- From: Chris Mejia <chris.mejia@iab.net>
- Date: Sat, 27 Jul 2013 22:20:32 +0000
- To: "'peter.cranstone@3pmobile.com'" <peter.cranstone@3pmobile.com>, "'rigo@w3.org'" <rigo@w3.org>, "'wileys@yahoo-inc.com'" <wileys@yahoo-inc.com>
- CC: "'public-tracking@w3.org'" <public-tracking@w3.org>
Peter,

Nothing from your reply below answers my concern that you intend to assert yourself (vis-à-vis your patent claims) as a gatekeeper/toll-collector once the DNT spec is finalized and in widespread use. So please answer here publicly: do you (and/or your business partners and fellow patent holders) intend to pursue/assert your IP/patent claims in any commercial manner, after the DNT spec is finalized? In fact, your reply below breeds even more suspicion that you DO intend to pursue your IP claims to commercial benefit, after we complete the DNT spec. Below you point to so-called commercial interests of other parties related to privacy programs-- are you trying to make your own case here that it's ok for you to profit from DNT? Just be transparent about your motivations-- that's all I'm asking. What kind of fee are you looking to charge for rights to use your IP surrounding DNT?

In your reply below, and once again, you have chosen to ignore the real issues DNT faces-- rather, YOU are focusing on rhetoric that's not helpful to solving real problems.

I don't speak for the DAA, a non-profit organization whose only mandate is to provide Internet users assurances about participants' data practices, but I am familiar with the program.
You are only telling part of the story below, so let's get some additional facts and clarifications on the table:

- DAA is a non-profit organization-- its ongoing operations, which benefit Internet users, are funded by licensing fees; that's always been transparent-- nothing to hide there, or be ashamed of;
- Your organization, 3PMobile, is a for-profit business entity that has not publicly published its business intentions regarding privacy/DNT and the patents you claim;
- Any publisher that chooses to be compliant with the DAA Principles may license the AdChoices icon;
- DAA license fees are waived for small publishers (exact terms available from DAA directly);
- DAA has never asserted that it operates under a "creative commons" license structure;
- DAA has never asserted that it runs a free program;
- The modest licensing fees DAA does collect go to pay for the program development and administration costs;
- Most individual contributors to the DAA program are volunteers-- their IP is freely contributed to the cause;

What is the particular relevance of the other patents and patent holders you've cited? I don't see an obvious connection between them and you, so you'll have to elaborate on your point if you want it to be clear.

You wrote "if a router can add a DNT signal 'as a feature' then it's just as easy to add a 'AdChoice' opt-out signal as a feature." Again, I'm not following your logic (or the tech) here. DNT is an http header signal, and the AdChoices program operates with cookies. Apples and oranges, technology wise. I don't see how a router can be configured to set cookies in the browser's cookie space? Can you please support your use-case example with a technical description of how that could be accomplished to "game" the AdChoices program? If you feel that describing how such a mechanism works would be sensitive, send me that description off the public thread please.

You wrote "So far there is ZERO evidence that anyone is illegally (as per the spec) adding a DNT signal to the outgoing HTTP request." There is no DNT spec yet; it's still in development and nothing has been decided to the extent it can't change before a final spec is published. Additionally, I know of no law regarding DNT, so your use of the word "illegally" is out of context. DNT has always been promoted by W3C and members of the working group as a voluntary spec.

Until you prove otherwise, your commercial motivations here are quite clear Peter-- based on the evidence of your interactions with this organization and its members, it's quite clear to me that you are commercially motivated for a DNT standard at any cost, as I'm sure you believe it will make you a rich man. More power to you if that happens, but I'd ask that you be fully transparent about your interests until it does. And again, if you don't intend to work on or contribute substantively to solutions to the real issues that DNT faces, please find another forum for your own promotion and rhetoric-- this is a working group (emphasis on 'work'), so it's not appropriate here.

