Re: ISSUE-161: Discussion of semantics and alternatives to "!"

We've been over this many times: adoption of the documents that we produce will trigger consumer protection law in many jurisdictions.  If TPE facilitates selective noncompliance or second-guessing DNT: 1, we'll undercut the enforceability of Do Not Track.

Here's my concrete counterproposal: we do not include a "!" or "D" signal.

Best,
Jonathan


On Wednesday, April 17, 2013 at 2:21 AM, Matthias Schunter (Intel Corporation) wrote:

> Hi Roy/David/Jonathan,
> 
> 
> thanks for your inputs!
> 
> I agree that
> - the semantics of "!" is well defined in the spec
> - Once a site claims "!" we can no longer impose rules (since the site claims not to abide by those rules).
> 
> I believe that for "D", things are different since "D" is part of our compliance regime.
> 
> The concern I see is that sites use "D" far too often (or even always) and thus
> have a way to "escape" the compliance rules we create. E.g., without any rules on "D",
> a site could always respond "D" while not implementing any part of the compliance rules we create.
> I believe that this is not in the spirit of this WG.
> 
> However, I agree with Roy that preventing this is hard in a voluntary standard.
> A related goal we cannot achieve is to force people to implement DNT.
> 
> The current resolution is that parties who reply "D" are required to
> document the conditions under which "D" is sent and are therefore transparent on their practices.
> 
> This documentation can then be used within dialogues (e.g., with regulators or customers or advocacy groups) that are outside the scope
> of the protocol and also outside the scope of this WG.
> 
> I believe that if we do not provide the "D", then sites will just ignore certain signals of UAs they deem non-compliant.
> This scenario is much worse since 
>  (a) users cannot learn that their signal has been ignored
>  (b) sites are not required to be transparent about their practices/conditions under which signals are ignored
> 
> ALL: We have a concrete text on the table (within the TPE spec) and the next step for people not agreeing with this text
> is to propose improvements / alternatives. Without alternatives, it is likely that this issue will eventually be closed.
> 
> 
> Regards,
> matthias
>
> On 17/04/2013 10:02, Roy T. Fielding wrote:
> > On Apr 17, 2013, at 12:04 AM, Jonathan Mayer wrote: 
> > > Roy, 
> > > 
> > > I entirely fail to see how the semantics of a status indicator "cannot be addressed."  Could you please explain your concern? 
> > > 
> > > Thanks, 
> > > Jonathan
> > > 
> > 
> > 
> > I don't have a concern.  The concern you expressed is a fear that 
> > sites will be allowed to express some degree of non-conformance,
> > rather than an all-or-nothing adherence to some compliance regime
> > that simply does not exist.  The place to address your concern is
> > in that compliance regime, not the protocol.
> > 
> > Some people have a desire for the server to communicate when there 
> > is a lack of conformance.  There are two solutions to that: 1) allow
> > them to do so in the protocol; 2) sit by and watch them do so
> > outside the protocol.  There is no third option of "require them
> > to always conform" because non-conformance is outside our scope.
> > 
> > Failure to provide a means for communicating "D" inside the protocol 
> > just means that it will be expressed as either a non-standard
> > extension or within the privacy policy of each site.
> > 
> > Failure to provide a means for testing ("!") inside the protocol 
> > just means everyone will invent their own means for pre-deployment
> > testing (e.g., use different field and WKR names), and then they
> > will have a legitimate excuse for implementing it wrong the first
> > few times.
> > 
> > The protocol can't place limits on how long or how often the 
> > testing periods might be, nor is there any reason to believe
> > that sites will game an explicit indication of non-conformance.
> > Compliance regimes can do that, either in the form of regulations
> > or self-regulatory guidelines.  I am not writing either one, so
> > I will not be addressing your concern in TPE.
> > 
> > Cheers, 
> > 
> > ....Roy 
> > 
> 

Received on Wednesday, 17 April 2013 22:21:31 UTC