26 PM, Alan Chapell wrote:
>>
>>>     I'll be presenting the language with input from others. Once we
>>>     reach consensus on this language I'd be happy to work with you
>>>     on language for exception requests.
>>>
>>>
>>>     From: Justin Brookman <justin@cdt.org <mailto:justin@cdt.org>>
>>>     Date: Tuesday, April 9, 2013 5:26 PM
>>>     To: <public-tracking@w3.org <mailto:public-tracking@w3.org>>
>>>     Subject: Re: DNT: Agenda for April 10 call
>>>     Resent-From: <public-tracking@w3.org
>>>     <mailto:public-tracking@w3.org>>
>>>     Resent-Date: Tue, 09 Apr 2013 21:26:58 +0000
>>>
>>>         Who is presenting the language on user interface?  The group
>>>         had previously agreed that the degree of specificity on user
>>>         agent presentation of DNT options should also be mirrored in
>>>         presentation requirements for exception requests.  So if
>>>         we're requiring "clear and conspicuous" presentation and an
>>>         explanatory link for turning DNT on in the first place,
>>>         we're also going to have to require the same for parties
>>>         seeking to get permission to ignore a DNT:1 signal.
>>>
>>>         Justin Brookman
>>>         Director, Consumer Privacy
>>>         Center for Democracy & Technology
>>>         tel 202.407.8812
>>>         justin@cdt.org <mailto:justin@cdt.org>http://www.cdt.org
>>>         @JustinBrookman
>>>         @CenDemTech
>>>
>>>         On 4/9/2013 4:59 PM, Peter Swire wrote:
>>>>
>>>>         (Very roughly, first half on compliance spec and second
>>>>         half on TPE spec.)
>>>>
>>>>
>>>>         ---------------------------
>>>>
>>>>         Administrative
>>>>
>>>>         ---------------------------
>>>>
>>>>          
>>>>
>>>>         *_1. Confirmation of scribe_*– glad to accept volunteer  --
>>>>         no volunteer thus far.
>>>>
>>>>          
>>>>
>>>>         *_2. Offline-caller-identification: _*
>>>>
>>>>         If you intend to join the phone call, youmusteither
>>>>         associate your phone number with your IRC username once
>>>>         you've joined the call (command: "Zakim, [ID] is [name]"
>>>>         e.g., "Zakim, ??P19 is schunter" in my case), or let Nick
>>>>         know your phone number ahead of  time. If you are not
>>>>         comfortable with the Zakim IRC syntax for associating your
>>>>         phone number, please email your name and phone number
>>>>         to npdoty@w3.org <mailto:npdoty@w3.org>. We want to reduce
>>>>         (in fact, eliminate) the time spent on the call identifying
>>>>         phone numbers. Note that if your number is not identified
>>>>         and you do not respond to off-the-phone reminders via IRC,
>>>>         you will be dropped from the call.
>>>>
>>>>          
>>>>
>>>>         ---------------------------
>>>>
>>>>         Compliance Spec – Peter Swire
>>>>
>>>>         ---------------------------
>>>>
>>>>         _ _
>>>>
>>>>         *_3.   User education/ User interface. _*
>>>>
>>>>          
>>>>
>>>>         *Proposed Text:*
>>>>
>>>>         *5. User Agent Compliance*
>>>>
>>>>         A user agent /MUST/ offer a control to express a tracking
>>>>         preference to third parties. The control /MUST/ communicate
>>>>         the user's preference in accordance with the
>>>>         [/TRACKING-DNT/
>>>>         <http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#bib-TRACKING-DNT>]
>>>>         recommendation and otherwise comply with that
>>>>         recommendation. A user agent /MUST NOT/ express a tracking
>>>>         preference for a user unless the user has given express and
>>>>         informed consent to indicate a tracking preference.
>>>>
>>>>          
>>>>
>>>>         While we do not specify how tracking preference choices are
>>>>         offered to the user or how the preference is enabled, each
>>>>         implementation MUST follow the following user interface
>>>>         guidelines:
>>>>
>>>>         1.     The User Agent is responsible for determining the
>>>>         user experience by which a tracking preference is enabled.