Chris

Chris Mejia | Digital Supply Chain Solutions | Ad Technology Group | Interactive Advertising Bureau - IAB | chris.mejia@iab.net

----- Original Message -----
From: Peter Cranstone [mailto:peter.cranstone@3pmobile.com]
Sent: Saturday, July 27, 2013 04:11 PM Eastern Standard Time
To: Chris Mejia; Rigo Wenning <rigo@w3.org>; Shane Wiley <wileys@yahoo-inc.com>
Cc: public-tracking@w3.org <public-tracking@w3.org>
Subject: Re: ISSUE-151 Re: Change proposal: new general principle for permitted uses

Chris,

I took a look at the AdChoices program - interesting enough it's not free - $6,000 a year - guess the DAA want to charge for their IP.
They even have a nice 'friendly' license - http://www.youradchoices.com/legal.aspx

And there's also this link which points to the actual agreement: https://www.quantcast.com/learning-center/quantcast-terms/adchoices-icon-agreement/ - certainly not creative commons.

And as for patents... let's see. (Note the last two lines of the abstract)

Link: http://www.google.com/patents/US20110173071 - Managing and monitoring digital advertising

Abstract

A computerized system and techniques facilitate the monitoring and management of online behaviorally-targeted advertising. In certain embodiments, electronic notifications related to advertising practices of members of an online advertising ecosystem are presented to users based on the discovery of elements of online content aimed at delivering targeted advertising messages to viewers of the content. The primary notice may be in the form of an icon and/or text that appears over or adjacent to an online advertisement or over or adjacent to another specified HTML element on the web page when the page loads. The secondary targeting details are displayed as a user clicks on, 'mouses over' or otherwise selects the primary component. The secondary details may include more detailed information about the ad, its source, and the behavioral targeting practices of the entities in the advertising ecosystem that were responsible for selecting and delivering the ad. Examples of such information include the name of the advertiser, the delivering ad network, intermediate ad networks, and any data providers or enhancers of the advertisement. In some cases, an optional, third-party-defined message (the third party being an advertiser, the delivering network, intermediate networks, and any data providers or enhancers), may also be shown along with links to pages on the third party's site for additional reference.
Further, industry-defined messages may be provided to the consumer, with links to industry association-developed websites, such as the Better Business Bureau, the Interactive Advertising Bureau or the Digital Advertising Alliance.

Of course what's fascinating about this patent is that one of the assignees is Scott Meyer - the CEO and Founder of Evidon who just acquired MobileScope, which was invented by the original architect of DNT.

And then if you look at this link - http://www.flickr.com/photos/ashk4n/sets/72157629823292521/ look at the second row - middle image. There you have Evidon/MobileScope's new VPN which is adding a DNT header to the outgoing HTTP request. So that would be a 3rd party app adding a DNT header. Is that legal per the spec? Yep. As long as it's the user doing it then it's my choice.

And let's close with the router issue. Again you're getting carried away - if a router can add a DNT signal 'as a feature' then it's just as easy to add a 'AdChoice' opt-out signal as a feature. So call Cisco and petition them.

So far there is ZERO evidence that anyone is illegally (as per the spec) adding a DNT signal to the outgoing HTTP request. The reason nobody can prove it is because it's a binary signal - so until you add in some form of UGE then you MUST accept the signal as valid. If you start patching Apache or IIS to ignore certain UA's then you yourself are in violation of your own spec.

As I've said before - DNT is already a standard in the minds of the consumer, it's already shipped, and until you can convince the browser OEMs who basically control everything to remove it, then it's there to stay. The rest as they say - is all theater.

