W3C home > Mailing lists > Public > public-tracking@w3.org > March 2013

Re: TPE Handling Out-of-Band Consent (including ISSUE-152)

From: Roy T. Fielding <fielding@gbiv.com>
Date: Fri, 22 Mar 2013 14:53:35 -0700
Cc: public-tracking@w3.org
Message-Id: <66BFB49D-251F-4FC8-9D09-80E1E62782A0@gbiv.com>
To: Justin Brookman <justin@cdt.org>
On Mar 22, 2013, at 1:39 PM, Justin Brookman wrote:
> On 3/22/2013 3:42 PM, Ronan Heffernan wrote:
>> Responding to a DNT:1 signal with an acknowledgement that a company follows DNT, and will abide by the restrictions (and permitted uses) therein, is easy.  Responding with real-time lookups of whether OOBC exists is quite difficult (in many cases impossible), especially for large-scale systems that use CDNs and other distributed processing, and systems that do not receive technical information required to perform OOBC lookups until after some browsing has already happened.
> I just don't understand why these concerns hadn't been raised in the previous two years of discussions (it is possible they have and I was paying less attention to TPE, but if they were, they were resolved to the editors' and chairs' satisfaction).  The mandatory response signal has been in the TPE for some time now.  I would like to hear from others if feedback is effectively impossible for OOB.  In which case, that's an argument that we need should get rid of OOB and require implementation of the exception mechanism by user agents (something I had previously been reluctant to do).

I think Alex raised the issue early on and we simply neglected
to design for it.  There do exist systems that only *use* collected data
in essentially offline batch processing, so it is reasonable for a site
to say "we are collecting data for all transactions but will only retain
and use data from users identified as having previously given consent".

I would not suggest using "C" for that.  It is a different answer.

Alternatively, we could just make it part of the "3" definition to
be that DNT:1 data will not be retained (beyond the minimum period
allowed for non-processed raw data) unless agreed to separately by
the user under contract.  That would be consistent with prior consent
overriding DNT.

And, again, whether or not this meets what the user asked by DNT:1
depends entirely on the definition of Do Not Track.  If DNT:1 means
let me browse anonymously, then sites that can't support anonymous
browsing can't comply with DNT. Panel studies should simply
require that members in the panel turn off DNT.

OTOH, if DNT:1 means do not follow my activity across non-affiliated
sites without my prior consent, then it would be sufficient for
OOB consent sites to implement DNT by stating that the data will be
deleted within X hours if it does not correspond to a user that has
consented.

....Roy
Received on Friday, 22 March 2013 21:53:58 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:07 UTC