- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Thu, 25 Apr 2013 15:11:02 -0700
- To: Rigo Wenning <rigo@w3.org>
- Cc: "public-tracking@w3.org Working Group" <public-tracking@w3.org>

On Apr 25, 2013, at 11:05 AM, Rigo Wenning wrote:

> On Tuesday 23 April 2013 16:27:55 Roy T. Fielding wrote:
>>> No response, no commitment, no commitment no value for the DNT
>>> header (other than nice decoration).
>>
>> That is entirely incoherent. A purchase involves an exchange of
>> value for value -- no purchase occurs if the exchange is never made.
>> A validly configured user preference is just information -- nothing
>> more or less -- and does not require any exchange of value. In fact,
>> the entire premise of DNT is to ask servers to voluntarily discard
>> valuable data based on that preference. There is no exchange,
>> no purchase, and no agreement or contract that binds the parties.
>> The only legal constructs relevant to DNT are independent of DNT:
>> privacy regulations regarding the processing of personal data and
>> business regulations regarding fair and non-deceptive practices.
>
> You're arguing for DNT:1 spawning routers! They don't need to interact.

I am doing nothing of the sort -- your premise on the need to interact is false. It has no basis in law or tech. Please stop repeating it.

> And the DNT:1 header without feedback is not enforceable at all. I can
> always tell you: "Please wear a helmet". This doesn't force you to wear
> a helmet, not even to respond to my preference.

We have these things called "helmet laws" in the US. They enforce the wearing of helmets under certain circumstances. They are not an agreement. They do not require interaction. They do not force you to wear helmets -- they just define it as illegal and give some entity the ability to cite failures to comply and some other entity the ability to compel fines as a result.

We also have laws against commercial practices that are unfair or deceptive. We have this FTC thing that cites failures and extracts binding agreements/fines via the legal process. It seems to be effective.

> This is just the initial
> 30 line DNT:1 implementation as it has no legal value at all. If this is
> true, what have we done in the past one and a half years? Why do we need
> a protocol at all? Instead, you write "I do DNT" on one page on your
> site and expose yourself to the thunderstorm of DNT:1 headers.

Yes, I have explained that numerous times already. There is no need for a response in order for the protocol to be effective. There is no need in the EU because personal data is already covered by "must have consent" laws, which are enforced by DPAs. There is no need in the US because the FTC is capable of enforcing commitments given in privacy policies.

The justifications we have right now for a response are so that extension developers can produce automated tools for visualizing the machine-readable responses, and so others can use automated tools to discover the extent to which sites have indicated at least an awareness of DNT. Those justifications alone were sufficient for industry to accept the burden of responding even though it is known that almost all of those responses will be ignored.

I personally think it is a stupid idea to do any of these responses within the normal protocol stream (the TSR is only reasonable because it can be requested independent of the stream). It is stupid to require an immediate response when the protocol is demanding non-technical long-term adherence to policies that are far outside the scope of a single request dialog. It is stupid to send a customized response per user or user agent when all the user wants is to not be tracked by parties unknown. It is stupid to differentiate the response into first and third parties when nobody in this process (not even the user) knows or even cares whether the source and destination of any given link shares the same legal owner.

All of those things are ridiculously burdensome, wasteful, and have drawn out this process ad nauseam, and they are all because the people in this working group do not trust industry to do something as simple as voluntarily adhering to a user preference.

I don't have a problem with the lack of trust. Most of industry hasn't earned it. However, I do have a problem with trying to legislate within a self-selected forum for voluntary standards. It doesn't make any sense. The WG should have shot down every one of these "compliance" requirements that are not responsive to the user's preference, but rather to the WG's fears.

Let us write a voluntary protocol that clearly expresses some preference, with ALL of the necessary terms clearly defined so that users are not being misled about what is being communicated. Let others worry about enforcing the adoption or adherence to that protocol once it has been defined.

> The
> overhead is only justified if there is a feedback. Feedback is legally
> needed. If browsers do not record/parse feedback, they do not implement
> DNT IMHO.

Browsers claim to implement HTTP today, even though none of them are compliant to the actual standard. I don't expect a better result from DNT; they don't even explain what it means. The best I can do is identify when the protocol is violated and implement workarounds to make up for their errors. I try to do so in ways that they notice, and hopefully fix. Most do. Some don't.

....Roy

Received on Thursday, 25 April 2013 22:11:24 UTC