Peter

On 7/27/13 12:44 PM, "Chris Mejia" <chris.mejia@iab.net> wrote:

>Peter,
>
>Why not focus your time and energy on trying to find real solutions to the issues we face (like Mike O'Neil's reply to this thread), rather than battling me on "rhetoric"?
>Is your real motivation here to ensure that DNT signals are sprayed indiscriminately across the Web, at all costs, because YOU (and your friends) have a commercial interest in DNT's "success"-- vis-à-vis your patent/IP claims? If not, why not issue a public license, free and clear to your patent/IP claims surrounding DNT (assuming of course that your claims are valid)? In other words, if you are truly sincere about DNT and user privacy enhancements via this particular mechanism, and since you have claimed ownership of certain IP related to DNT, please go ahead and blanket indemnify anyone who sends, receives or processes the DNT signal against any claim you and your cohorts may make regarding your ownership of DNT related IP, now and in the future. Again, if you really own IP related to DNT, I'm quite sure that your free and clear licensing of that IP to the world would be useful here, helping to ensure DNT's success-- THAT would be a useful contribution from you.
>
>As I have reiterated time and again, I'm all for an individual user's informed choice to not be tracked-- that's the whole point of the AdChoices program. I find it silly that people would go to all the trouble to "hack" the AdChoices program in order to set all opt out cookies available through the program at once-- we offer that same exact function without a hack-- end result for the user is the same, all opt out cookies are set, so why go to all the trouble of a hack around?
>
>As you point out, anyone can block ads-- there are certainly a number of free and commercial ad blocker programs available on the market. While we don't appreciate ad blockers, most publishers have tolerated their existence until now, simply because they represent an INDIVIDUAL'S CHOICE. But I don't think we should count on that tolerance lasting too much longer, especially if ad blocking/thwarting continues to grow to an extent that it materially affects the publishing business.
>I'm hearing more and more publishers, especially the small ones who are materially affected by ad blocking to such an extent that they risk going out of business, talk about plans to block access to free content when they detect ad blockers. While I'd prefer we didn't get to that place, it does seem like a reasonable reaction to me. Think about the guy who sells magazines at the subway/bus stop-- if he let people sit there and read all of the magazines/newspapers while waiting for the train/bus without paying for them, he'd be out of business in no time. Of course people started to do just that anyway, disrespecting his business of SELLING magazines/newspapers (content), and instead reading without paying. The solution to his problem, logically, was to wrap the magazines in plastic so they could not be read without first paying. Unfortunately, if ad blocking continues to grow, we'll probably see the same thing happen on the Web. Instead of plastic wrappers, you'll likely see ad/pay walls protecting content. What a shame that a few hackers might spoil something good (ad supported content) for the rest of us. Isn't it always the case that a few bad apples spoil the barrel.
>
>I'm having a hard time technically reconciling your description of how routers could be modified to set AdChoices opt-out cookies on the user browsers with which they interface? How exactly would that work? If that's really a practice on the Web, it's new to me, but it would certainly be interesting to know about. I'm not a lawyer, but it would seem to me that there may be some real legal issues with such a practice. If it's a real scenario, thanks for bringing it to our attention-- we'll need to investigate.
>
>Going forward, I'll be happy to engage with TPWG members (you are not one, right?-- you have refused to join the W3C/working group as I understand it due to issues surrounding contribution of IP to the effort) who are sincere in understanding the issues we face and want to find real solutions. If you don't fall into that camp, don't expect more replies from me. Again, I'm personally interested in solving problems, not ignoring or trivializing them.
>
>Chris
>
>On 7/27/13 8:43 AM, "Peter Cranstone" <peter.cranstone@3pmobile.com> wrote:
>
>>Chris,
>>
>>Your comments regarding a meaningless signal also apply equally to the DAA's mechanism. Someone mentioned that it takes only 13 lines of code to add a DNT header. Well it only takes 1 line to game the AdChoices approach (All you have to do is know the final 'set-cookie' sequence that constitutes the 'opt-out' for any participating member of the DAA program.) Also it only takes one line of code to 'evaporate' the ads.
>>From: http://my.opera.com/community/forums/topic.dml?id=1539842 Article Title: Blocking AdChoices on Yahoo! UK Homepage
>>
>>div.CAN_ad, div.fpad { display: none !important; }
>>
>>That's it. Combine that with the other 1 line of code it takes to set the Yahoo 'opt-out' cookie on anyone's browser... and not only are you totally 'opted out'... even if any 'AdChoice' based ads slip through they will never appear in your browser. And YES... those 'TWO lines of code' could just as easily be 'injected' into the conversation by a ROUTER as with any standard Browser add-on. Exactly the same way as 'Industry' says DNT 'false signals' are being done right now ( still unproven ).
>>
>>There are already (free) sites out there that will automatically supply your Browser with ALL of the required DAA member organization 'opt-out' cookies... all in one fell swoop... automatically and WITHOUT 'user verification'.
>>Here is just ONE of those 'automatically opt-out of all AdChoices' sites... Site: GoYaBi - The First One-Click Global AdChoices Opt-Out for All Browsers ( Including Mobile Browsers ). http://m.goyabi.com/how.php
>>
>>So let's confront reality as it is, and not what we want it to be.
>>
>>There is no foolproof system/design, so my advice would be to tone down the 'semantic meaningless signal rhetoric' and move forward with what you have. The alternative is for the Ad industry to 'put up' (show a complete solution that solves all the problems) or accept what is already on the table.
>>
>>Rigo just tried to say that - and while I disagree with him on most things, I have to respect him for that.
>>
>>Peter
>>
>>On 7/26/13 5:19 PM, "Chris Mejia" <chris.mejia@iab.net> wrote:
>>
>>>Peter,
>>>
>>>There is no agreement that the default setting for DNT = 0. In fact, I believe most TPWG folks have agreed that default should = unset. Additionally, I have not seen a browser company or other UA offer DNT = 0 as a choice for users. There is no agreed upon DNT specification today, so let's not make assumptions about what we *think* (or hope) the spec will be in the end-- it's been a moving target all along. Furthermore, I have never agreed (in the 1.5-years that I have been intimately involved with this TPWG) that 3rd parties should be responsible for "policing" the validity of the DNT settings via user agents, rogue or otherwise. I've pointed out all along, that false signals are the Achilles heel to DNT, and until that problem is solved, DNT will likely remain a (practically speaking) meaningless signal.
>>>
>>>I cannot speak for DAA, nor do I believe DAA as an organization made that proposal.
>>>However, my read of the industry consensus proposal you cited below is that it represents what companies would be willing to do for DNT users, despite uncertainty around the validity of how DNT signals are set (in other words, it's what they can agree to do, working in the constraint that the signal is polluted-- and still significant costs are borne with the enablement of that proposal). And hey, I don't think it's particularly productive to shoot down well intentioned efforts to save DNT-- to make it meaningful to users in the context of reality.
>>>
>>>All of the issues you cited around the draft DNT spec seem valid-- so why again should 3rd parties be responsible for sorting out a confusing and faulty spec and bearing the costs of testing it every time they see a new UA sending the signal? Why should 3rd parties, the mom & pop websites they represent, and the users who will be adversely affected by rising costs (and diminishing content) of sorting this all out on the back end, be responsible for a well intentioned, but ill-conceived specification?
>>>
