Re: ISSUE-151 Re: Change proposal: new general principle for permitted uses

Peter,

There is no agreement that the default setting for DNT = 0.  In fact, I
believe most TPWG folks have agreed that default should = unset.
Additionally, I have not seen a browser company or other UA offer DNT = 0
as a choice for users.  There is no agreed upon DNT specification today,
so let's not make assumptions about what we *think* (or hope) the spec
will be in the end-- it's been a moving target all along. Furthermore, I
have never agreed (in the 1.5-years that I have been intimately involved
with this TPWG) that 3rd parties should be responsible for "policing" the
validity of the DNT settings via user agents, rogue or otherwise. I've
pointed out all along, that false signals are the Achilles heel to DNT,
and until that problem is solved, DNT will likely remain a (practically
speaking) meaningless signal.

I cannot speak for DAA, nor do I believe DAA as an organization made that
proposal.  However, my read of the industry consensus proposal you cited
below is that it represents what companies would be willing to do for DNT
users, despite uncertainty around the validity of how DNT signals are set
(in other words, it's what they can agree to do, working in the constraint
that the signal is polluted-- and still significant costs are borne with
the enablement of that proposal).  And hey, I don't think it's
particularly productive to shoot down well intentioned efforts to save
DNT-- to make it meaningful to users in the context of reality.

All of the issues you cited around the draft DNT spec seem valid-- so why
again should 3rd parties be responsible for sorting out a confusing and
faulty spec and bearing the costs of testing it every time they see a new
UA sending the signal?  Why should 3rd parties, the mom & pop websites
they represent, and the users who will be adversely affected by rising
costs (and diminishing content) of sorting this all out on the back end,
be responsible for a well intentioned, but ill-conceived specification?

Perhaps I wasn't clear before: I'm personally for a reasonable and
workable DNT spec, based on individual user choice. I wouldn't have spent
1.5-years working on this to see it go nowhere-- in fact, I only agreed to
work on this for industry, in good faith of finding a workable solution.
Please don't read anything else into my comments to Rigo in this thread.
My response to him was, the solution needs to be REASONABLE, WORKABLE, and
based on INFORMED USER CHOICE.  Of course, if we can't agree to being
reasonable, the spec isn't workable, and it's not based on informed user
choice, then I believe it's faulty. If that ends up being the case in the
end, it will likely fail, but not because of me.

You also must have missed the part where I encouraged W3C to test user
agents in order to validate the setting of DNT signals.  Serious proposal.
 Why not?

Regarding user granted exceptions (UGEs), my personal opinion is that they
represent a biased mechanism that primarily benefits big name parties over
relatively unknown smaller entities.  Users who know (and trust) the big
known players are much more likely to grant those big players exceptions
for their work in the 3rd party context.  But what about the relatively
unknown 3rd party ad networks that monetize thousands of smaller web
publishers through audience aggregation across unaffiliated sites, in an
effort to compete with the big known players-- all in honest fashion?  If
you don't understand the competition issue this creates, ping me offline
and I'll be happy to go into more detail. But I don't think this is an
equitable solution.

Finally, it pains me that people believe privacy should be a "competitive
differentiator".  It's not. Providing reasonable privacy safeguards is
something we do for all users (today), simply because it's the right thing
to do.  If a company is "competing on privacy," God help them-- no one
browses the web looking for privacy solutions-- the vast majority of
people browsing the web are looking for quality content on the Web--
content is how publishers compete.  Despite this market reality, we
provide reasonable and effective privacy protections, again, because it's
just the right thing to do for our users-- and because we are good
corporate citizens.  We also provide reasonable security and fraud
protection to users, not because we "compete" on these tenets, but
because it's the right thing to do.  If you think I'm wrong about user
desires, go look for the words "V-chip" on television set ads today.  And
don't get me wrong, privacy is important, very important-- and that's why
I want a good DNT spec.

Chris




On 7/26/13 3:11 PM, "Peter Cranstone" <peter.cranstone@3pmobile.com> wrote:

>Chris,
>
>You may be jumping the gun just a touch here. The default setting for DNT
>is '0'. The implication is that if it is turned on that a user must have
>done it, and that's what you have to go with until you can get an
>exception. You've had that in front of you for over 2 years now. It's
>hardly the time to say that we didn't understand it - when it's the core
>design you've all been discussing for so long. Sure there are hacks - but
>for 95% of the population they wouldn't know how to pull those off.
>
>Secondly as I watch the DAA come up with their approach to
>http://news.cnet.com/8301-1023_3-57595191-93/do-not-track-opt-out-icon-coming-to-mobile-browsers/
>I have to shake my head. Exactly how does the DAA
>expect to validate in 100% of the cases that the user clicked on the icon?
>I actually tried it on my desktop browser. First of all I had to enable
>3rd party cookies and then it found 155 people tracking me which after I
>opted out resulted in a technical failure where it could not update the
>database. Result was consumer frustration and a distinct lack of trust
>with advertisers. Secondly they expect to release a mobile version next
>year. Great - exactly how do they expect to plug in to a mobile browser
>when no one else can. Secondly, if I set the app to send a DNT signal how
>will you know if I did it or I installed an app in front of the outgoing
>request to add a DNT signal.
>
>Rarely do I find myself agreeing with Rigo - but in this case I do. The
>only approach that is workable is a standard, otherwise there will be a
>fragmented marketplace with confusion and lack of trust. DNT is not going
>back in the box. It's shipped and with today's announcement by Pinterest
>http://bits.blogs.nytimes.com/2013/07/26/pinterest-allows-users-to-opt-out-of-being-tracked/
>the content providers are climbing on board.
>
>Privacy is going to be a competitive differentiator going forward and
>everyone is now supporting DNT as a very simple Opt-Out mechanism. The UGE
>is critical as it will allow users to build a more trusted relationship
>with content providers based on access to their data. Currently there are
>probably half a billion browsers that support DNT and just Mozilla users
>send over 4 trillion signals a month (currently not being heard).
>
>I'd say it's a foregone conclusion that DNT is here to stay. Because as
>Aleecia says - you're not going to like the alternative which in itself
>will also require a technology solution. Right now the DAA's approach only
>has 2 million users and is basically still in alpha. It will be tough to
>gain much momentum when all the browser OEMs are already supporting a
>competing approach.
>
>But you never know.
>
>
>
>
>Peter
>
>
>
>On 7/26/13 3:40 PM, "Chris Mejia" <chris.mejia@iab.net> wrote:
>
>>Rigo, you stated: "If W3C would stop having a process and discussions
>>about a process and either throw out the industry, the consumer or the
>>privacy experts, respectively, we could advance within weeks."
>>
>>I hope you are not suggesting that the way to reach consensus is to
>>simply kick out your paying members and invited experts, then do the
>>work on your own?  That doesn't sound right to me...  Working group
>>members, in both
>>camps, have brought valid concerns around process and are seeking clarity
>>and accountability from the co-chairs and staff-- I don't think it's
>>constructive to effectively respond with "put up or shut up" (I'm
>>paraphrasing, of course, but that's what I took from your reply to
>>Shane).
>>
>>Shane wrote: "DNT can be set easily by any technology with access to the
>>page request header outside of user control" and you responded "...your
>>assertion is just wrong."
>>
>>Shane is actually right, the DNT header CAN be easily set by any tech
>>with access to the page request header, outside of user control (e.g. private
>>or corporate routers can do this) -- it IS a valid technical concern that
>>we currently have no way to validate how DNT was set-- whether it was an
>>informed user choice or not.  Check it out with any tech expert, Shane is
>>right.  Until this is solved, it's virtually impossible to distinguish
>>true signals through the noise of bad signals, and that's a problem for
>>DNT.
>>
>>Shane wrote: "we'll likely have a high percentage of DNT=1 traffic on the
>>internet" and you responded "Does that mean you fear that the opt-out
>>system could actually work?"
>>
>>Please define "could actually work".  If you mean high DNT rates = works,
>>then your prejudice is clear.  In this case, I guess you'd argue that low
>>DNT rates = broken.  What if only individual human users could enable DNT
>>based on sound education regarding its enablement, and they decided not
>>to.  Would that define a broken state/mechanism to you, simply because
>>people chose not to send DNT?  Or would you say those are broken users?
>>I for one advocate for USER EDUCATION and INDIVIDUAL USER CHOICE-- don't
>>you?  Btw, per the rest of your argument, there is absolutely nothing
>>today stopping German publishers from "opting-back-in" users who employ ad
