Re: ISSUE-161: Discussion of semantics and alternatives to "!"

David, 

I disfavor having any selective noncompliance flag.  I'm open to the idea of a debugging/testing/phasing-in flag, but it would have to be narrowly scoped (e.g. specific uses and limited duration) and explicitly disallowed as a basis for claiming Do Not Track protocol or policy compliance.

Jonathan


On Thursday, April 18, 2013 at 7:23 PM, David Singer wrote:

> Hi
> 
> thanks, I think I get the sense of what you say.  Your concerns solely address "D", however, as far as I can tell.  Certainly if the document is clear that "!" is never compliant, and indicates incomplete implementation, a site can't say "we do DNT" in even the most casual language, while sending "!".
> 
> A number of times people have questioned whether transparency is desirable if existing browsers don't actually surface the information.  But that assumes (a) that they never will and (b) that a special 'privacy debugging' mode, add-on, or product will never exist and (c) privacy researchers will not investigate and report what they find.  I think all three assumptions are quite questionable.  I can certainly imagine, at some point in the future when DNT implementation is common, that browsers might surface a warning when visiting sites that pull in content from one or more servers that don't implement, or don't claim compliance (i.e. no WKR, or a response of D or !).  "Warning, you're not getting the privacy you think you are."
> 
> I share your concern about races to the bottom.
> 
> 
> On Apr 19, 2013, at 2:09 , Jonathan Mayer <jmayer@stanford.edu> wrote:
> > David, 
> > 
> > There's a policy and law tradeoff to weigh here.
> > 
> > If we do not provide a noncompliance signal, a website may still attempt to practice selective noncompliance.  It would have to be extraordinarily careful, however, to not run afoul of consumer protection law (including the Federal Trade Commission and state attorneys general authorities against "unfairness" and "deception").  In particular, such a website could not represent that it supports Do Not Track (and enjoy the benefits of that representation) without careful and pervasive caveats.
> > 
> > If we do provide a noncompliance signal, websites can trivially practice selective noncompliance and claim to both support Do Not Track and have transparency measures in place.  I, for one, seriously doubt the actual value of a noncompliance signal to users.  How will browsers surface the signal?  What choices will users have?  Will countermeasures be imposed by default?
> > 
> > In sum, the former scenario implicates fewer but more meaningful Do Not Track implementations, while the latter could give rise to more but more meaningless implementations.  I'm particularly concerned about a race to the bottom with the latter, once it becomes clear that the penalties for selective noncompliance are nonexistent.  The former seems far preferable to me.
> > 
> > Jonathan
> > 
> > 
> > On Wednesday, April 17, 2013 at 6:25 PM, David Singer wrote:
> > 
> > > 
> > > On Apr 18, 2013, at 6:21 , Jonathan Mayer <jmayer@stanford.edu> wrote:
> > > > We've been over this many times: adoption of the documents that we produce will trigger consumer protection law in many jurisdictions.  If TPE facilitates selective noncompliance or second-guessing DNT: 1, we'll undercut the enforceability of Do Not Track.
> > > > 
> > > > Here's my concrete counterproposal: we do not include a "!" or "D" signal.
> > > 
> > > So, to be clear, you're OK with sites like Yahoo! (a) selectively ignoring DNT and (b) not even signaling to users that their signal is being ignored?
> > > 
> > > And, you are OK with sites writing in some human-readable (but perhaps unread) text somewhere "we're in the process of deploying DNT but we're not done yet" and not revealing that in a machine-readable, transparent way?
> > > 
> > > I thought user transparency was desirable, myself.  You surprise me.
> > > 
> > > In these cases we need to be very clear that (a) "!" is an explicit non-claim of compliance and (b) the compliance of "D" cannot be determined.
> > > 
> > > Clearly, if someone requires you to comply with DNT and you signal "!", you're not meeting their requirement.  If you signal "D", they may or may not consider your reason to ignore justified and satisfactory;  one example I have given is a hypothetical court-order that you track all visitors to demonstrate compliance to some court ruling.  Under those circumstances, you signal "D" and probably won't get into trouble (at least in the jurisdiction of the court).
> > > 
> > > 
> > > 
> > > > 
> > > > Best,
> > > > Jonathan
> > > > 
> > > > 
> > > > On Wednesday, April 17, 2013 at 2:21 AM, Matthias Schunter (Intel Corporation) wrote:
> > > > 
> > > > > Hi Roy/David/Jonathan,
> > > > > 
> > > > > 
> > > > > thanks for your inputs!
> > > > > 
> > > > > I agree that
> > > > > - the semantics of "!" is well defined in the spec
> > > > > - Once a site claims "!" we can no longer impose rules (since the site claims not to abide by those rules).
> > > > > 
> > > > > I believe that for "D", things are different since "D" is part of our compliance regime.
> > > > > 
> > > > > The concern I see is that sites use "D" far too often (or even always) and thus
> > > > > have a way to "escape" the compliance rules we create. E.g., without any rules on "D",
> > > > > a site could always respond "D" while not implementing any part of the compliance rules we create.
> > > > > I believe that this is not in the spirit of this WG.
> > > > > 
> > > > > However, I agree with Roy that preventing this is hard in a voluntary standard.
> > > > > A related goal we cannot achieve is to force people to implement DNT.
> > > > > 
> > > > > The current resolution is that parties who reply "D" are required to
> > > > > document the conditions under which "D" is sent and are therefore transparent on their practices.
> > > > > 
> > > > > This documentation can then be used within dialogues (e.g., with regulators or customers or advocacy groups) that are outside the scope
> > > > > of the protocol and also outside the scope of this WG.
> > > > > 
> > > > > I believe that if we do not provide the "D", then sites will just ignore certain signals of UAs they deem non-compliant.
> > > > > This scenario is much worse since 
> > > > >  (a) users cannot learn that their signal has been ignored
> > > > >  (b) sites are not required to be transparent about their practices/conditions under which signals are ignored
> > > > > 
> > > > > ALL: We have a concrete text on the table (within the TPE spec) and the next step for people not agreeing with this text
> > > > > is to propose improvements / alternatives. Without alternatives, it is likely that this issue will eventually be closed.
> > > > > 
> > > > > 
> > > > > Regards,
> > > > > matthias
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > On 17/04/2013 10:02, Roy T. Fielding wrote:
> > > > > > On Apr 17, 2013, at 12:04 AM, Jonathan Mayer wrote: 
> > > > > > > Roy, 
> > > > > > > 
> > > > > > > I entirely fail to see how the semantics of a status indicator "cannot be addressed."  Could you please explain your concern? 
> > > > > > > 
> > > > > > > Thanks, 
> > > > > > > Jonathan
> > > > > > > 
> > > > > > 
> > > > > > 
> > > > > > I don't have a concern.  The concern you expressed is a fear that 
> > > > > > sites will be allowed to express some degree of non-conformance,
> > > > > > rather than an all-or-nothing adherence to some compliance regime
> > > > > > that simply does not exist.  The place to address your concern is
> > > > > > in that compliance regime, not the protocol.
> > > > > > 
> > > > > > Some people have a desire for the server to communicate when there 
> > > > > > is a lack of conformance.  There are two solutions to that: 1) allow
> > > > > > them to do so in the protocol; 2) sit by and watch them do so
> > > > > > outside the protocol.  There is no third option of "require them
> > > > > > to always conform" because non-conformance is outside our scope.
> > > > > > 
> > > > > > Failure to provide a means for communicating "D" inside the protocol 
> > > > > > just means that it will be expressed as either a non-standard
> > > > > > extension or within the privacy policy of each site.
> > > > > > 
> > > > > > Failure to provide a means for testing ("!") inside the protocol 
> > > > > > just means everyone will invent their own means for pre-deployment
> > > > > > testing (e.g., use different field and WKR names), and then they
> > > > > > will have a legitimate excuse for implementing it wrong the first
> > > > > > few times.
> > > > > > 
> > > > > > The protocol can't place limits on how long or how often the 
> > > > > > testing periods might be, nor is there any reason to believe
> > > > > > that sites will game an explicit indication of non-conformance.
> > > > > > Compliance regimes can do that, either in the form of regulations
> > > > > > or self-regulatory guidelines.  I am not writing either one, so
> > > > > > I will not be addressing your concern in TPE.
> > > > > > 
> > > > > > Cheers, 
> > > > > > 
> > > > > > ....Roy 
> > > > > > 
> > > > > 
> > > > 
> > > 
> > > David Singer
> > > Multimedia and Software Standards, Apple Inc.
> > > 
> > > 
> > > 
> > > 
> > 
> 
> David Singer
> Multimedia and Software Standards, Apple Inc.
> 
> 
> 
> 

Received on Friday, 19 April 2013 04:03:14 UTC
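
The warning David Singer imagines in the thread above (flag servers with no WKR, or a response of D or !), sketched as an added example that is not part of the thread or of the TPE text. The `Tk` value shape, the JSON `tracking` member, the header-over-WKR precedence and every host name and sample value are assumptions or constructed data.

```javascript
// Added example: which servers on a page make no DNT compliance claim?
// Only "!" and "D" get special treatment, as in the thread above; any other
// status value is passed through as a claim without being interpreted.

// Assumption: a Tk value is one status character, optionally ";" plus an id.
function statusFromTk(tkValue) {
  if (typeof tkValue !== "string") return null;
  const status = tkValue.split(";")[0].trim();
  return status.length === 1 ? status : null;
}

// Assumption: the WKR body is JSON whose "tracking" member holds the status.
function statusFromWkr(body) {
  if (typeof body !== "string") return null;
  try {
    const doc = JSON.parse(body);
    const s = doc && doc.tracking;
    return typeof s === "string" && s.length === 1 ? s : null;
  } catch (err) {
    return null; // an unparseable WKR is treated the same as no WKR
  }
}

// Design choice for this sketch: a per-response Tk header wins over the WKR.
function classify(server) {
  const status = statusFromTk(server.tk) || statusFromWkr(server.wkr);
  if (status === null) return "no-status";
  if (status === "!") return "non-claim";
  if (status === "D") return "disregarding";
  return "claims-status";
}

// Return the servers a browser or research tool would warn about.
function auditPage(servers) {
  return servers
    .map((s) => ({ host: s.host, finding: classify(s) }))
    .filter((r) => r.finding !== "claims-status");
}

// Constructed observations for one page load (hosts and values are made up).
const observed = [
  { host: "site.example", tk: null, wkr: '{"tracking":"N"}' },
  { host: "ads.example", tk: "D;reason-1", wkr: '{"tracking":"N"}' },
  { host: "beta.example", tk: "!", wkr: null },
  { host: "cdn.example", tk: null, wkr: null },
  { host: "old.example", tk: null, wkr: "<html>404</html>" },
];

console.log(auditPage(observed));
```
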