>>>Perhaps I wasn't clear before: I'm personally for a reasonable and workable DNT spec, based on individual user choice. I wouldn't have spent 1.5-years working on this to see it go nowhere-- in fact, I only agreed to work on this for industry, in good faith of finding a workable solution. Please don't read anything else into my comments to Rigo in this thread. My response to him was, the solution needs to be REASONABLE, WORKABLE, and based on INFORMED USER CHOICE. Of course, if we can't agree to being reasonable, the spec isn't workable, and it's not based on informed user choice, then I believe it's faulty. If that ends up being the case in the end, it will likely fail, but not because of me.
>>>
>>>You also must have missed the part where I encouraged W3C to test user agents in order to validate the setting of DNT signals. Serious proposal. Why not?
>>>
>>>Regarding user granted exceptions (UGEs), my personal opinion is that they represent a biased mechanism that primarily benefits big name parties over relatively unknown smaller entities. Users who know (and trust) the big known players are much more likely to grant those big players exceptions for their work in the 3rd party context. But what about the relatively unknown 3rd party ad networks that monetize thousands of smaller web publishers through audience aggregation across unaffiliated sites, in an effort to compete with the big known players-- all in honest fashion? If you don't understand the competition issue this creates, ping me offline and I'll be happy to go into more detail. But I don't think this is an equitable solution.
>>>
>>>Finally, it pains me that people believe privacy should be a "competitive differentiator". It's not. Providing reasonable privacy safeguards is something we do for all users (today), simply because it's the right thing to do. If a company is "competing on privacy," God help them-- no one browses the web looking for privacy solutions-- the vast majority of people browsing the web are looking for quality content on the Web-- content is how publishers compete. Despite this market reality, we provide reasonable and effective privacy protections, again, because it's just the right thing to do for our users-- and because we are good corporate citizens. We also provide reasonable security and fraud protection to users, not because we "compete" on these tenets, but because it's the right thing to do. If you think I'm wrong about user desires, go look for the words "V-chip" on television set ads today.
>>>And don't get me wrong, privacy is important, very important-- and that's why I want a good DNT spec.
>>>
>>>Chris
>>>
>>>On 7/26/13 3:11 PM, "Peter Cranstone" <peter.cranstone@3pmobile.com> wrote:
>>>
>>>>Chris,
>>>>
>>>>You may be jumping the gun just a touch here. The default setting for DNT is '0'. The implication is that if it is turned on that a user must have done it, and that's what you have to go with until you can get an exception. You've had that in front of you for over 2 years now. It's hardly the time to say that we didn't understand it - when it's the core design you've all been discussing for so long. Sure there are hacks - but for 95% of the population they wouldn't know how to pull those off.
>>>>
>>>>Secondly as I watch the DAA come up with their approach to http://news.cnet.com/8301-1023_3-57595191-93/do-not-track-opt-out-icon-coming-to-mobile-browsers/ I have to shake my head. Exactly how does the DAA expect to validate in 100% of the cases that the user clicked on the icon? I actually tried it on my desktop browser. First of all I had to enable 3rd party cookies and then it found 155 people tracking me which after I opted out resulted in a technical failure where it could not update the database. Result was consumer frustration and a distinct lack of trust with advertisers. Secondly they expect to release a mobile version next year. Great - exactly how do they expect to plug in to a mobile browser when no one else can. Secondly, if I set the app to send a DNT signal how will you know if I did it or I installed an app in front of the outgoing request to add a DNT signal.
>>>>
>>>>Rarely do I find myself agreeing with Rigo - but in this case I do. The only approach that is workable is a standard, otherwise there will be a fragmented marketplace with confusion and lack of trust.
>>>>DNT is not going back in the box. It's shipped and with today's announcement by Pinterest http://bits.blogs.nytimes.com/2013/07/26/pinterest-allows-users-to-opt-out-of-being-tracked/ the content providers are climbing on board.
>>>>