>>blockers; likewise, there is absolutely nothing preventing the same
>>publishers from only serving their content to those users who do not use
>>ad blockers.  DNT doesn't solve this problem, so let's not conflate
>>issues.
>>
>>You wrote "the issue is the unrest in the marketplace."
>>
>>I don't see any evidence of widespread "unrest" in the marketplace; quite
>>the contrary, as evidenced by growing web statistics.  Take online
>>purchasing as an indicator of market health; the year over year growth of
>>online purchasing is staggering-- I don't believe anyone will argue
>>otherwise.  So, if there were so much "unrest" in the online marketplace
>>as you propose, would you expect that consumers would still choose to
>>make their purchases more and more online?  I wouldn't-- it's not
>>logical.  Our industry has invested heavily in brokering trust with our
>>users and this
>>is clearly evidenced in the numbers-- we don't need DNT to "fix"
>>anything-- broadly speaking, user trust already exists despite your best
>>efforts to convince the marketplace otherwise.  Now of course there are
>>some individuals (a relatively small number, comparatively speaking) that
>>don't trust.  Our industry, and browsers alike, have gladly provided
>>those INDIVIDUAL USERS the mechanism to opt out-- no problem, we respect
>>an INDIVIDUAL's right to CHOOSE.
>>
>>Shane wrote "This means sites will need to ask users if they set the DNT
>>signal and/or ask for a UGE for a large majority of visitors" and you
>>responded "You don't. You just test the user agent... And you need a
>>lawyer to tell you what to do? Come on!"
>>
>>You may be on to something here Rigo.  If the W3C TPWG can not come up
>>with a real technical solution to this problem (something that works in
>>real-time, on 100% of server calls), I propose that the W3C take on the
>>infrastructure and costs associated with providing a "DNT user agent
>>vetting registry service".  The TPWG can set requirements for user
>>agents, then YOU (W3C) test the user agents, posting the results to a
>>globally accessible registry.  Companies can then poll this registry
>>(daily) for updates, and will only honor DNT when it's been determined
>>that a user agent has met the required criteria for setting DNT: an
>>informed user choice.  User agents that want to send DNT should apply
>>for certification from the W3C, and if they meet the requirements, be
>>added to the registry.
>>In providing this service, you should agree to an industry & consumer
>>advocate oversight committee to monitor your work, as well as regular
>>independent 3rd party audit/accreditation of your service (may I suggest
>>MRC-- they are good at this).  Easy, right?  And you need a technologist
>>to tell you what to do? Come on :)
>>
>>Shane wrote "This is an "opt-in" paradigm - which we agreed in the
>>beginning was inappropriate (DNT=<null>, user makes an explicit choice)"
>>and you responded "Who is responsible for DNT:1 spitting routers? W3C?"
>>
>>Yes, W3C is responsible, it's your spec.  See "DNT user agent vetting
>>registry service" (above) for next steps on cleaning up the marketplace
>>mess that's been created.
>>
>>You wrote "If you can't distinguish between a browser and a router, I
>>wonder about the quality of all that tracking anyway."
>>
>>Rigo, this is why you are a lawyer, and not a technologist. Technically
>>speaking, we are not talking about distinguishing between browsers and
>>routers, we are talking about distinguishing between validly set DNT
>>signals and ones that aren't.  You'd need to understand how HTTP header
>>injection works to fully appreciate the technical problem. The best
>>technologists on both sides of this debate have not been able to
>>reconcile this issue. Neither have the lawyers.
>>
>>You wrote "I do not believe, given the dynamics of the Web and the
>>Internet, that we can predict the percentage of DNT headers for the next
>>3 years; let alone the percentage of valid DNT headers."
>>
>>True, no one has working crystal ball technology that I'm aware of, but
>>we do know that despite there being no agreed upon specification in the
>>marketplace, user agents are sending DNT header signals today.  No
>>matter how many signals are sent, if you want DNT signals to be
>>meaningful to users, industry adoption is key.  Please stop asserting
>>that our technical and business concerns are trivial or ill informed--
>>they are not.  Most of your replies below are not helping us get closer
>>to a workable DNT solution-- you are only further exacerbating our
>>concerns.
>>
>>Chris 
>>
>>
>>
>>
>>On 7/25/13 12:40 AM, "Rigo Wenning" <rigo@w3.org> wrote:
>>
>>>On Thursday 25 July 2013 04:39:35 Shane Wiley wrote:
>>>> Rigo,
>>>> 
>>>> I feel like we're talking past one another.
>>>
>>>We are not. The DAA tells the world that "the World Wide Consortium
>>>sputters and spits trying to negotiate a Do Not Track standard to
>>>protect consumer privacy online, the digital advertising business is
>>>forging ahead with expanding its self-regulation program to mobile
>>>devices."
>>>http://www.adweek.com/news/technology/ad-industry-expands-privacy-self-regulation-mobile-151386
