Re: Change proposal: new general principle for permitted uses

On Wednesday 24 July 2013 17:59:33 Shane Wiley wrote:
> I believe the TPE UGE is a valid mechanism/approach but the underlying
> issue here is more significant. 

Thanks for the flowers. I was arguing this all along. Please help me and 
tell the browsers that you'll use UGE, because otherwise, they won't 
implement. 

> When the working group first came
> together, we had a key discussion about opt-in vs. opt-out. 

I think we had a large misunderstanding. I never accepted the opt-in vs 
opt-out paradigm you're depicting. If  you have a control in the 
browser, you have a control in the browser. A "control" is a switch. We 
all agreed that the switch should be should be on "0". 

> We
> unanimously agreed that an opt-out paradigm was more appropriate and
> adopted the requirement that users must explicitly activate the DNT
> signal.  

This is not the question because we agreed already on this. The question 
is rather how to identify the bad actors that set DNT:1 without user 
interaction and a ticket box in a visible install procedure is still 
rather harmless. 

> 
> The technical reality that its far too easy to activate a DNT signal
> outside of user action and there are few options to correct this
> behavior is undermining our agreed up position. 

You mean there is too much intelligence in the network happening. One of 
the core IETF principles I learned some time ago is to keep the network 
neutral and have the ends being intelligent. 

> Any application or
> network device that has access to modify the page request header is
> incentivized to add the bare minimum ~13 lines of code as a "privacy
> friendly" product feature so they can list this among the benefits of
> their product without truly supporting the entire standard (default
> on - of course).  

If you have a better suggestion than testing for UGE (which will not be 
feasible in 30 lines of code), abandon DNT or return to P3P, I'm all 
ears. The problem of high value of "privacy friendly" tools in the 
market place did not come over night. There is a reason. Fending off may 
cure the symptoms for a moment, but is not removing the reasons. 

> This comes with no risk of enforcement in requiring
> that product change its approach to come into compliance with the W3C
> DNT standard. 

You see a red traffic light, you can't see whether there is some weirdo 
with a tele-command operating that traffic-light. But you have a valid 
test without user interaction. So your statement above is wrong if you 
accept UGE as a test. 

> Where does this leave us?  No way to confirm (outside
> of interruption) if a user has truly activated any DNT signal
> anywhere.

wrong, you have UGE without user interaction. You can test whether a 
client supports UGE without setting it and without needing user 
interaction. Sites can load 451 images for one page to get all the 
trackers on. And they can't make one! javascript call? Ok, you lose 
people like me who are surfing with javascript turned off. Dam it, I 
will have to live with you ignoring my DNT header... :) 

> 
> So we have several choices:
> 
> - Correct the technical implementation such that we lock down that
> ability for other parties to inject an invalid signal
> (certs/signatures?) 

I would favor that! Definitely. Especially as this would solve some of 
the security problems of the Web on its way. 

> - Move to a de-identification approach (data
> hygiene) and pair AdChoices w/ DNT to cover all possible uses (part
> of the industry proposal although admittedly assembled in haste and
> not as clear as it needed to be) 

You mean abandon DNT. But what else to do? Arms race? P3P? Cookies + 
implied consent with banners like UK? DAA opt-out? The fact that there 
is too much opt out and the fact that we can't determine whether we want 
all that opt-out is not a reason to stretch the semantics of the word 
"identified" and "de-identified" and to mainly disregard the browser 
control to only follow a cookie based opt out. Then we simply need no 
DNT. But the weaknesses of the cookie based opt-outs were such that 
people wanted to make DNT. Ok, take TPE and glue arbitrary rules to it. 
This will mean everybody is now entitled to stretch semantics. Already 
in the midterm, there will be so many differing semantics for the DNT 
signal that the entire thing becomes meaningless. Again, we can spare a 
lot of time and effort of getting there by going public with saying: 
Privacy doesn't work, get away with it. But I don't know if the public 
wants to hear that message. 

> - Flip on the original agreement
> within the working group and move to a de-facto opt-in world across
> the board (we've seen how well that played out in the EU)

Implied consent will die, sooner or later. This is a pyrrhic victory. 
Ok, you can wait until then to act again. My vision is a bit more long 
term. In the UK, you have de-facto not even an opt-out anymore as either 
you use the site (with all tracking) or you go elsewhere. This is just 
one step towards the arms race. If most companies believe we are better 
off with an arms race between trackers and browsers, much of DNT will 
lose its reason to be. 
> 
> It appears the W3C Staff/Swire Proposal clearly supported the 3rd
> option as I know that group understands the underlying tech issue
> here.
"It appears" is a careful wording. 

1/ I don't see this assertion being supported by the June Draft. I would 
like to get the words you're deriving that from. I don't think the June 
Draft is allowing for implied consent. Or what did you mean with 
original agreement? The only agreement that counts at the end of the day 
is if we get consensus on a Recommendation. Note that I acknowledge the 
pain points you mention and nothing in my email is construed to question 
your belief in "original agreements". Everybody in the Group wants the 
"user decision" and we found a good way to avoid the "DNT-routers". 

2/ You argue for a self fulfilling prophecy by excluding UGE testing 
from your three options. But you ack UGE testing in the beginning of 
your email. This gives me a logic that I can't parse. 

 --Rigo

Received on Wednesday, 24 July 2013 20:43:10 UTC