RE: June Draft of the DNT compliance spec

Fair point, but I think we need to look as some criteria

.         What is the primary utility of a product / add on?

.         How is it acquire / installed ? (pre-installed vs. purchase or


In the case of a pre-installed browser one might suggest the primary purpose
is web browsing and searching, so for one pre-configured with DNT=1 in the
US is not compliant.  It would be hard to conceive the purchase of such a
device was driven by a browser setting.   Conversely if one chooses to
install a browser or add-on, not pre-installed on their device in part due
to the prominent positioning of these privacy focused features(s) on by
default one could argue they made an explicit decision.





From: Chris Mejia [] 
Sent: Thursday, June 13, 2013 9:09 AM
To: Matthias Schunter (Intel Corporation)
Subject: Re: June Draft of the DNT compliance spec


Hi Matthias,


I'm concerned with:


"this is a very strong expression of a desire for privacy"

It represents a slippery slope, open to personal interpretation, and a
certain vagueness that's hard to program for-- and thus should not be in a
tech spec.  It would leave DNT compliance open for rather loose
interpretation-- and that would be a problem for publishers who are left to
make sense of this spec for their users.


Here's a tangible and real example/concern, to support my point:  Microsoft
is currently running strong television ads in some jurisdictions around
privacy.  In some spots, they connect privacy, even 'tracking protection,'
to their IE10 product offering. Does that make Microsoft's IE10 a "privacy
browser", and are we now ok allowing them to set/send DNT by default and be
"compliant" with our spec?  I thought we already agreed, no, that's not ok.


But if we allow this to be the case, what will keep any browser company or
other UA from simply saying that privacy is a key feature of their browser
and then also setting DNT by default, without any real user
action/understanding of the setting?  Nothing.  And then DNT:1 will become
ubiquitous, it will harm industry (especially long-tail small publishers),
and so on... 




On Jun 13, 2013, at 10:49 AM, "Matthias Schunter (Intel Corporation)"
<> wrote:


my 2cents: 
- From a user expectation point of view, I would expect that whatever is
turned on by private browsing (e.g., turning on DNT;1) 
is then undone when I exit this mode (i.e., returning DNT to the prior

- The original intent (AFAIR) of the language I cited was to allow
installation of privacy tools (such as the anonymous browsing tool "Tor")
  and - since this is a very strong expression of a desire for privacy -
these tools may send DNT;1 by default.
  Naturally, these tools MUST still need to implement the exception API and
provide a feature to return from DNT;1 to unset or DNT;0.


On 13/06/2013 16:27, Alan Chapell wrote:

Thanks Craig - 


I probably wasn't being clear enough in my question. As I understand it,
Safari turns on DNT automatically during a Private Browsing session. I'm
asking if DNT remains on, or is turned off when the Private Browsing session



From: Craig Spiezle <>
Date: Thursday, June 13, 2013 10:18 AM
To: Alan Chapell <>, 'Justin Brookman'
<>, 'David Singer' <>
Cc: 'Shane Wiley' <>, 'Peter Swire'
<>, <>
Subject: RE: June Draft of the DNT compliance spec
Resent-From: <>
Resent-Date: Thu, 13 Jun 2013 14:19:33 +0000


This is really determined by the browser vendor and or user setting if
"private browsing" (InPrivate, Incognito.)  is a session based or persistent


From: Alan Chapell [] 
Sent: Thursday, June 13, 2013 7:07 AM
To: Justin Brookman; Craig Spiezle; David Singer
Cc: 'Shane Wiley'; 'Peter Swire';
Subject: Re: June Draft of the DNT compliance spec


Thanks Justin. I was unaware of the Private Browsing feature. 


David, does Private Browsing turn on DNT automatically during a private
browsing session, and then turn it off automatically once the private
browsing session is over?




From: Justin Brookman <>
Date: Monday, June 10, 2013 12:37 PM
To: Craig Spiezle <>
Cc: 'Shane Wiley' <>, Alan Chapell
<>, 'Peter Swire' <>,
Subject: Re: June Draft of the DNT compliance spec


Previously, I thought we had agreement that selection of a special
privacy-protective product or setting could imply consent to send DNT:1
This agreement is currently reflected in the TPE in Section 3:
ing.  For example, I believe that Safari turns on DNT:1 whenever someone
engages "Private Browsing" mode, despite no specific language about Do Not


However, that language/agreement may have been subsumed by more recent


On Jun 10, 2013, at 11:15 AM, "Craig Spiezle" <> wrote:

I apologize for possibly bringing up a closed issue, but do you see a
distinction between a browser or a privacy / security enhancing product?   I
agree with what is proposed by a browser, but see there might be other
scenarios where the consumer is making an implied decision when acquiring a
third party security / privacy add-on?.


