Re: ISSUE-151 Re: Change proposal: new general principle for permitted uses

Peter, see my last email to you on this thread.  Let's understand your
particular motivations here.




On 7/27/13 11:31 AM, "Peter Cranstone" <peter.cranstone@3pmobile.com>
wrote:

>Chris,
>
>There is no need for a UA accreditation registry. There are 5 major
>browsers:
>
>1. I.E./Mobile
>2. Chrome/Mobile
>3. Firefox/Mobile
>4. Safari/Mobile
>5. Opera/Mobile
>
>All support DNT:1 - all come with DNT disabled. All are shipping in the
>marketplace right now. There's nothing to check - if you support DNT and
>see a signal then it must be valid. If you don't believe it then you
>should generate a request for a UGE. Currently that's only supported in
>I.E. 11
>
>The only other possible approach that people might be considering is
>probably the 'Evidon/MobileScope to Power Data Control and Performance for
>Mobile Apps' idea. One of the developers is Ashkan Soltani - FTC tech
>advisor, Wall Street Journal consultant, and one of the original
>architects of DNT.
>
>I cannot see the Browser OEMs going with that idea as basically it's
>nothing more than a VPN which runs all your data through the Evidon
>servers (No way the Search engines are going to support that). Of course
>if they add the DNT signal there then they're also in violation of the spec.
>The other problem with VPNs and mobile is the config. You need one for
>wifi and then another for cellular and good luck getting that working on
>Android or Windows Mobile. No consumer is going to configure all of that
>'stuff'.
>
>The reason that DNT is here to stay in its current format is for the
>following reasons:
>
>1. It's simple - just check a box. Joe & Jane Consumer can do that
>2. Every browser already supports it - in essence it's already the DEFACTO
>standard
>3. It's been distributed to over 1/2 a billion devices. By the end of next
>year it will be close to 1.5 billion
>
>In short it has momentum, the consumer understands it and it's simple. And
>that's why it's already a standard - https://dnt-dashboard.mozilla.org
>and that's just one browser.
>
>
>
>
>Peter
>
>
>
>
>On 7/27/13 11:49 AM, "Chris Mejia" <chris.mejia@iab.net> wrote:
>
>>Mike,
>>
>>Thanks for your thoughtful reply-- I appreciate that you are trying to
>>solve the problem.  I'll certainly look into the method you describe, but
>>I'm afraid the overhead (page load time, ad load time) may be
>>prohibitive;
>>it's something we'd need to check/test at the very least.  Whatever we
>>propose should not degrade consumer experience.  Have you tested this?
>>
>>I'd also like for the TPWG to explore my idea of DNT UA accreditation and
>>registry; granted it may not solve all problems, but I think it would
>>certainly narrow the scope of issues.  If DNT is so important to the
>>marketplace, why not ensure its success.
>>
>>Chris
>>
>>
>>
>>
>>On 7/27/13 2:47 AM, "Mike O'Neill" <michael.oneill@baycloud.com> wrote:
>>
>>>Chris,
>>>
>>>Even in the unlikely event of the W3C taking on this role (of UA vetting
>>>registrar) it would not solve the verifiable DNT problem. DNT could be
>>>still
>>>set by routers, drivers, proxies, browser extensions etc. and the
>>>third-party advertiser would not detect that.
>>>
>>>If the problem is making sure that the user has been properly
>>>informed/canvassed the solution may lie with the UGE mechanism.
>>>Publishers
>>>need advertising revenue so they will want script to call the UGE API.
>>>If
>>>that finds the API is not supported or that it reports a different value
>>>for
>>>DNT from the header signal we could give them a way to report that so
>>>their
>>>third-parties can take appropriate action.
>>>
>>>The reporting could be via cross-domain messaging but that would need JS
>>>to
>>>receive it, and difficult to verify.  Maybe this is yet another suitable
>>>case for transparent DNT override using a cookie with a well-known name
>>>(and
>>>site-specific cloning of cookies to third-parties).
>>>
>>>To recap, what I suggested was a particularly named cookie e.g. W3CTP=X
>>>which would always override the value of DNT. If it is placed (in
>>>set-cookie
>>>or document.cookies) it is cloned to site-specific third-parties
>>>qualified
>>>by the domain cookie attribute.
>>>
>>>It would signal consent (W3CTP=C=1) or its absence (W3CTP=C=0) . If it
>>>was
>>>not there DNT would rule. If DNT was not there local law would prevail.
>>>The
>>>UA could use it to revoke OOBC in the same UI as DNT UGE.
>>>
>>>This gives a solution for EU ePrivacy, COPPA signalling, transparent
>>>OOBC
>>>and illicit DNT detection (W3CTP=DNT=I) It has built-in support for
>>>sunset
>>>revocation using the expires attribute and  also allows third-parties to
>>>transparently signal OOB consent without JS or needing to rely on the
>>>first-party (this last may be contentious).
>>>
>>>Mike
>>>
>>>
>>>
>>>
>>>-----Original Message-----
>>>From: Chris Mejia [mailto:chris.mejia@iab.net]
>>>Sent: 26 July 2013 22:41
>>>To: Rigo Wenning; Shane Wiley
>>>Cc: public-tracking@w3.org
>>>Subject: Re: ISSUE-151 Re: Change proposal: new general principle for
>>>permitted uses
>>>
>>>Rigo, you stated: "If W3C would stop having a process and discussions
>>>about
>>>a process and either throw out the industry, the consumer or the privacy
>>>experts, respectively, we could advance within weeks."
>>>
>>>I hope you are not suggesting that the way to reach consensus is to
>>>simply
>>>kick out your paying members and invited experts, then do the work on
>>>your
>>>own?  That doesn't sound right to me...  Working group members, in both
>>>camps, have brought valid concerns around process and are seeking
>>>clarity
>>>and accountability from the co-chairs and staff-- I don't think it's
>>>constructive to effectively respond with "put up or shut up" (I'm
>>>paraphrasing, of course, but that's what I took from your reply to
>>>Shane).
>>>
>>>Shane wrote: "DNT can be set easily by any technology with access to the
>>>page request header outside of user control" and you responded "...your
>>>assertion is just wrong."
>>>
>>>Shane is actually right, the DNT header CAN be easily set by any tech
>>>with
>>>access to the page request header, outside of user control (e.g. private
>>>or
>>>corporate routers can do this) -- it IS a valid technical concern that
>>>we
>>>currently have no way to validate how DNT was set-- whether it was an
>>>informed user choice or not.  Check it out with any tech expert, Shane
>>>is
>>>right.  Until this is solved, it's virtually impossible to distinguish
>>>true
>>>signals through the noise of bad signals, and that's a problem for DNT.
>>>
>>>Shane wrote: "we'll likely have a high percentage of DNT=1 traffic on
>>>the
>>>internet" and you responded "Does that mean you fear that the opt-out
>>>system
>>>could actually work?"
>>>
>>>Please define "could actually work".  If you mean high DNT rates =
>>>works,
>>>then your prejudice is clear.  In this case, I guess you'd argue that
>>>low
>>>DNT rates = broken.  What if only individual human users could enable
>>>DNT
>>>based on sound education regarding its enablement, and they decided not
>>>to.
>>>Would that define a broken state/mechanism to you, simply because people
>>>chose not to send DNT?  Or would you say those are broken users?  I for
>>>one
>>>advocate for USER EDUCATION and INDIVIDUAL USER CHOICE-- don't you?
>>>Btw,
>>>per the rest of your argument, there is absolutely nothing today stopping
>>>German publishers from "opting-back-in" users who employ ad blockers;
>>>likewise, there is absolutely nothing preventing the same publishers
>>>from
>>>only serving their content to those users who do not use ad blockers.
>>>DNT
>>>doesn't solve this problem, so let's not conflate issues.
>>>
>>>You wrote "the issue is the unrest in the marketplace."
>>>
>>>I don't see any evidence of widespread "unrest" in the marketplace;
>>>quite
>>>the contrary, as evidenced by growing web statistics.  Take online
>>>purchasing as an indicator of market health; the year over year growth
>>>of
>>>online purchasing is staggering-- I don't believe anyone will argue
>>>otherwise.  So, if there were so much "unrest" in the online marketplace
>>>as
>>>you propose, would you expect that consumers would still choose to make
>>>their purchases more and more online?  I wouldn't-- it's not logical.
>>>Our
>>>industry has invested heavily in brokering trust with our users and this
>>>is
>>>clearly evidenced in the numbers-- we don't need DNT to "fix"
>>>anything-- broadly speaking, user trust already exists despite your best
>>>efforts to convince the marketplace otherwise.  Now of course there are
>>>some
>>>individuals (a relatively small number, comparatively speaking) that
>>>don't
>>>trust.  Our industry, and browsers alike, have gladly provided those
>>>INDIVIDUAL USERS the mechanism to opt out-- no problem, we respect an
>>>INDIVIDUAL's right to CHOOSE.
>>>
>>>Shane wrote "This means sites will need to ask users if they set the DNT
>>>signal and/or ask for a UGE for a large majority of visitors" and you
>>>responded "You don't. You just test the user agent... And you need a
>>>lawyer
>>>to tell you what to do? Come on!"
>>>
>>>You may be on to something here Rigo.  If the W3C TPWG can not come up
>>>with
>>>a real technical solution to this problem (something that works in
>>>real-time, on a 100% of server calls), I propose that the W3C take on
>>>the
>>>infrastructure and costs associated with providing a "DNT user agent
>>>vetting
>>>registry service".  The TPWG can set requirements for user agents, then
>>>YOU
>>>(W3C) test the user agents, posting the results to a globally accessible
>>>registry.  Companies can then poll this registry (daily) for updates,
>>>and
>>>will only honor DNT when it's been determined that a user agent has met
>>>the
>>>required criteria for setting DNT: an informed user choice.  User agents
>>>that want to send DNT should apply for certification from the W3C, and
>>>if
>>>they meet the requirements, be added to the registry.
>>> In providing this service, you should agree to an industry & consumer
>>>advocate oversight committee to monitor your work, as well as regular
>>>independent 3rd party audit/accreditation of your service (may I suggest
>>>MRC-- they are good at this).  Easy, right?  And you need a technologist
>>>to
>>>tell you what to do? Come on :)
>>>
>>>Shane wrote "This is an "opt-in" paradigm - which we agreed in the
>>>beginning
>>>was inappropriate (DNT=<null>, user makes an explicit choice)"
>>>and you responded "Who is responsible for DNT:1 spitting routers? W3C?"
>>>
>>>Yes, W3C is responsible, it's your spec.  See "DNT user agent vetting
>>>registry service" (above) for next steps on cleaning up the marketplace
>>>mess
>>>that's been created.
>>>
>>>You wrote "If you can't distinguish between a browser and a router, I
>>>wonder
>>>about the quality of all that tracking anyway."
>>>
>>>Rigo, this is why you are a lawyer, and not a technologist. Technically
>>>speaking, we are not talking about distinguishing between browsers and
>>>routers, we are talking about distinguishing between validly set DNT
>>>signals and ones that aren't.  You'd need to understand how HTTP header
>>>injection works to fully appreciate the technical problem. The best
>>>technologists on both sides of this debate have not been able to
>>>reconcile
>>>this issue. Neither have the lawyers.
>>>
>>>You wrote "I do not believe, given the dynamics of the Web and the
>>>Internet,
>>>that we can predict the percentage of DNT headers for the next 3 years;
>>>let
>>>alone the percentage of valid DNT headers."
>>>
>>>True, no one has working crystal ball technology that I'm aware of, but
>>>we
>>>do know that despite there being no agreed upon specification in the
>>>marketplace, user agents are sending DNT header signals today.  No
>>>matter
>>>how many signals are sent, if you want DNT signals to be meaningful to
>>>users, industry adoption is key.  Please stop asserting that our
>>>technical
>>>and business concerns are trivial or ill informed-- they are not.  Most
>>>of
>>>your replies below are not helping us get closer to a workable DNT
>>>solution-- you are only further exacerbating our concerns.
>>>
>>>Chris 
>>>
>>>
>>>
>>>
>>>On 7/25/13 12:40 AM, "Rigo Wenning" <rigo@w3.org> wrote:
>>>
>>>>On Thursday 25 July 2013 04:39:35 Shane Wiley wrote:
>>>>> Rigo,
>>>>> 
>>>>> I feel like we're talking past one another.
>>>>
>>>>We are not. The DAA tells the world that "the World Wide Consortium
>>>>sputters and spits trying to negotiate a Do Not Track standard to
>>>>protect consumer privacy online, the digital advertising business is
>>>>forging ahead with expanding its self-regulation program to mobile
>>>>devices."
>>>>http://www.adweek.com/news/technology/ad-industry-expands-privacy-self-regulation-mobile-151386
>>>>
>>>>This is unfair. If W3C would stop having a process and discussions
>>>>about a process and either throw out the industry, the consumer or the
>>>>privacy experts, respectively, we could advance within weeks. No more
>>>>sputters and spits.
>>>>
>>>>> 
>>>>> 1.  DNT can be set easily by any technology with access to the page
>>>>> request header outside of user control
>>>>
>>>>The French call that "dialogue de sourds", the dialog of the deaf. If
>>>>you can test the presence of a UGE mechanism, your assertion is just
>>>>wrong. Repeating it doesn't make it become true.
>>>>
>>>>> 2.  This means we'll likely
>>>>> have a high percentage of DNT=1 traffic on the internet (some say as
>>>>> high as 80%)
>>>>
>>>>Does that mean you fear that the opt-out system could actually work?
>>>>And that you are deeply concerned that users could opt-back in? If we
>>>>stall, you can time-travel into the next 5 years and talk to the people
>>>>from German IT-publisher Heise: They lost large parts of their revenue
>>>>due to blocking tools. It will be 80% of blocking tools instead of
>>>>DNT-Headers.
>>>>They would LOVE to have a way to opt their audience back in. IMHO, if
>>>>the industry ignores the golden bridge of DNT, they will have to cross
>>>>the rocky valley a few years later. As I said, the issue is the unrest
>>>>in the marketplace, that people will buy whatever promises them more
>>>>privacy, even a DNT-spitting router. To your point: you may see 80% of
>>>>DNT:1 headers, but how many of them will be valid according to the W3C
>>>>Specifications?
>>>>
>>>>> 3.  This means sites will need to ask users if they set the DNT
>>>>> signal and/or ask for a UGE for a large majority of visitors
>>>>
>>>>As I explained: You don't. You just test the user agent. We both know
>>>>that DNT has two technological enemies: 1/ Cookies + implied consent
>>>>and 2/ DNT:1 spitting routers and dumb extensions. Now the united
>>>>internet expertise in this group can't distinguish between those and a
>>>>valid browser? And you need a lawyer to tell you what to do? Come on!
>>>>
>>>>> 4.  This is an "opt-in" paradigm - which we agreed in the beginning
>>>>> was inappropriate (DNT=<null>, user makes an explicit choice)
>>>>
>>>>Who is responsible for DNT:1 spitting routers? W3C? Is this conformant
>>>>to the current state of our specifications? Nobody in this group wants
>>>>DNT:1 spitting routers. That's why we have ISSUE-151.
>>>>> 
>>>>> To adopt DNT under the Swire/W3C Staff Proposal (aka June Draft),
>>>>> industry would be agreeing to shift to an opt-in model vs. agreeing
>>>>> to support a more hardened opt-out choice for users that is stored in
>>>>> the web browser safely away from cookie clearing activities (which
>>>>> remove opt-out cookies today unless the user has installed an opt-out
>>>>> preservation tool).  This is a significant shift and will not likely
>>>>> be supported by industry.  Hence the reason we're pushing back so
>>>>> hard on the current situation.
>>>>
>>>>Your assertion of an opt-in model is a myth and a perceived danger, not
>>>>a real shift in the Specification. The routers are shifting, not the
>>>>Specification. This is just the first sign of market unrest. If you
>>>>can't distinguish between a browser and a router, I wonder about the
>>>>quality of all that tracking anyway. Are we discussing giant dumps of
>>>>rubbish quality data? If so, consumers and privacy experts may relax a
>>>>bit. For the moment, they assume that you can do profiles and things
>>>>and distinguish between users and their devices etc.
>>>>> 
>>>>> I believe I'm being as fair, open, and honest about the core issue.
>>>>
>>>>And I do not question that. We even agree that there is an issue. And
>>>>we have a number for that issue. I tell you that your conclusions and
>>>>suggestions will lead to a totally nullified DNT, not worth our time.
>>>>And I encourage you to consider a reasonable solution to the problem,
>>>>not a short-circuiting of the system with an industry-opt-out behind.
>>>>
>>>>> Hopefully we can work together to look for solutions to this
>>>>> unfortunate outcome (unfortunate for industry as I can imagine some
>>>>> on the advocate side would be very happy with an opt-in world).
>>>>
>>>>Again, opt-in/out is a myth. DNT installs a control, a switch. This is
>>>>much more than opt-in/out. BTW, I do not believe, given the dynamics of
>>>>the Web and the Internet, that we can predict the percentage of DNT
>>>>headers for the next 3 years; let alone the percentage of valid DNT
>>>>headers.
>>>>
>>>>Finally, the only ways a company can be forced to honor a DNT:1 header
>>>>is: 
>>>>1/ By our feedback making a promise it does
>>>>2/ By a self-regulation like DAA or Truste or Europrise
>>>>3/ By law
>>>>
>>>>I would be totally surprised by a law that would force you to accept
>>>>"any" DNT:1 header.
>>>>
>>>>So let's work on distinguishing the good from the bad headers. We had
>>>>very good discussions in Sunnyvale with the browser makers. They are
>>>>also interested in a solution. There must be a way.
>>>>
>>>> --Rigo
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>

Received on Saturday, 27 July 2013 18:51:16 UTC
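
The precedence rules in Mike O'Neill's W3CTP cookie proposal quoted above (cookie overrides DNT, DNT rules when the cookie is absent, local law applies when neither is present), sketched as server-side logic. This is an added example, not code from the thread or from any W3C specification; the function names, result labels, the handling of unrecognised cookie values and the constructed sample requests are assumptions.

```python
# Added example: precedence rules from the W3CTP proposal in this thread.
# The cookie name W3CTP and the values C=1, C=0 and DNT=I come from the thread;
# function names and result labels are assumptions made for illustration.

def parse_cookie_header(raw):
    """Parse a Cookie request header into a dict.

    Each pair is split on the first '=' only, because W3CTP values such
    as 'C=1' contain '=' themselves.
    """
    cookies = {}
    for pair in raw.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            cookies.setdefault(name, value)  # first occurrence wins
    return cookies


def resolve_preference(headers):
    """Return (decision, source) for one request's headers (a dict)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    w3ctp = parse_cookie_header(h.get("cookie", "")).get("W3CTP")

    # 1. The well-known cookie, when present, always overrides DNT.
    if w3ctp == "C=1":
        return ("consent", "cookie")
    if w3ctp == "C=0":
        return ("no-consent", "cookie")
    if w3ctp == "DNT=I":
        # The DNT header was reported as illicit; what the third party
        # then does with it is left to the caller.
        return ("dnt-flagged-illicit", "cookie")

    # 2. No recognised cookie (assumption: unknown values are ignored): DNT rules.
    dnt = h.get("dnt")
    if dnt == "1":
        return ("do-not-track", "dnt-header")
    if dnt == "0":
        return ("tracking-allowed", "dnt-header")

    # 3. Neither cookie nor DNT header: local law prevails.
    return ("local-law", "default")


# Constructed sample requests, not captured traffic.
SAMPLES = [
    {"DNT": "1", "Cookie": "sid=abc; W3CTP=C=1"},
    {"DNT": "1", "Cookie": "W3CTP=DNT=I"},
    {"DNT": "1"},
    {},
]

if __name__ == "__main__":
    for request in SAMPLES:
        print(request, "->", resolve_preference(request))
```
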