>>>>Privacy is going to be a competitive differentiator going forward and everyone is now supporting DNT as a very simple Opt-Out mechanism. The UGE is critical as it will allow users to build a more trusted relationship with content providers based on access to their data. Currently there are probably half a billion browsers that support DNT and just Mozilla users send over 4 trillion signals a month (currently not being heard).
>>>>
>>>>I'd say it's a foregone conclusion that DNT is here to stay. Because as Aleecia says - you're not going to like the alternative which in itself will also require a technology solution. Right now the DAA's approach only has 2 million users and is basically still in alpha. It will be tough to gain much momentum when all the browser OEMs are already supporting a competing approach.
>>>>
>>>>But you never know.
>>>>
>>>>Peter
>>>>
>>>>On 7/26/13 3:40 PM, "Chris Mejia" <chris.mejia@iab.net> wrote:
>>>>
>>>>>Rigo, you stated: "If W3C would stop having a process and discussions about a process and either throw out the industry, the consumer or the privacy experts, respectively, we could advance within weeks."
>>>>>
>>>>>I hope you are not suggesting that the way to reach consensus is to simply kick out your paying members and invited experts, then do the work on your own? That doesn't sound right to me...
>>>>>Working group members, in both camps, have brought valid concerns around process and are seeking clarity and accountability from the co-chairs and staff-- I don't think it's constructive to effectively respond with "put up or shut up" (I'm paraphrasing, of course, but that's what I took from your reply to Shane).
>>>>>
>>>>>Shane wrote: "DNT can be set easily by any technology with access to the page request header outside of user control" and you responded "...your assertion is just wrong."
>>>>>
>>>>>Shane is actually right, the DNT header CAN be easily set by any tech with access to the page request header, outside of user control (e.g. private or corporate routers can do this) -- it IS a valid technical concern that we currently have no way to validate how DNT was set-- whether it was an informed user choice or not. Check it out with any tech expert, Shane is right. Until this is solved, it's virtually impossible to distinguish true signals through the noise of bad signals, and that's a problem for DNT.
>>>>>
>>>>>Shane wrote: "we'll likely have a high percentage of DNT=1 traffic on the internet" and you responded "Does that mean you fear that the opt-out system could actually work?"
>>>>>
>>>>>Please define "could actually work". If you mean high DNT rates = works, then your prejudice is clear. In this case, I guess you'd argue that low DNT rates = broken. What if only individual human users could enable DNT based on sound education regarding its enablement, and they decided not to. Would that define a broken state/mechanism to you, simply because people chose not to send DNT? Or would you say those are broken users? I for one advocate for USER EDUCATION and INDIVIDUAL USER CHOICE-- don't you?
>>>>>Btw, per the rest of your argument, there is absolutely nothing today stopping German publishers from "opting-back-in" users who employ ad blockers; likewise, there is absolutely nothing preventing the same publishers from only serving their content to those users who do not use ad blockers. DNT doesn't solve this problem, so let's not conflate issues.
>>>>>
>>>>>You wrote "the issue is the unrest in the marketplace."
>>>>>
>>>>>I don't see any evidence of widespread "unrest" in the marketplace; quite the contrary, as evidenced by growing web statistics. Take online purchasing as an indicator of market health; the year over year growth of online purchasing is staggering-- I don't believe anyone will argue otherwise. So, if there were so much "unrest" in the online marketplace as you propose, would you expect that consumers would still choose to make their purchases more and more online? I wouldn't-- it's not logical. Our industry has invested heavily in brokering trust with our users and this is clearly evidenced in the numbers-- we don't need DNT to "fix" anything-- broadly speaking, user trust already exists despite your best efforts to convince the marketplace otherwise. Now of course there are some individuals (a relatively small number, comparatively speaking) that don't trust. Our industry, and browsers alike, have gladly provided those INDIVIDUAL USERS the mechanism to opt out-- no problem, we respect an INDIVIDUAL's right to CHOOSE.
>>>>>