>>>>         For example, a user might select a check-box in their user
>>>>         agent's configuration, or install an extension or add-on
>>>>         that is specifically designed to add a tracking preference
>>>>         expression so long as the checkbox, extension or add-on
>>>>         otherwise follows these user interface guidelines;
>>>>
>>>>         2.     The User Agent MUST ensure that the tracking
>>>>         preference choices are communicated to users clearly and
>>>>         conspicuously, and shown at the time and place the tracking
>>>>         preference choice is made available to auser;
>>>>
>>>>         3.     The User Agent MUST ensure that the tracking
>>>>         preference choices accurately describe DNT, including the
>>>>         parties to whom DNT applies, and MUST make available via a
>>>>         link in explanatory text where DNT is enabled to provide
>>>>         more detailed information about DNT functionality.
>>>>
>>>>          
>>>>
>>>>         Non-Normative:
>>>>
>>>>          
>>>>
>>>>         The User Agent plays a key role in enacting the DNT
>>>>         functionality. As a result, it is appropriate for the User
>>>>         Agent to play an equally key role in describing DNT
>>>>         functionality and educating users about DNT in order for
>>>>         this standard to be meaningful.
>>>>
>>>>          
>>>>
>>>>         While the user interface guidelines do not specify the
>>>>         exact presentation to the user, they are intended to help
>>>>         ensure that users understand their choices with respect to
>>>>         DNT. For example, outlining the parties (e.g., First
>>>>         Parties, Service Providers, Third Parties) to
>>>>         whomDNTapplies and using language that a reasonable user is
>>>>         likely to understand is critical for ensuring that users
>>>>         are in position to provide their informed consent to a
>>>>         tracking preference.
>>>>
>>>>          
>>>>
>>>>         Moreover, as DNT functionality is complex, it is important
>>>>         that User Agents educate users about DNT, including but not
>>>>         limited to offering a clearly described link that takes the
>>>>         user to additional information about DNT functionality. For
>>>>         example, given that some parties may chose not to comply
>>>>         with DNT, it would be helpful for browsers to educate users
>>>>         about how to check the response header and/or tokens to see
>>>>         if a server is responding with a “public commitment” of
>>>>         compliance.
>>>>
>>>>          
>>>>
>>>>         Finally, recognizing that DNT settings may be set by
>>>>         non-browser User Agents acting in violation of the user
>>>>         interface guidelines, the browsers should take reasonable
>>>>         steps to ensure that DNT settings are valid.
>>>>
>>>>          
>>>>
>>>>         *_4. ACTION-373: Append._*  Text proposed by John Simpson
>>>>         and Alan Chapell, with concurrence by Jeff Chester.
>>>>         Clarifications to list in emails by John Simpson April 8
>>>>         and Peter Swire April 9.  Peter Swire circulated a
>>>>         background memo on April 9.
>>>>
>>>>          
>>>>
>>>>         /Normative: /
>>>>
>>>>         /When DNT:1 is received:/
>>>>
>>>>         /-- A 1st Party MUST NOT combine or otherwise use
>>>>         identifiable data received from another party with data it
>>>>         has collected while a 1st Party./
>>>>
>>>>         /-- A 1st Party MUST NOT shareidentifiable data with
>>>>         another party unless the data was provided voluntarily by
>>>>         the user and is necessary to complete a business
>>>>         transaction with the user./
>>>>
>>>>         /-- A Party MUST NOT usedata gathered while a 1st Party
>>>>         when operating as a 3rd Party./
>>>>
>>>>         /Non-Normative: /
>>>>
>>>>         When DNT:1 is received, a 1st Party retains the ability to
>>>>         customize content, services, and advertising only within
>>>>         thecontext of the first party experience. A 1st party takes
>>>>         the user interaction outside of the 1st party experience if
>>>>         it receives identifiabledata from another party and uses
>>>>         that data for customization of content, services,
>>>>         oradvertising. 
>>>>
>>>>         When DNT:1 is received the 1st Party maycontinue to utilize
>>>>         user provided data in order to complete or fulfill a user
>>>>         initiated business transaction such as fulfilling an order
>>>>         for goods or a subscription.
>>>>
>>>>         When DNT:1 is received and a Party has become a 3rd Party
>>>>         it is interacting with the user outside of the 1st Party
>>>>         experience.  Using data gathered while a 1st party is
>>>>         incompatible with interaction as a third party.
