RE: Batch closing of TPE issues (Deadline: December 03)

Hash: SHA1

+1. A DNT capable home router (whole house, multiple device) is very imaginable. It might be tricky (though not impossible) to allow exceptions using the UGE but this use case underlines the need for a non-JS mechanism to be discussed for DNT2.0


Sent: 04 December 2013 16:20
To: 'Brad Kulick'; Matthias Schunter (Intel Corporation)
Cc: (
Subject: RE: Batch closing of TPE issues (Deadline: December 03)

While it may seem to narrow down the scope to a manageable set of variables, limiting DNT to browsers only, and specifically to the browser code as shipped in a specific web browser product, neither:
Reflects reality, e.g. as
a wide range of products exist in the market today to augment the user experience – most with the explicit knowledge of the user or the party responsible (by choice of the user) for the user’s secure/private service in a particular internet service domain, and these products will implement DNT as they implement a range of other security/privacy/policy-enabling functions
there are far more Web applications in terms of number as installed on user devices, that are packaged as hybrid apps using various SDKs, and these apps are getting more general-purpose e.g. relying upon arbitrary 3rd-party content and advertising services, all the time
Is in the end any simpler, reliable, or “comprehensible” (from a UX perspective)
It is not simpler for the user to have to manage DNT preferences, distinctly in every device/app that they use.
That DNT preferences management burden across devices will lead to inconsistent settings as users will find it difficult to remember whether or how they have set DNT for each site/party across all these devices. Further, when the browser is reset, DNT preferences are likely to be lost and represent another resync burden on users, which will be inconsistently applied.
It will be much more difficult for users to understand why they have to manage these preferences (for themselves and others under their responsibility) in so many places, as compared to establishing one set of preferences that are applied by their:
Software plugins installed in all their devices
Home gateways, proxies, etc
Network service provider

If there need to be technical solutions to ensure that at some point in the preferences establishment/management process, the user or someone to whom they have delegated their privacy preferences management to, actually invoked the particular setting as expressed, then that’s fine and should be considered in a future work of W3C. In the short term, I do not see that as needed because:
many existing capabilities are invoked by agents of the user (e.g. the list above) without any technical non-repudiation assertions
these things are considered valuable by users without any specific  assertion of authenticity
web service providers are not rejecting affected transactions due to lack of trust in the source

Bryan Sullivan 

From: Brad Kulick [] 
Sent: Wednesday, December 04, 2013 7:09 AM
To: Matthias Schunter (Intel Corporation)
Cc: (
Subject: Re: Batch closing of TPE issues (Deadline: December 03)


The main concern is about creating a system that provides “certainty” to the ad ecosystem to develop trust in DNT.  To provide the best possible chance for DNT to survive and thrive as a broadly implemented standard, we should start small and in well understood and expected areas – in this case that means with Web Browsers in isolation. I acknowledge that this removes some “interesting use cases” but that is understood and purposeful to reduce the number of variables and entry points into the system. 



On Dec 3, 2013, at 2:16 AM, Matthias Schunter (Intel Corporation) wrote:

Hi Brad,

thanks a lot for this input. I will keep ISSUE-153 open for now and we 
can discuss it tomorrow.

My reading of your proposed change is that you want to ensure that only 
user agents themselves can transmit preferences. It would disallow 
anyone else to send DNT headers _even if this entity follows our 

IMHO this would exclude some interesting scenarios:
- - A plugin synchronising preferences of a user between devices / browsers.
- - A intermediary service where I can manage my privacy preferences 
(e.g., a control panel in the OS)
- - A trust management plugin for browsers where DNT;1 is only sent to 
selected blacklisted sites (or any other
  policy that is more advanced than the default policies of user agents).

For me, the requirement that all requirements must be met in order to 
gain permission to modify DNT headers is indeed important. This is 
clearly not the case for some of the tools today.

Could you elaborate your concerns, i.e., why you want to exclude other 
entities from managing preferences - even if they adhere to our 


Am 21.11.2013 22:04, schrieb Brad Kulick:

I respectfully request we keep Issue-153 open.  We’re fine with closing the rest of the issues you’ve recommended.

To Issue-153, we believe intermediaries should *not* be allowed to alter the tracking preference in version 1.0 and to reserve this interaction between the user and web browser for now.  We believe this will result in a simpler implementation path through well-known interfaces and gives everyone time to gain real-world experience to consider how best to incorporate intermediaries altering signals in transit.

In Section 3 of the TPE, we should change the following text:

“Likewise, a user agent extension or add-on MUST NOT alter the tracking preference unless the act of installing and enabling that extension or add-on is an explicit choice by the user for that tracking preference.”

- -to-

“Likewise, a user agent extension or add-on MUST NOT alter the tracking preference.”



On Nov 14, 2013, at 1:10 AM, Matthias Schunter (Intel Corporation) wrote:

Hi Folks,

while we are working on the new issues, I suggest we close the set of TPE-related issues that have been PENDING REVIEW for many months. These document the outcome of our former discussions on TPE where we reached a conclusion that resulted in text. For each of those issues, the text resolving the issue is already included into the TPE spec (and has been there for a long time).

Please: Validate that you can live with the resolution of the enclosed issues (Deadline: December 03).

In case you want to object to closing an issue, please provide the required documentation (see "the plan"), i.e., roughly you should say why the issue cannot be closed, what concern you have that is not addressed, and what alternative text you proposed to mitigate your concern.

Thanks a lot!


- --------------8<------------------
ISSUE-137: Does hybrid tracking status need to distinguish between first party (1) and outsourcing service provider acting as a first party (s)
ISSUE-153: What are the implications on software that changes requests but does not necessarily initiate them?
ISSUE-161: Do we need a tracking status value for partial compliance?
ISSUE-164: To what extent should the "same-party" attribute of tracking status resource be required
ISSUE-168: What is the correct way for sub-services to signal that they are taking advantage of a transferred exception?
ISSUE-195: Flows and signals for handling "potential" out of band consent
ISSUE-197: How do we notify the user why a Disregard signal is received?

Version: GnuPG v1.4.13 (MingW32)
Comment: Using gpg4o v3.1.107.3564 -
Charset: utf-8


Received on Wednesday, 4 December 2013 17:01:47 UTC