Re: June Change Proposal, user agent compliance, ISSUE-172, ISSUE-194 from Alan Chapell on 2013-06-26 (public-tracking@w3.org from June 2013)

From: Alan Chapell <achapell@chapellassociates.com>
Date: Wed, 26 Jun 2013 08:17:52 -0400
To: Justin Brookman <jbrookman@cdt.org>, "public-tracking@w3.org Group" <public-tracking@w3.org>
Message-ID: <CDF051A9.34258%achapell@chapellassociates.com>
Justin,

I disagree. As of mid-March when it was agreed that UA disclosures would be
revisited, the "explicit choice for privacy language" was only ok if the
browser/plug-in/UA also was able to meet the disclosure guidelines.

I do agree that disclosure requirements for UGE/OOBC should mirror the UA
disclosure requirements.
 
From:  Justin Brookman <jbrookman@cdt.org>
Date:  Tuesday, June 25, 2013 2:43 PM
To:  "public-tracking@w3.org Group" <public-tracking@w3.org>
Subject:  June Change Proposal, user agent compliance, ISSUE-172, ISSUE-194
Resent-From:  <public-tracking@w3.org>
Resent-Date:  Tue, 25 Jun 2013 18:43:44 +0000

> I believe that that June draft is overly prescriptive on user agent
> compliance, and backtracks on a previous group decision to allow user agents
> to send DNT:1 when the user makes an explicit choice for privacy (jt also
> backtracks on our prior agreement to be equally prescriptive in dictating
> interface for setting DNT in the first place and for granting UGE/OOBC).  I
> propose to restate User Agent Compliance to mirror existing language in the
> TPE:
> 
> The goal of this protocol is to allow a user to express their personal
> preference regarding tracking to each server and web application that they
> communicate with via HTTP, thereby allowing each service to either adjust
> their behavior to meet the user's expectations or reach a separate agreement
> with the user to satisfy all parties.
> 
> Key to that notion of expression is that the signal sent must reflect the
> user's preference, not the choice of some vendor, institution, site, or any
> network-imposed mechanism outside the user's control; this applies equally to
> both the general preference and exceptions. The basic principle is that a
> tracking preference expression is only transmitted when it reflects a
> deliberate choice by the user. In the absence of user choice, there is no
> tracking preference expressed.
> 
> A user agent must offer users a minimum of two alternative choices for a Do
> Not Track preference: unset or DNT:1. A user agent may offer a third
> alternative choice: DNT:0.
> 
> If the user's choice is DNT:1 or DNT:0, the tracking preference is enabled;
> otherwise, the tracking preference is not enabled.
> 
> A user agent must have a default tracking preference of unset (not enabled)
> unless a specific tracking preference is implied by the decision to use that
> agent. For example, use of a general-purpose browser would not imply a
> tracking preference when invoked normally as SuperFred, but might imply a
> preference if invoked as SuperDoNotTrack or UltraPrivacyFred. Likewise, a user
> agent extension or add-on must not alter the tracking preference unless the
> act of installing and enabling that extension or add-on is an explicit choice
> by the user for that tracking preference.
> 
> A user agent extension or add-on must not alter the user's tracking preference
> setting unless it complies with the requirements in this document, including
> but not limited to this section (Determining a User Preference). Software
> outside of the user agent that causes a DNT header to be sent (or causes
> existing headers to be modified) must not do so without ensuring that the
> requirements of this section are met; such software also must ensure the
> transmitted preference reflects the individual user's preference.
> 
> We do not specify how tracking preference choices are offered to the user or
> how the preference is enabled: each implementation is responsible for
> determining the user experience by which a tracking preference is enabled
> <http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#dfn-enabl
> ed> . For example, a user might select a check-box in their user agent's
> configuration, install an extension or add-on that is specifically designed to
> add a tracking preference expression, or make a choice for privacy that then
> implicitly includes a tracking preference (e.g., Privacy settings: high). The
> user-agent might ask the user for their preference during startup, perhaps on
> first use or after an update adds the tracking protection feature. Likewise, a
> user might install or configure a proxy to add the expression to their own
> outgoing requests.
> 
> Although some controlled network environments, such as public access terminals
> or managed corporate intranets, might impose restrictions on the use or
> configuration of installed user agents, such that a user might only have
> access to user agents with a predetermined preference enabled, the user is at
> least able to choose whether to make use of those user agents. In contrast, if
> a user brings their own Web-enabled device to a library or cafe with wireless
> Internet access, the expectation will be that their chosen user agent and
> personal preferences regarding Web site behavior will not be altered by the
> network environment, aside from blanket limitations on what resources can or
> cannot be accessed through that network. Implementations of HTTP that are not
> under control of the user must not generate or modify a tracking preference.
Received on Wednesday, 26 June 2013 12:18:24 UTC