>>>>
>>>>          
>>>>
>>>>         Chris Pedigo gave five examples on data append in
>>>>         September, 2012, which are useful to consider in light of
>>>>         the proposed language:
>>>>
>>>>         http://www.w3.org/2011/tracking-protection/track/actions/229
>>>>
>>>>          
>>>>
>>>>         ---------------------------
>>>>
>>>>         TPE Spec – Matthias Schunter
>>>>
>>>>         ---------------------------
>>>>
>>>>         *_5. Restructuring the response indicators._*We currently
>>>>         discuss thefollowing three fields:
>>>>
>>>>          
>>>>
>>>>         - Optional Prefix "!" (I do not conform and I do not claim
>>>>         that whatever letters follow this sign are correct)
>>>>
>>>>         - Tracking Status
>>>>
>>>>            1, 3, ...
>>>>
>>>>         - Permitted uses:
>>>>
>>>>            C(onsent), ...
>>>>
>>>>          
>>>>
>>>>         *_6.  ISSUE-187 Discuss Site Requirements Consent_*
>>>>
>>>>         One general concern related to exceptions in general was
>>>>         that sites register exceptions while neither the browser
>>>>         (in the old model) nor the site (in the new model) gather
>>>>         consent in a reliable way. Our current TPE spec states in
>>>>         Section 6.3.1:
>>>>
>>>>         The call to store an exception /MUST/ reflect the user's
>>>>         intention to grant an exception, at the time of the call.
>>>>         This intention /MUST/ be determined by the site prior to
>>>>         each call to store an exception, at the time of the call.
>>>>         (This allows the user to change their mind, and delete a
>>>>         stored exception, which might then trigger the site to
>>>>         explain, and ask for, the exception again). It is the
>>>>         responsibility solely of the site making the call to
>>>>         determine that a call to record an exception reflects the
>>>>         user's informed consent at the time of the call.
>>>>
>>>>          
>>>>
>>>>         Jonathan proposed these three requirements that refine this
>>>>         language and that I would like to gather feedback on:
>>>>
>>>>         1) Actual presentation: The choice mechanism MUST be
>>>>         actually presented to the user.  It MUST NOT be on a linked
>>>>         page, such as a terms of service or privacy policy.
>>>>
>>>>          
>>>>
>>>>         2) Independent choice: The choice mechanism MUST be
>>>>         presented independent of other choices.  It MUST NOT be
>>>>         bundled with other user preferences.
>>>>
>>>>          
>>>>
>>>>         3) No default permission: The choice mechanism MUST NOT
>>>>         have the user permission preference selected by default.
>>>>
>>>>          
>>>>
>>>>         (Fromhttp://lists.w3.org/Archives/Public/public-tracking/2012Apr/0004.html
>>>>         )
>>>>
>>>>          
>>>>
>>>>         *_7. Steps towards the next working draft._*
>>>>
>>>>          
>>>>
>>>>         Discuss what needs to be updated before publishing our next
>>>>         TPE working draft.
>>>>
>>>>          
>>>>
>>>>         I have previously preferred distinguishing "who I am" from
>>>>         "how I am operating", and I feel that have C and ! as
>>>>         'status' indicators rather than qualifiers means that I can
>>>>         no longer tell whether I am interacting with someone who
>>>>         adheres to 1st or 3rdparty constraints.  So I agree, rather
>>>>         than C or ! as the first character, I think that
>>>>
>>>>          
>>>>
>>>>         1C -- content produced under first party rules with consent
>>>>
>>>>         3C -- third party under 3rd party rules with consent
>>>>
>>>>          
>>>>
>>>>         *_8. Announce next meeting & adjourn_*
>>>>
>>>>          
>>>>
>>>>          
>>>>
>>>>         ================ Infrastructure =================
>>>>
>>>>          
>>>>
>>>>         Zakim teleconference bridge:
>>>>
>>>>         VoIP:    sip:zakim@voip.w3.org
>>>>         <file://localhost/sip/zakim@voip.w3.org>
>>>>
>>>>         Phone +1.617.761.6200 passcode TRACK (87225)
>>>>
>>>>         IRC Chat: irc.w3.org <http://irc.w3.org/>, port 6665, #dnt
>>>>
>>>>          
>>>>
>>>>         *****
>>>>
>>>>
>>>>
>>>>         Professor Peter P. Swire
>>>>         C. William O'Neill Professor of Law
>>>>             Ohio State University
>>>>         240.994.4142
>>>>         www.peterswire.net <http://www.peterswire.net>
>>>
>>
>


-- 
Dan Auerbach
Staff Technologist
Electronic Frontier Foundation
dan@eff.org
415 436 9333 x134

Received on Wednesday, 10 April 2013 14:24:24 UTC