Re: June Draft of the DNT compliance spec

Hi Matthias,

I'm concerned with:

"this is a very strong expression of a desire for privacy"

It represents a slippery slope, open to personal interpretation, and a certain vagueness that's hard to program for-- and thus should not be in a tech spec.  It would leave DNT compliance open for rather loose interpretation-- and that would be a problem for publishers who are left to make sense of this spec for their users.

Here's a tangible and real example/concern, to support my point:  Microsoft is currently running strong television ads in some jurisdictions around privacy.  In some spots, they connect privacy, even 'tracking protection,' to their IE10 product offering. Does that make Microsoft's IE10 a "privacy browser", and are we now ok allowing them to set/send DNT by default and be "compliant" with our spec?  I thought we already agreed, no, that's not ok.

But if we allow this to be the case, what will keep any browser company or other UA from simply saying that privacy is a key feature of their browser and then also setting DNT by default, without any real user action/understanding of the setting?  Nothing.  And then DNT:1 will become ubiquitous, it will harm industry (especially long-tail small publishers), and so on...


On Jun 13, 2013, at 10:49 AM, "Matthias Schunter (Intel Corporation)" <<>> wrote:


my 2cents:
- From a user expectation point of view, I would expect that whatever is turned on by private browsing (e.g., turning on DNT;1)
is then undone when I exit this mode (i.e., returning DNT to the prior state).

- The original intent (AFAIR) of the language I cited was to allow installation of privacy tools (such as the anonymous browsing tool "Tor")
  and - since this is a very strong expression of a desire for privacy - these tools may send DNT;1 by default.
  Naturally, these tools MUST still need to implement the exception API and provide a feature to return from DNT;1 to unset or DNT;0.


On 13/06/2013 16:27, Alan Chapell wrote:
Thanks Craig -

I probably wasn't being clear enough in my question. As I understand it, Safari turns on DNT automatically during a Private Browsing session. I'm asking if DNT remains on, or is turned off when the Private Browsing session ends.

From: Craig Spiezle <<>>
Date: Thursday, June 13, 2013 10:18 AM
To: Alan Chapell <<>>, 'Justin Brookman' <<>>, 'David Singer' <<>>
Cc: 'Shane Wiley' <<>>, 'Peter Swire' <<>>, <<>>
Subject: RE: June Draft of the DNT compliance spec
Resent-From: <<>>
Resent-Date: Thu, 13 Jun 2013 14:19:33 +0000

This is really determined by the browser vendor and or user setting if “private browsing” (InPrivate, Incognito…)  is a session based or persistent setting.

From: Alan Chapell []
Sent: Thursday, June 13, 2013 7:07 AM
To: Justin Brookman; Craig Spiezle; David Singer
Cc: 'Shane Wiley'; 'Peter Swire';<>
Subject: Re: June Draft of the DNT compliance spec

Thanks Justin. I was unaware of the Private Browsing feature.

David, does Private Browsing turn on DNT automatically during a private browsing session, and then turn it off automatically once the private browsing session is over?

From: Justin Brookman <<>>
Date: Monday, June 10, 2013 12:37 PM
To: Craig Spiezle <<>>
Cc: 'Shane Wiley' <<>>, Alan Chapell <<>>, 'Peter Swire' <<>>, <<>>
Subject: Re: June Draft of the DNT compliance spec

Previously, I thought we had agreement that selection of a special privacy-protective product or setting could imply consent to send DNT:1  This agreement is currently reflected in the TPE in Section 3:  For example, I believe that Safari turns on DNT:1 whenever someone engages "Private Browsing" mode, despite no specific language about Do Not Track:

However, that language/agreement may have been subsumed by more recent discussions.

On Jun 10, 2013, at 11:15 AM, "Craig Spiezle" <<>> wrote:

I apologize for possibly bringing up a closed issue, but do you see a distinction between a browser or a privacy / security enhancing product?   I agree with what is proposed by a browser, but see there might be other scenarios where the consumer is making an implied decision when acquiring a third party security / privacy add-on?.

