Re: TPE Handling Out-of-Band Consent (including ISSUE-152)

Roy,

Yes, I think that Alex Deliyannis expressed these same concerns, because of
our shared experience implementing large-scale, globally-distributed WWW
systems.  Perhaps we were negligent in not periodically re-raising our
concerns about requiring complex real-time processing in light-weight
distributed nodes.

Your proposal to include this as part of a "3" response sounds interesting,
and I will review that section of the draft.  Thanks.

--ronan



On Fri, Mar 22, 2013 at 5:53 PM, Roy T. Fielding <fielding@gbiv.com> wrote:

> On Mar 22, 2013, at 1:39 PM, Justin Brookman wrote:
> > On 3/22/2013 3:42 PM, Ronan Heffernan wrote:
> >> Responding to a DNT:1 signal with an acknowledgement that a company
> follows DNT, and will abide by the restrictions (and permitted uses)
> therein, is easy.  Responding with real-time lookups of whether OOBC exists
> is quite difficult (in many cases impossible), especially for large-scale
> systems that use CDNs and other distributed processing, and systems that do
> not receive technical information required to perform OOBC lookups until
> after some browsing has already happened.
> > I just don't understand why these concerns hadn't been raised in the
> previous two years of discussions (it is possible they have and I was
> paying less attention to TPE, but if they were, they were resolved to the
> editors' and chairs' satisfaction).  The mandatory response signal has been
> in the TPE for some time now.  I would like to hear from others if feedback
> is effectively impossible for OOB.  In which case, that's an argument that
> we need should get rid of OOB and require implementation of the exception
> mechanism by user agents (something I had previously been reluctant to do).
>
> I think Alex raised the issue early on and we simply neglected
> to design for it.  There do exist systems that only *use* collected data
> in essentially offline batch processing, so it is reasonable for a site
> to say "we are collecting data for all transactions but will only retain
> and use data from users identified as having previously given consent".
>
> I would not suggest using "C" for that.  It is a different answer.
>
> Alternatively, we could just make it part of the "3" definition to
> be that DNT:1 data will not be retained (beyond the minimum period
> allowed for non-processed raw data) unless agreed to separately by
> the user under contract.  That would be consistent with prior consent
> overriding DNT.
>
> And, again, whether or not this meets what the user asked by DNT:1
> depends entirely on the definition of Do Not Track.  If DNT:1 means
> let me browse anonymously, then sites that can't support anonymous
> browsing can't comply with DNT. Panel studies should simply
> require that members in the panel turn off DNT.
>
> OTOH, if DNT:1 means do not follow my activity across non-affiliated
> sites without my prior consent, then it would be sufficient for
> OOB consent sites to implement DNT by stating that the data will be
> deleted within X hours if it does not correspond to a user that has
> consented.
>
> ....Roy
>

Received on Friday, 22 March 2013 22:18:31 UTC