W3C home > Mailing lists > Public > public-tracking@w3.org > July 2013

RE: ISSUE-151 Re: Change proposal: new general principle for permitted uses

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Sat, 27 Jul 2013 10:47:37 +0100
To: "'Chris Mejia'" <chris.mejia@iab.net>, "'Rigo Wenning'" <rigo@w3.org>, "'Shane Wiley'" <wileys@yahoo-inc.com>
Cc: <public-tracking@w3.org>, <rob@blaeu.com>
Message-ID: <00bb01ce8aae$54b31c50$fe1954f0$@baycloud.com>
Chris,

Even in the unlikely event of the W3C taking on this role (of UA vetting
registrar) it would not solve the verifiable DNT problem. DNT could be still
set by routers, drivers, proxies, browser extensions etc. and the
third-party advertiser would not detect that.

If the problem is making sure that the user has been properly
informed/canvassed the solution may lie with the UGE mechanism. Publishers
need advertising revenue so they will want script to call the UGE API. If
that finds the API is not supported or that it reports a different value for
DNT from the header signal we could give them a way to report that so their
third-parties can take appropriate action.

The reporting could be via cross-domain messaging but that would need JS to
receive it, and difficult to verify.  Maybe this is yet another suitable
case for transparent DNT override using a cookie with a well-known name (and
site-specific cloning of cookies to third-parties).

To recap, what I suggested was a particularly named cookie e.g. W3CTP=X
which would always override the value of DNT. If it is placed (in set-cookie
or document.cookies) it is cloned to site-specific third-parties qualified
by the domain cookie attribute.

It would signal consent (W3CTP=C=1) or its absence (W3CTP=C=0) . If it was
not there DNT would rule. If DNT was not there local law would prevail. The
UA could use it to revoke OOBC in the same UI as DNT UGE.

This gives a solution for EU ePrivacy, COPPA signalling, transparent OOBC
and illicit DNT detection (W3CTP=DNT=I) It has built-in support for sunset
revocation using the expires attribute and  also allows third-parties to
transparently signal OOB consent without JS or needing to rely on the
first-party (this last may be contentious).

Mike




-----Original Message-----
From: Chris Mejia [mailto:chris.mejia@iab.net] 
Sent: 26 July 2013 22:41
To: Rigo Wenning; Shane Wiley
Cc: public-tracking@w3.org
Subject: Re: ISSUE-151 Re: Change proposal: new general principle for
permitted uses

Rigo, you stated: "If W3C would stop having a process and discussions about
a process and either throw out the industry, the consumer or the privacy
experts, respectively, we could advance within weeks."

I hope you are not suggesting that the way to reach consensus is to simply
kick out your paying members and invited experts, then do the work on your
own?  That doesn't sound right to me...  Working group members, in both
camps, have brought valid concerns around process and are seeking clarity
and accountability from the co-chairs and staff-- I don't think it's
constructive to effectively respond with "put up or shut up" (I'm
paraphrasing, of course, but that's what I took from your reply to Shane).

Shane wrote: "DNT can be set easily by any technology with access to the
page request header outside of user control" and you responded "...your
assertion is just wrong."

Shane is actually right, the DNT header CAN be easily set by any tech with
access to the page request header, outside of user control (e.g. private or
corporate routers can do this) -- it IS a valid technical concern that we
currently have no way to validate how DNT was set-- whether it was an
informed user choice or not.  Check it out with any tech expert, Shane is
right.  Until this is solved, it's virtually impossible to distinguish true
signals through the noise of bad signals, and that's a problem for DNT.

Shane wrote: "we'll likely have a high percentage of DNT=1 traffic on the
internet" and you responded "Does that mean you fear that the opt-out system
could actually work?"

Please define "could actually work".  If you mean high DNT rates = works,
then your prejudice is clear.  In this case, I guess you'd argue that low
DNT rates = broken.  What if only individual human users could enable DNT
based on sound education regarding it's enablement, and they decided not to.
Would that define a broken state/mechanism to you, simply because people
chose not to send DNT?  Or would you say those are broken users?  I for one
advocate for USER EDUCATION and INDIVIDUAL USER CHOICE-- don't you?  Btw,
per the rest of your argument, there is absolutely nothing today stoping
German publishers from "opting-back-in" users who employ ad blockers;
likewise, there is absolutely nothing preventing the same publishers from
only serving their content to those users who do not use ad blockers.  DNT
doesn't solve this problem, so let's not conflate issues.

