Re: ACTION-258: Propose 'should' for same-party and why

On Apr 25, 2013, at 11:05 AM, Rigo Wenning wrote:

> On Tuesday 23 April 2013 16:27:55 Roy T. Fielding wrote:
>>> No response, no commitment, no commitment no value for the DNT
>>> header  (other than nice decoration).
>> 
>> That is entirely incoherent.  A purchase involves an exchange of
>> value for value -- no purchase occurs if the exchange is never made.
>> A validly configured user preference is just information -- nothing
>> more or less -- and does not require any exchange of value.  In fact,
>> the entire premise of DNT is to ask servers to voluntary discard
>> valuable data based on that preference.  There is no exchange,
>> no purchase, and no agreement or contract that binds the parties.
>> The only legal constructs relevant to DNT are independent of DNT:
>> privacy regulations regarding the processing of personal data and
>> business regulations regarding fair and non-deceptive practices.
> 
> You're arguing for DNT:1 spawning routers! They don't need to interact.

I am doing nothing of the sort -- your premise on the need to interact
is false.  It has no basis in law or tech.  Please stop repeating it.

> And the DNT:1 header without feedback is not enforceable at all. I can 
> always tell you: "Please wear a helmet". This doesn't force you to wear 
> a helmet, not even to respond to my preference.

We have these things called "helmet laws" in the US.  They enforce
the wearing of helmets under certain circumstances.  They are not
an agreement.  They do not require interaction.  They do not force
you to wear helmets -- they just define it as illegal and give some
entity the ability to cite failures to comply and some other entity
the ability to compel fines as a result.

We also have laws against commercial practices that are unfair or
deceptive.  We have this FTC thing that cites failures and extracts
binding agreements/fines via the legal process.  It seems to be effective.

> This is just the initial 
> 30 line DNT:1 implementation as it has no legal value at all. If this is 
> true, what have we done in the past one and a half year? Why do we need 
> a protocol at all? Instead, you write "I do DNT" on one page on your 
> site and expose yourself to the thunderstorm of DNT:1 headers.

Yes, I have explained that numerous times already. There is
no need for a response in order for the protocol to be effective.
There is no need in the EU because personal data is already covered
by "must have consent" laws, which are enforced by DPAs.
There is no need in the US because the FTC is capable of enforcing
commitments given in privacy policies.

The justifications we have right now for a response are so that
extension developers can produce automated tools for visualizing
the machine-readable responses, and so others can use automated
tools to discover the extent to which sites have indicated at
least an awareness of DNT.  Those justifications alone were
sufficient for industry to accept the burden of responding even
though it is known that almost all of those responses will be
ignored.

I personally think it is a stupid idea to do any of these
responses within the normal protocol stream (the TSR is only
reasonable because it can be requested independent of the stream).
It is stupid to require an immediate response when the protocol is
demanding non-technical long-term adherence to policies that are
far outside the scope of a single request dialog.  It is stupid
to send a customized response per user or user agent when when
all the user wants is to not be tracked by parties unknown.
It is stupid to differentiate the response into first and third
parties when nobody in this process (not even the user) knows or
even cares whether the source and destination of any given link
shares the same legal owner.  All of those things are ridiculously
burdensome, wasteful, and have drawn out this process ad nauseum,
and they are all because the people in this working group do not
trust industry to do something as simple as voluntarily adhering
to a user preference.

I don't have a problem with the lack of trust.  Most of industry
hasn't earned it.  However, I do have a problem with trying to
legislate within a self-selected forum for voluntary standards.
It doesn't make any sense.  The WG should have shot down every
one of these "compliance" requirements that are not responsive
to the user's preference, but rather to the WG's fears.

Let us write a voluntary protocol that clearly expresses some
preference, with ALL of the necessary terms clearly defined so
that users are not being misled about what is being communicated.
Let others worry about enforcing the adoption or adherence to
that protocol once it has been defined.

> The 
> overhead is only justified if there is a feedback. Feedback is legally 
> needed. If browser do not record/parse feedback, they do not implement 
> DNT IMHO. 

Browsers claim to implement HTTP today, even though none of them
are compliant to the actual standard. I don't expect a better
result from DNT; they don't even explain what it means.  The best
I can do is identify when the protocol is violated and implement
workarounds to make up for their errors.  I try to do so in ways
that they notice, and hopefully fix.  Most do.  Some don't.

....Roy

Received on Thursday, 25 April 2013 22:11:24 UTC