Conceptually let’s call the product Privacy and Data Protector which by default out of the box offers “maximized protection of your data collection and privacy”.   Could one argue that one who purchases such a product in effect is making an implied decision to use such functionality.  Better yet Ad-Block Plus?

From: Shane Wiley [<>]
Sent: Monday, June 10, 2013 7:17 AM
To: Alan Chapell; Peter Swire;<>
Subject: RE: June Draft of the DNT compliance spec

Friendly amendment suggestion:

“…unless they have otherwise obtained consent from the user to do so.”

- Shane

From: Alan Chapell []
Sent: Monday, June 10, 2013 6:31 AM
To: Peter Swire;<>
Subject: Re: June Draft of the DNT compliance spec

Thanks Peter. I'm still generally uncomfortable that DNT doesn't place requirements on First Parties.

One item of particular concern that seems to have fallen off the radar is the scenario where a party collects data in a first party context and attempts to use it in a third party context when DNT is enabled. I thought there was agreement on this issue. However, I keep raising it, and it doesn't seem to make it into the drafts. Perhaps its implied in the language "… customize the content, services, and advertising in the context of the first party experience." However, it is not clear enough, IMHO.

To address, I offer the following language to Section 4 (First Party Compliance). The new language is below.

First Parties must not use data collected while a First Party when acting as a Third-Party when DNT = 1.

Nick – if I need to open up another issue on this, please let me know. Thanks!

From: Peter Swire <<>>
Date: Monday, June 10, 2013 7:47 AM
To: "<>" <<>>
Subject: June Draft of the DNT compliance spec
Resent-From: <<>>
Resent-Date: Mon, 10 Jun 2013 11:47:58 +0000

To the Working Group:

        Attached please find a June Draft of the compliance spec.  The spec is also available at:

This draft builds directly on the Consensus Action Summary from the Sunnyvale F2F.  Working closely with W3C staff, and based on numerous discussions with members of the WG, this June Draft is my best current estimate of a document that can be the basis for a consensus document in time for Last Call.

        The June Draft includes a number of grammatical and stylistic edits to various provisions of the previous working drafts.  These sorts of edits were done in hopes of adding clarity and good writing to the provisions.  In the spirit of humility, W3C staff and I recognize that members of the WG may spot substantive objections to these stylistic edits – let us work within a constructive spirit of the working group process to examine and, where appropriate, make changes to these edits.

        The Draft also addresses the four task areas included in the Consensus Action Summary.  In proposing language in the June Draft, my intent and belief was to make good substantive judgments about an overall package that may achieve consensus, as well as item-by-item judgments about what is substantively most defensible within the context of the WG.  Clearly, the group will need to work through each piece of the text, members can suggest alternatives, and we will need to determine where and whether consensus exists.

        The June Draft contains normative text but not non-normative text.  In part, this reflects my view that we have the best chance to work constructively on a relatively short amount of normative text.  Proposed non-normative text can be proposed for provisions in time for Last Call.  As a potentially useful alternative, W3C has various mechanisms for publishing notes or other documents that illuminate a standard.  The best time for detailed discussion of most non-normative text quite possibly will be after Last Call.

        The June Draft discusses only items that the W3C WG can address.  Clearly, the actions of others on these issues may be relevant to the overall outcome.  For instance, the DAA has discussed changes to its code, including on its market research and product development exceptions.   There has been discussion of a potentially useful limit on any blocking of 3d party cookies for sites that comply withDNT.  There may also be new and useful technical measures that would be important to the future of advertising in a privacy-protective manner.  The text here, as indicated, addresses what would be within the compliance spec itself.

        W3C staff and I are working on further explanatory materials that will seek to clarify the changes here, and link the June Draft to the issues on the WG site.

        The regular call this Wednesday will be an opportunity for the Group to have an initialdiscussion of the June Draft.  To give everyone a chance to review this material, we will not be seeking to close compliance issues during this Wednesday’s calls.

        Thank you,


Prof. Peter P. Swire
C. William O'Neill Professor of Law
           Ohio State University

Beginning August 2013:
Nancy J. and Lawrence P. Huang Professor
Law and Ethics Program
Scheller College of Business
Georgia Institute of Technology

Received on Thursday, 13 June 2013 16:09:58 UTC