>>>
>>>This is unfair. If W3C would stop having a process and discussions about
>>>a process and either throw out the industry, the consumer or the privacy
>>>experts, respectively, we could advance within weeks. No more sputters
>>>and spits. 
>>>
>>>> 
>>>> 1.  DNT can be set easily by any technology with access to the page
>>>> request header outside of user control
>>>
>>>The French call that "dialogue de sourds", the dialog of the deaf. If
>>>you can test the presence of an UGE mechanism, your assertion is just
>>>wrong. Repeating it doesn't make it become true.
>>>
>>>> 2.  This means we'll likely
>>>> have a high percentage of DNT=1 traffic on the internet (some say as
>>>> high as 80%) 
>>>
>>>Does that mean you fear that the opt-out system could actually work? And
>>>that you are deeply concerned that users could opt-back in? If we stall,
>>>you can time-travel into the next 5 years and talk to the people from
>>>German IT-publisher Heise: They lost large parts of their revenue due to
>>>blocking tools. It will be 80% of blocking tools instead of DNT-Headers.
>>>They would LOVE to have a way to opt their audience back in. IMHO, if
>>>the industry ignores the golden bridge of DNT, they will have to cross
>>>the rocky valley a few years later. As I said, the issue is the unrest
>>>in the marketplace, that people will buy whatever promises them more
>>>privacy, even a DNT-spitting router. To your point: you may see 80% of
>>>DNT:1 headers, but how many of them will be valid according to the W3C
>>>Specifications?
>>>
>>>> 3.  This means sites will need to ask users if they set
>>>> the DNT signal and/or ask for a UGE for a large majority of visitors
>>>
>>>As I explained: You don't. You just test the user agent. We both know
>>>that DNT has two technological enemies: 1/ Cookies + implied consent and
>>>2/ DNT:1 spitting routers and dumb extensions. Now the united internet
>>>expertise in this group can't distinguish between those and a valid
>>>browser? And you need a lawyer to tell you what to do? Come on!
>>>
>>>> 4.  This is an "opt-in" paradigm - which we agreed in the beginning
>>>> was inappropriate (DNT=<null>, user makes an explicit choice)
>>>
>>>Who is responsible for DNT:1 spitting routers? W3C? Is this conformant
>>>to the current state of our specifications? Nobody in this group wants
>>>DNT:1 spitting routers. That's why we have ISSUE-151.
>>>> 
>>>> To adopt DNT under the Swire/W3C Staff Proposal (aka June Draft),
>>>> industry would be agreeing to shift to an opt-in model vs. agreeing
>>>> to support a more hardened opt-out choice for users that is stored in
>>>> the web browser safely away from cookie clearing activities (which
>>>> remove opt-out cookies today unless the user has installed an opt-out
>>>> preservation tool).  This is a significant shift and will not likely
>>>> be supported by industry.  Hence the reason we're pushing back so
>>>> hard on the current situation.
>>>
>>>Your assertion of an opt-in model is a myth and a perceived danger, not
>>>a real shift in the Specification. The routers are shifting, not the
>>>Specification. This is just the first sign of market unrest. If you
>>>can't distinguish between a browser and a router, I wonder about the
>>>quality of all that tracking anyway. Are we discussing giant dumps of
>>>rubbish quality data? If so, consumers and privacy experts may relax a
>>>bit. For the moment, they assume that you can do profiles and things and
>>>distinguish between users and their devices etc.
>>>> 
>>>> I believe I'm being as fair, open, and honest about the core issue.
>>>
>>>And I do not question that. We even agree that there is an issue. And we
>>>have a number for that issue. I tell you that your conclusions and
>>>suggestions will lead to a totally nullified DNT, not worth our time.
>>>And I encourage you to consider a reasonable solution to the problem,
>>>not a short-circuiting of the system with an industry-opt-out behind.
>>>
>>>> Hopefully we can work together to look for solutions to this
>>>> unfortunate outcome (unfortunate for industry as I can imagine some
>>>> on the advocate side would be very happy with an opt-in world).
>>>
>>>Again, opt-in/out is a myth. DNT installs a control, a switch. This is
>>>much more than opt-in/out. BTW, I do not believe, given the dynamics of
>>>the Web and the Internet, that we can predict the percentage of DNT
>>>headers for the next 3 years; let alone the percentage of valid DNT
>>>headers. 
>>>
>>>Finally, the only ways a company can be forced to honor a DNT:1 header
>>>is: 
>>>1/ By our feedback making a promise it does
>>>2/ By a self-regulation like DAA or Truste or Europrise
>>>3/ By law
>>>
>>>I would be totally surprised by a law that would force you to accept
>>>"any" DNT:1 header.
>>>
>>>So let's work on distinguishing the good from the bad headers. We had
>>>very good discussions in Sunnyvale with the browser makers. They are
>>>also interested in a solution. There must be a way.
>>>
>>> --Rigo
>>>
>>>
>>
>>
>

Received on Friday, 26 July 2013 23:24:33 UTC