Conceptually let's call the product Privacy and Data Protector which by
default out of the box offers "maximized protection of your data collection
and privacy".   Could one argue that one who purchases such a product in
effect is making an implied decision to use such functionality.  Better yet
Ad-Block Plus?    






From: Shane Wiley [mailto:wileys@ <>] 
Sent: Monday, June 10, 2013 7:17 AM
To: Alan Chapell; Peter Swire;  <>
Subject: RE: June Draft of the DNT compliance spec


Friendly amendment suggestion:


".unless they have otherwise obtained consent from the user to do so."


- Shane


From: Alan Chapell [ <>] 
Sent: Monday, June 10, 2013 6:31 AM
To: Peter Swire;  <>
Subject: Re: June Draft of the DNT compliance spec


Thanks Peter. I'm still generally uncomfortable that DNT doesn't place
requirements on First Parties. 


One item of particular concern that seems to have fallen off the radar is
the scenario where a party collects data in a first party context and
attempts to use it in a third party context when DNT is enabled. I thought
there was agreement on this issue. However, I keep raising it, and it
doesn't seem to make it into the drafts. Perhaps its implied in the language
". customize the content, services, and advertising in the context of the
first party experience." However, it is not clear enough, IMHO.


To address, I offer the following language to Section 4 (First Party
Compliance). The new language is below.


First Parties must not use data collected while a First Party when acting as
a Third-Party when DNT = 1. 



Nick - if I need to open up another issue on this, please let me know.



From: Peter Swire < <>>
Date: Monday, June 10, 2013 7:47 AM
To: " <>" <
Subject: June Draft of the DNT compliance spec
Resent-From: < <>>
Resent-Date: Mon, 10 Jun 2013 11:47:58 +0000


To the Working Group:


        Attached please find a June Draft of the compliance spec.  The spec
is also available at:




This draft builds directly on the Consensus Action Summary from the
Sunnyvale F2F.  Working closely with W3C staff, and based on numerous
discussions with members of the WG, this June Draft is my best current
estimate of a document that can be the basis for a consensus document in
time for Last Call.


        The June Draft includes a number of grammatical and stylistic edits
to various provisions of the previous working drafts.  These sorts of edits
were done in hopes of adding clarity and good writing to the provisions.  In
the spirit of humility, W3C staff and I recognize that members of the WG may
spot substantive objections to these stylistic edits - let us work within a
constructive spirit of the working group process to examine and, where
appropriate, make changes to these edits.


        The Draft also addresses the four task areas included in the
Consensus Action Summary.  In proposing language in the June Draft, my
intent and belief was to make good substantive judgments about an overall
package that may achieve consensus, as well as item-by-item judgments about
what is substantively most defensible within the context of the WG.
Clearly, the group will need to work through each piece of the text, members
can suggest alternatives, and we will need to determine where and whether
consensus exists.


        The June Draft contains normative text but not non-normative text.
In part, this reflects my view that we have the best chance to work
constructively on a relatively short amount of normative text.  Proposed
non-normative text can be proposed for provisions in time for Last Call.  As
a potentially useful alternative, W3C has various mechanisms for publishing
notes or other documents that illuminate a standard.  The best time for
detailed discussion of most non-normative text quite possibly will be after
Last Call.


        The June Draft discusses only items that the W3C WG can address.
Clearly, the actions of others on these issues may be relevant to the
overall outcome.  For instance, the DAA has discussed changes to its code,
including on its market research and product development exceptions.   There
has been discussion of a potentially useful limit on any blocking of 3d
party cookies for sites that comply withDNT.  There may also be new and
useful technical measures that would be important to the future of
advertising in a privacy-protective manner.  The text here, as indicated,
addresses what would be within the compliance spec itself.


        W3C staff and I are working on further explanatory materials that
will seek to clarify the changes here, and link the June Draft to the issues
on the WG site.


        The regular call this Wednesday will be an opportunity for the Group
to have an initialdiscussion of the June Draft.  To give everyone a chance
to review this material, we will not be seeking to close compliance issues
during this Wednesday's calls.


        Thank you,






Prof. Peter P. Swire

C. William O'Neill Professor of Law

           Ohio State University




Beginning August 2013:

Nancy J. and Lawrence P. Huang Professor

Law and Ethics Program

Scheller College of Business

Georgia Institute of Technology




Received on Thursday, 13 June 2013 17:34:50 UTC