dnt preference management (was Re: Batch closing of TPE related issues)

On Jun 18, 2013, at 7:41 AM, "SULLIVAN, BRYAN L" <bs3131@att.com> wrote:

> More below.
> 
> Thanks,
> Bryan Sullivan
> 
>> On Jun 14, 2013, at 5:18 PM, "Nicholas Doty" <npdoty@w3.org> wrote:
>> 
>> Hi Bryan,
>> 
>> On Jun 12, 2013, at 8:51 AM, "SULLIVAN, BRYAN L" <bs3131@att.com> wrote:
>> 
>>> On Jun 12, 2013, at 4:07 PM, "Nicholas Doty" <npdoty@w3.org> wrote:
>>> 
>>>> I didn't understand ISSUE-192 to be about the capability for revocation of user-granted exceptions within the browser, but a question as to whether the API for storing user-granted exceptions in the user agent should include capabilities for cookie semantics, including timed expiration or secure-only. I agree with the resolution that it doesn't seem at this time like those capabilities are needed. To Rob's point, I don't think ISSUE-192 addresses the question of user control of revoking user-granted exceptions; we should go ahead and close it.
>>>> 
>>>> When the idea of user-granted exceptions as stored in the browser (rather than consent mediated by the browser) was first proposed, I did try to express concern about the confusing situation of simultaneously using stored user-granted exceptions and out-of-band consent. One key advantage of having user-granted exceptions stored by the user agent is that the user can inspect them in a single place and revoke granted permissions at a time of their choosing. If users revoke these exceptions but the consent is also stored through some out-of-band means and so the user continues to be told that they have consented to being tracked in a specific context, it would be surprising to the user and it might become difficult to opt-back-out.
>>>> 
>>> <Bryan> perhaps, Nick. But that "single place" advantage is only applicable if (1) you don't consider that the user will likely be accessing services via many devices and multiple browsers; (2) the UI/UX across UAs is fairly consistent, with UAs here meaning any Webview-enabled hybrid app also - a very unlikely scenario IMO.
>> 
>> (Apologies if I'm repeating comments from earlier, but maybe they were on a call or in person, rather than in email.) 
>> 
>> It's true that users' ability to review user-agent managed DNT exceptions in a single place may depend on user agent implementations. It's possible that some users and some user agents will enable syncing of DNT preferences and stored DNT exceptions across devices -- as you've pointed out, the user agent itself could be in the cloud. There may also be cases where users don't sync these preferences by choice; we have seen evidence of users separating browsing activity by browser out of privacy concerns, and that users have different privacy concerns in different contexts (like their mobile phone versus their work desktop).
>> 
>> To your point (2), it may be that the UX of DNT preferences and exception handling will vary to some extent across browsers (that's our intention in not overspecifying UI). It seems to me unlikely that that variation will be larger than the variation of preference configuration across all Web sites and third party services.
>> 
>> For both of these reasons, the storage of DNT preferences in the browser has advantages for users. If users had to revoke each exception in more than one place, in their UA(s) and each site itself, it would remove one of the major advantages we identified with having user-agent stored exceptions.
>> 
> <Bryan> I'm still unconvinced, and think that conversely due to both of your answers that the DNT UX will not scale (i.e. be usable across the diversity of devices, browsers, and hybrid apps that most users have) unless there is overt support in the spec for distributed/cloud-based user-agent implementations (for DNT prefs mgmt/expression at least), and that the fragmentation in prefs mgmt UI across UAs is somehow addressed. I have no faith in the scalability of the UX without some progress in the latter especially, but I also don't think such defragmentation will be achievable through devices/browsers/apps alone. Managing DNT prefs will be a messy, high-overhead affair leading people to wholesale opt-out (bad for us all), unless there is effective cloud/network-based support for it.

Hi Bryan,

Are there specific changes you had in mind where the spec would need to be overt in supporting synchronizing preferences through the cloud or across devices?

As I understand it, in the other cases where existing browsers sync data across devices (bookmarks, stored passwords, browsing history, browser settings), there isn't anything explicit in the relevant HTML, JS or HTTP specs that enables that syncing; browser vendors are just implementing that as a tool for users of their software.

Thanks,
Nick

Received on Friday, 21 June 2013 00:13:46 UTC