Re: TPE Handling Out-of-Band Consent (including ISSUE-152)

> I do think that for DNT to work, you need to be able to figure out who
> thinks they have an exception to track.

As Matthias and I discussed back-and-forth (yesterday?), it should be
possible to do an asynchronous check, where a user who received an "L"
response comes to a well-known URI and submits a "Do you think you have an
out-of-band exception to track me?" query and comes back 24-48 hours later
for an answer (as long as they do not clear their cookies in-between the
query and the answer-check).  Of course instantaneous would be nicer, but
that isn't always possible.  This would still be transparent, eventually.

--ronan
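The asynchronous check sketched above (query at a well-known URI, answer collected later under the same cookie), as an added toy model that is not part of this thread or of the TPE specification. Names, the 202/404/410 status choices, and the ticket and time-window handling are all assumptions; the point is that the answer is only ever released to the cookie that asked.

```python
"""Toy model of the asynchronous out-of-band-consent (OOBC) lookup described
in the message above.  Hypothetical design; not taken from the TPE draft."""
import hmac
import secrets

PENDING, GRANTED, DENIED = "pending", "granted", "denied"
RETRY_AFTER_S = 24 * 3600      # "come back 24-48 hours later"
TICKET_TTL_S = 48 * 3600       # answer must be collected within that window


class AsyncConsentLookup:
    """Server side of the assumed well-known query/answer resource."""

    def __init__(self):
        # ticket -> {cookie it was issued to, submission time, batch result}
        self.tickets = {}

    def submit_query(self, cookie_id, now):
        """'Do you think you have an OOB exception to track me?'  Hands back an
        unguessable ticket bound to the caller's cookie; the actual consent
        lookup is deferred to a back-office job (record_result)."""
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = {"cookie": cookie_id, "at": now, "result": None}
        return ticket

    def record_result(self, ticket, has_consent):
        """Called by the batch job once the OOBC records have been consulted."""
        self.tickets[ticket]["result"] = GRANTED if has_consent else DENIED

    def check_answer(self, ticket, cookie_id, now):
        """Return (HTTP status, body).  The answer goes only to the same cookie
        that submitted the query, so a cleared cookie, or a ticket presented
        by someone else, learns nothing about this user's consent state."""
        t = self.tickets.get(ticket)
        if t is None or not hmac.compare_digest(t["cookie"], cookie_id):
            return 404, None
        if now - t["at"] > TICKET_TTL_S:
            del self.tickets[ticket]          # expired: forget the question
            return 410, None
        if t["result"] is None:
            return 202, {"status": PENDING, "retry_after": RETRY_AFTER_S}
        return 200, {"status": t["result"]}
```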

On Fri, Mar 22, 2013 at 4:39 PM, Justin Brookman <justin@cdt.org> wrote:

>  On 3/22/2013 3:42 PM, Ronan Heffernan wrote:
>
> Responding to a DNT:1 signal with an acknowledgement that a company
> follows DNT, and will abide by the restrictions (and permitted uses)
> therein, is easy.  Responding with real-time lookups of whether OOBC exists
> is quite difficult (in many cases impossible), especially for large-scale
> systems that use CDNs and other distributed processing, and systems that do
> not receive technical information required to perform OOBC lookups until
> after some browsing has already happened.
>
> I just don't understand why these concerns hadn't been raised in the
> previous two years of discussions (it is possible they have and I was
> paying less attention to TPE, but if they were, they were resolved to the
> editors' and chairs' satisfaction).  The mandatory response signal has been
> in the TPE for some time now.  I would like to hear from others if feedback
> is effectively impossible for OOB.  In which case, that's an argument that
> we should get rid of OOB and require implementation of the exception
> mechanism by user agents (something I had previously been reluctant to do).
>
> If I understand the part of your proposal about the client-side software
> overriding the user's DNT:1 with a DNT:0, I find that to be a troubling and
> dangerous suggestion, far more open to abuse and less transparent to users
> than non-real-time OOBC determination.
>
> I am thinking out loud trying to find a way past this impasse.  I do think
> that for DNT to work, you need to be able to figure out who thinks they
> have an exception to track.  I do not know that out-of-out-of-band consent
> is envisioned in the TPE, but conceptually, if you have a user's opt-in
> permission to override browser settings via your own software, there's
> nothing in the compliance standard that would or should stop you from doing
> that.  And it would be discoverable by at least a sophisticated end user
> that he was sending out DNT:0 signals to Nielsen domains.  Not saying this
> is optimal, but it may be better than no visibility whatsoever into who
> asserts consent to track.  And less subject to abuse precisely because of
> this visibility.
>

Received on Friday, 22 March 2013 22:06:12 UTC