Re: ISSUE-151 Re: Change proposal: new general principle for permitted uses

Hi Alan,

On Jul 28, 2013, at 1:56 PM, Alan Chapell <achapell@chapellassociates.com> wrote:

> Hi Aleecia - 
> 
> I don't recall a 5% figure, although with so many #'s being tossed around
> and so many people consistently talking over each other, I can't say for
> sure. Personally, one of the things that I was hoping is that DNT might
> also allow browsers to feel confortable allowing third-party cookies by
> default with DNT up and running, and that this might balance things out in
> favor of informed choice. But 5% enactment of DNT hasn't been part of my
> core assumptions - particularly given entities setting DNT by default
> and/or without adequately explaining what DNT actually does.

As I understand, the 5% was an estimate based on the percentage of users who change any browser settings / preferences whatsoever in practice, as discussed in meetings outside the W3C.

As you say, I would also like browsers to set third party cookies from sites honoring DNT (which implies DNT has real privacy protections of some sort.) However, historically that was not a point of discussion back when we were working through the issues around "unset."

> In any event, by the face to face at MSFT (15 months ago?) I recall there
> was a recognition across the wg that the DNT #'s were likely to be much
> higher - particularly in light of some of the comments made at that f2f
> re: the impact that DNT would have on third parties.

Yes, by then we had more data. (Your estimate is pretty good. 13 months ago. I cannot tell if it feels longer or shorter, just a blur of tired.)

> With respect to the EU, I believe there was an understanding that DNT
> unset might = DNT:1 in the minds of EU regulators. But I didn't believe
> that would be a forgone conclusion. In other words, I disagree that DNT by
> default in the EU was part of everyone's assumption. And even if DNT by
> default becomes the law of the land in the EU, I'm not sure how that cuts
> against an argument of User choice outside of the EU. If the EU regulators
> believe that default-on for DNT strikes the right balance, there's not
> much I can do about that. But it certainly doesn't mean that I've somehow
> conceded the idea of a user making an informed choice in the U.S.

Actually, on the contrary, this has been locked down for a very long time. It's documented in the TPE in what may be cryptic language to newcomers:

	"In the absence of regulatory, legal, or other requirements, servers MAY interpret the lack of an expressed tracking preference as they find most appropriate for the given user, particularly when considered in light of the user's privacy expectations and cultural circumstances."

That was the way we wrote down DNT unset means DNT:1 in EU and DNT:0 in US and who knows what in other regions. It is, indeed, the conclusion we reached. We talked about this as the "tri-part state." Unless the chairs choose to reopen, this issue is long since closed.

> When you say "US users have turned on DNT in their browsers at a truly
> surprising rate" - does that math take into account the 100 million
> worldwide AVG customers, for many of whom AVG has turned on DNT by default?

Of course; adoption rates were deemed "too high" before AVG became involved at all. (As you may already know but I did not for a week after the press release, AVG sends DNT:1 for *new* users, not for their pre-existing user base. The 100 million is not immediately relevant; what matters is how many customers they're adding per month. Part of AVG's argument is that new customers are buying or upgrading for new features, including DNT, and thereby making a choice for privacy. Agree or disagree as you like with whether that is a sufficient threshold for user choice, but I'm going to try to keep the numbers straight.)

My point was that AVG is not the actual issue we face. Even without any actors other than the browsers, even if IE required multiple menu clicks, even if we limit the scope to just a subset of websites (no mobile apps, no SPDY, if we toss out these prior decisions as was once attempted,) it just doesn't matter. The rate of DNT adoption is, we are told, too high for businesses to be able to absorb. So if we had the ability to sift "this DNT signal is good, that DNT signal is bad" with magic telepathic powers, we are still in the soup: the base rate from browsers is higher than companies say they can live with. 

If we cannot address that basic issue of financial viability, we are wasting our collective time. It is not because of principled concerns about user choice, it's just math. So let's deal with this reality. Now what, folks?

	Aleecia

Received on Monday, 29 July 2013 00:20:16 UTC