Re: ACTION-390: alternative UA affordances for DNT choice

On Friday 26 April 2013 09:44:05 Alan Chapell wrote:
> I'm not looking to establish liability. 

OK, in talking about liability, I made two steps in one move. I meant 
accountability plus false claims of conformance. 

> 
> No - I want to understand who is responsible for ensuring that DNT
> functionality is clearly described in line with privacy by design
> concepts.

The legal entity that makes, has made or distributes the piece of code 
that causes the HTTP headers to contain an additional DNT header. 

> 
> >My software is
> >conformant to the the Tracking Protection Standard. 
> 
> I'm sorry Rigo, but I'm just not understanding. Who here is the
> implementer here?

The person legally responsible for the software generating the DNT 
header. This is the person that distributes or sells the software to the 
end user. But this could also be an intermediary (e.g. in a mobile 
context like Opera Mini). 

> 
> >So talking about the "user" instead of the "user agent" actually does
> >the trick. 
> 
> I think we're in agreement re: the User must be informed. 

Yes, the tricky part is to find the right wording to cover those we want 
to be responsible. "user agent" is "the wrong tree", as Roy would say. We 
should formulate our expectation on the user's experience (this is at 
the center of our interest) and leave the determination of the 
responsible person to the legal system. 

By having those requirements on user experience also linked in the 
section on conformance, claims of conformance (e.g. I implement W3C DNT) 
will only be true if the user is informed as required. False claims of 
conformance carry the risk of being qualified as deceptive. 

> We can word
> the requirement from the pov of the User if you'd like, but I don't
> think that changes the fact that SOME 'thing' sends a DNT header.

There is always someone who provided that software unless the user has 
programmed it herself. 

> That thing may be a browser or other User agent, a piece of software,
> a refrigerator, a carrier pigeon, etc... 

You don't need to mention which software, so as not to exclude things. 
Just state the requirements for what the user should see. 

> The spec needs to have some
> requirement that those things that turn on DNT have a responsibility
> to meet some baseline standard of informed consent. 

Again my remark that informed consent cuts both ways: as a requirement 
before turning DNT:1 on, but also as a requirement on the website before 
turning on the DNT:0 signal via the JavaScript API. 

> Otherwise, we
> don't have a standard that is meaningful for anyone.

This is why I complain about the lack of reaction from the browsers on 
the feedback mechanism. While I understand that browsers are reluctant 
to commit to everything directly, things that are excluded from 
implementation up front shouldn't be in the standard. If nobody wants 
the feedback mechanism, throw it out. Without browser implementation it 
doesn't make sense, as it will not replace the human-readable Privacy 
Policy. 

 --Rigo

Received on Friday, 26 April 2013 17:20:01 UTC