>>>>>Shane wrote "This means sites will need to ask users if they set the DNT signal and/or ask for a UGE for a large majority of visitors" and you responded "You don't. You just test the user agent... And you need a lawyer to tell you what to do? Come on!"
>>>>>
>>>>>You may be on to something here Rigo.
>>>>>If the W3C TPWG can not come up with a real technical solution to this problem (something that works in real-time, on a 100% of server calls), I propose that the W3C take on the infrastructure and costs associated with providing a "DNT user agent vetting registry service". The TPWG can set requirements for user agents, then YOU (W3C) test the user agents, posting the results to a globally accessible registry. Companies can then poll this registry (daily) for updates, and will only honor DNT when it's been determined that a user agent has met the required criteria for setting DNT: an informed user choice. User agents that want to send DNT should apply for certification from the W3C, and if they meet the requirements, be added to the registry. In providing this service, you should agree to an industry & consumer advocate oversight committee to monitor your work, as well as regular independent 3rd party audit/accreditation of your service (may I suggest MRC-- they are good at this). Easy, right? And you need a technologist to tell you what to do? Come on :)
>>>>>
>>>>>Shane wrote "This is an "opt-in" paradigm - which we agreed in the beginning was inappropriate (DNT=<null>, user makes an explicit choice)" and you responded "Who is responsible for DNT:1 spitting routers? W3C?"
>>>>>
>>>>>Yes, W3C is responsible, it's your spec. See "DNT user agent vetting registry service" (above) for next steps on cleaning up the marketplace mess that's been created.
>>>>>
>>>>>You wrote "If you can't distinguish between a browser and a router, I wonder about the quality of all that tracking anyway."
>>>>>
>>>>>Rigo, this is why you are a lawyer, and not a technologist.
>>>>>Technically speaking, we are not talking about distinguishing between browsers and routers, we are talking about distinguishing between validly set DNT signals and ones that aren't. You'd need to understand how HTTP header injection works to fully appreciate the technical problem. The best technologists on both sides of this debate have not been able to reconcile this issue. Neither have the lawyers.
>>>>>
>>>>>You wrote "I do not believe, given the dynamics of the Web and the Internet, that we can predict the percentage of DNT headers for the next 3 years; let alone the percentage of valid DNT headers."
>>>>>
>>>>>True, no one has working crystal ball technology that I'm aware of, but we do know that despite there being no agreed upon specification in the marketplace, user agents are sending DNT header signals today. No matter how many signals are sent, if you want DNT signals to be meaningful to users, industry adoption is key. Please stop asserting that our technical and business concerns are trivial or ill informed-- they are not. Most of your replies below are not helping us get closer to a workable DNT solution-- you are only further exacerbating our concerns.
>>>>>
>>>>>Chris
>>>>>
>>>>>On 7/25/13 12:40 AM, "Rigo Wenning" <rigo@w3.org> wrote:
>>>>>
>>>>>>On Thursday 25 July 2013 04:39:35 Shane Wiley wrote:
>>>>>>> Rigo,
>>>>>>>
>>>>>>> I feel like we're talking past one another.
>>>>>>
>>>>>>We are not. The DAA tells the world that "the World Wide Consortium sputters and spits trying to negotiate a Do Not Track standard to protect consumer privacy online, the digital advertising business is forging ahead with expanding its self-regulation program to mobile devices."
>>>>>>http://www.adweek.com/news/technology/ad-industry-expands-privacy-self-regulation-mobile-151386
>>>>>>
>>>>>>This is unfair. If W3C would stop having a process and discussions about a process and either throw out the industry, the consumer or the privacy experts, respectively, we could advance within weeks. No more sputters and spits.
>>>>>>
>>>>>>>
>>>>>>> 1. DNT can be set easily by any technology with access to the page request header outside of user control
>>>>>>
>>>>>>The French call that "dialogue de sourds", the dialog of the deaf. If you can test the presence of an UGE mechanism, your assertion is just wrong. Repeating it doesn't make it become true.
>>>>>>
>>>>>>> 2. This means we'll likely have a high percentage of DNT=1 traffic on the internet (some say as high as 80%)