Your wrote "the issue is the unrest in the marketplace."

I don't see any evidence of widespread "unrest" in the marketplace; quite
the contrary, as evidenced by growing web statistics.  Take online
purchasing as an indicator of market health; the year over year growth of
online purchasing is staggering-- I don't believe anyone will argue
otherwise.  So, if there were so much "unrest" in the online marketplace as
you propose, would you expect that consumers would still choose to make
their purchases more and more online?  I wouldn't-- it's not logical.  Our
industry has invested heavily in brokering trust with our users and this is
clearly evidenced in the numbers-- we don't need DNT to "fix"
anything-- broadly speaking, user trust already exists despite your best
efforts to convince the marketplace otherwise.  Now of course there are some
individuals (a relatively small number, comparatively speaking) that don't
trust.  Our industry, and browsers alike, have gladly provided those
INDIVIDUAL USERS the mechanism to opt out-- no problem, we respect an
INDIVIDUAL's right to CHOOSE.

Shane wrote "This means sites will need to ask users if they set the DNT
signal and/or ask for a UGE for a large majority of visitors" and you
responded "You don't. You just test the user agent... And you need a lawyer
to tell you what to do? Come on!"

You may be on to something here Rigo.  If the W3C TPWG can not come up with
a real technical solution to this problem (something that works in
real-time, on a 100% of server calls), I propose that the W3C take on the
infrastructure and costs associated with providing a "DNT user agent vetting
registry service".  The TPWG can set requirements for user agents, then YOU
(W3C) test the user agents, posting the results to a globally accessible
registry.  Companies can then poll this registry (daily) for updates, and
will only honor DNT when it's been determined that a user agent has met the
required criteria for setting DNT: an informed user choice.  User agents
that want to send DNT should apply for certification from the W3C, and if
they meet the requirements, be added to the registry.
 In providing this service, you should agree to an industry & consumer
advocate oversight committee to monitor your work, as well as regular
independent 3rd party audit/accreditation of your service (may I suggest
MRC-- they are good at this).  Easy, right?  And you need a technologist to
tell you what to do? Come on :)

Shane wrote "This is an "opt-in" paradigm - which we agreed in the beginning
was inappropriate (DNT=<null>, user makes an explicit choice)"
and you responded "Who is responsible for DNT:1 spitting routers? W3C?"

Yes, W3C is responsible, it's your spec.  See "DNT user agent vetting
registry service" (above) for next steps on cleaning up the marketplace mess
that's been created.

You wrote "If you can't distinguish between a browser and a router, I wonder
about the quality of all that tracking anyway."

Rigo, this is why you are a lawyer, and not a technologist. Technically
speaking, we are not talking about distinguishing between browsers and
routers, we are are talking about distinguishing between validly set DNT
signals and ones that aren't.  You'd need to understand how HTTP header
injection works to fully appreciate the technical problem. The best
technologists on both sides of this debate have not been able to reconcile
this issue. Neither have the lawyers.

You wrote "I do not believe, given the dynamics of the Web and the Internet,
that we can predict the percentage of DNT headers for the next 3 years; let
alone the percentage of valid DNT headers."

True, no one has working crystal ball technology that I'm aware of, but we
do know that despite there being no agreed upon specification in the
marketplace, user agents are sending DNT header signals today.  No matter
how many signals are sent, if you want DNT signals to be meaningful to
users, industry adoption is key.  Please stop asserting that our technical
and business concerns are trivial or ill informed-- they are not.  Most of
your replies below are not helping us get closer to a workable DNT
solution-- you are only further exacerbating our concerns.

Chris 




On 7/25/13 12:40 AM, "Rigo Wenning" <rigo@w3.org> wrote:

>On Thursday 25 July 2013 04:39:35 Shane Wiley wrote:
>> Rigo,
>> 
>> I feel like we're talking past one another.
>
>We are not. The DAA tells the world that "the World Wide Consortium 
>sputters and spits trying to negotiate a Do Not Track standard to 
>protect consumer privacy online, the digital advertising business is 
>forging ahead with expanding its self-regulation program to mobile 
>devices."
>http://www.adweek.com/news/technology/ad-industry-expands-privacy-self-
>reg
>ulation-mobile-151386
>
>This is unfair. If W3C would stop having a process and discussions 
>about a process and either throw out the industry, the consumer or the 
>privacy experts, respectively, we could advance within weeks. No more 
>sputters and spits.
>
>> 
>> 1.  DNT can be set easily by any technology with access to the page 
>> request header outside of user control
>
>The french call that "dialogue de sourds", the dialog of the deaf. If 
>you can test the presence of an UGE mechanism, your assertion is just 
>wrong. Repeating it doesn't make it become true.
>
>> 2.  This means we'll likely
>> have a high percentage of DNT=1 traffic on the internet (some say as 
>> high as 80%)
>
>Does that mean you fear that the opt-out system could actually work? 
>And that you are deeply concerned that users could opt-back in? If we 
>stall, you can time-travel into the next 5 years and talk to the people 
>from German IT-publisher Heise: They lost large parts of their revenue 
>due to blocking tools. It will be 80% of blocking tools instead of
DNT-Headers.
>They would LOVE to have a way to opt their audience back in. IMHO, if 
>the industry ignores the golden bridge of DNT, they will have to cross 
>the rocky valley a few years later. As I said, the issue is the unrest 
>in the marketplace, that people will buy whatever promises them more 
>privacy, even a DNT-spitting router. To your point: you may see 80% of
>DNT:1 headers, but how many of them will be valid according to the W3C 
>Specifications?
>
>> 3.  This means sites will need to ask users if they set the DNT 
>> signal and/or ask for a UGE for a large majority of visitors
>
>As I explained: You don't. You just test the user agent. We both know 
>that DNT has two technological enemies: 1/ Cookies + implied consent 
>and 2/ DNT:1 spitting routers and dumb extensions. Now the united 
>internet expertise in this group can't distinguish between those and a 
>valid browser? And you need a lawyer to tell you what to do? Come on!
>
>> 4.  This is an "opt-in" paradigm - which we agreed in the beginning 
>> was inappropriate (DNT=<null>, user makes an explicit choice)
>
>Who is responsible for DNT:1 spitting routers? W3C? Is this conformant 
>to the current state of our specifications? Nobody in this group wants
>DNT:1 spitting routers. That's why we have ISSUE-151.
>> 
>> To adopt DNT under the Swire/W3C Staff Proposal (aka June Draft), 
>> industry would be agreeing to shift to an opt-in model vs. agreeing 
>> to support a more hardened opt-out choice for users that is stored in 
>> the web browser safely away from cookie clearing activities (which 
>> remove opt-out cookies today unless the user has installed an opt-out 
>> preservation tool).  This is a significant shift and will not likely 
>> be supported by industry.  Hence the reason we're pushing back so 
>> hard on the current situation.
>
>Your assertion of an opt-in model is a myth and a perceived danger, not 
>a real shift in the Specification. The routers are shifting, not the 
>Specification. This is just the first sign of market unrest. If you 
>can't distinguish between a browser and a router, I wonder about the 
>quality of all that tracking anyway. Are we discussing giant dumps of 
>rubbish quality data? If so, consumers and privacy experts may relax a 
>bit. For the moment, they assume that you can do profiles and things 
>and distinguish between users and their devices etc.
>> 
>> I believe I'm being as fair, open, and honest about the core issue.
>
>And I do not question that. We even agree that there is an issue. And 
>we have a number for that issue. I tell you that your conclusions and 
>suggestions will lead to a totally nullified DNT, not worth our time.
>And I encourage you to consider a reasonable solution to the problem, 
>not a short-circuiting of the system with an industry-opt-out behind.
>
>> Hopefully we can work together to look for solutions to this 
>> unfortunate outcome (unfortunate for industry as I can imagine some 
>> on the advocate side would be very happy with an opt-in world).
>
>Again, opt-in/out is a myth. DNT installs a control, a switch. This is 
>much more than opt-in/out. BTW, I do not believe, given the dynamics of 
>the Web and the Internet, that we can predict the percentage of DNT 
>headers for the next 3 years; let alone the percentage of valid DNT 
>headers.
>
>Finally, the only ways a company can be forced to honor a DNT:1 header
>is: 
>1/ By our feedback making a promise it does 2/ By a self-regulation 
>like DAA or Truste or Europrise 3/ By law
>
>I would be totally surprised by a law that would force you to accept 
>"any" DNT:1 header.
>
>So lets work on distinguishing the good from the bad headers. We had 
>very good discussions in Sunnyvale with the browser makers. They are 
>also interested in a solution. There must be a way.
>
> --Rigo
>
>
Received on Saturday, 27 July 2013 09:48:08 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:17 UTC