>>>>>>
>>>>>>Does that mean you fear that the opt-out system could actually work? And that you are deeply concerned that users could opt-back in? If we stall, you can time-travel into the next 5 years and talk to the people from German IT-publisher Heise: They lost large parts of their revenue due to blocking tools. It will be 80% of blocking tools instead of DNT-Headers. They would LOVE to have a way to opt their audience back in. IMHO, if the industry ignores the golden bridge of DNT, they will have to cross the rocky valley a few years later. As I said, the issue is the unrest in the marketplace, that people will buy whatever promises them more privacy, even a DNT-spitting router. To your point: you may see 80% of DNT:1 headers, but how many of them will be valid according to the W3C Specifications?
>>>>>>
>>>>>>> 3. This means sites will need to ask users if they set the DNT signal and/or ask for a UGE for a large majority of visitors
>>>>>>
>>>>>>As I explained: You don't. You just test the user agent. We both know that DNT has two technological enemies: 1/ Cookies + implied consent and 2/ DNT:1 spitting routers and dumb extensions. Now the united internet expertise in this group can't distinguish between those and a valid browser? And you need a lawyer to tell you what to do? Come on!
>>>>>>
>>>>>>> 4. This is an "opt-in" paradigm - which we agreed in the beginning was inappropriate (DNT=<null>, user makes an explicit choice)
>>>>>>
>>>>>>Who is responsible for DNT:1 spitting routers? W3C? Is this conformant to the current state of our specifications? Nobody in this group wants DNT:1 spitting routers. That's why we have ISSUE-151.
>>>>>>>
>>>>>>> To adopt DNT under the Swire/W3C Staff Proposal (aka June Draft), industry would be agreeing to shift to an opt-in model vs. agreeing to support a more hardened opt-out choice for users that is stored in the web browser safely away from cookie clearing activities (which remove opt-out cookies today unless the user has installed an opt-out preservation tool). This is a significant shift and will not likely be supported by industry. Hence the reason we're pushing back so hard on the current situation.
>>>>>>
>>>>>>Your assertion of an opt-in model is a myth and a perceived danger, not a real shift in the Specification. The routers are shifting, not the Specification. This is just the first sign of market unrest. If you can't distinguish between a browser and a router, I wonder about the quality of all that tracking anyway. Are we discussing giant dumps of rubbish quality data? If so, consumers and privacy experts may relax a bit.
For the moment, they assume that you can do profiles and things >>>>>>and >>>>>>distinguish between users and their devices etc. >>>>>>> >>>>>>> I believe I'm being as fair, open, and honest about the core issue. >>>>>> >>>>>>And I do not question that. We even agree that there is an issue. And >>>>>>we >>>>>>have a number for that issue. I tell you that your conclusions and >>>>>>suggestions will lead to a totally nullified DNT, not worth our time. >>>>>>And I encourage you to consider a reasonable solution to the problem, >>>>>>not a short-circuiting of the system with an industry-opt-out behind. >>>>>> >>>>>>> Hopefully we can work together to look for solutions to this >>>>>>> unfortunate outcome (unfortunate for industry as I can imagine some >>>>>>> on the advocate side would be very happy with an opt-in world). >>>>>> >>>>>>Again, opt-in/out is a myth. DNT installs a control, a switch. This >>>>>>is >>>>>>much more than opt-in/out. BTW, I do not believe, given the dynamics >>>>>>of >>>>>>the Web and the Internet, that we can predict the percentage of DNT >>>>>>headers for the next 3 years; let alone the percentage of valid DNT >>>>>>headers. >>>>>> >>>>>>Finally, the only ways a company can be forced to honor a DNT:1 >>>>>>header >>>>>>is: >>>>>>1/ By our feedback making a promise it does >>>>>>2/ By a self-regulation like DAA or Truste or Europrise >>>>>>3/ By law >>>>>> >>>>>>I would be totally surprised by a law that would force you to accept >>>>>>"any" DNT:1 header. >>>>>> >>>>>>So lets work on distinguishing the good from the bad headers. We had >>>>>>very good discussions in Sunnyvale with the browser makers. They are >>>>>>also interested in a solution. There must be a way. >>>>>> >>>>>> --Rigo >>>>>> >>>>>> >>>>> >>>>> >>>> >>> >>
Received on Saturday, 27 July 2013 22:21:44 UTC