Re: TPE Handling Out-of-Band Consent (including ISSUE-152)

Eventually is not good enough. It seriously undermines the whole concept of DNT as a consent mechanism.

Rob

Ronan Heffernan <ronansan@gmail.com> wrote:

>> I do think that for DNT to work, you need to be able to figure out who thinks they have an exception to track.
>
>As Matthias and I discussed back-and-forth (yesterday?), it should be possible to do an asynchronous check, where a user who received an "L" response comes to a well-known URI and submits a "Do you think you have an out-of-band exception to track me?" query and comes back 24-48 hours later for an answer (as long as they do not clear their cookies in-between the query and the answer-check).  Of course instantaneous would be nicer, but that isn't always possible.  This would still be transparent, eventually.
>
>--ronan
>
>
>
>On Fri, Mar 22, 2013 at 4:39 PM, Justin Brookman <justin@cdt.org> wrote:
>
>>  On 3/22/2013 3:42 PM, Ronan Heffernan wrote:
>>
>> Responding to a DNT:1 signal with an acknowledgement that a company follows DNT, and will abide by the restrictions (and permitted uses) therein, is easy.  Responding with real-time lookups of whether OOBC exists is quite difficult (in many cases impossible), especially for large-scale systems that use CDNs and other distributed processing, and systems that do not receive technical information required to perform OOBC lookups until after some browsing has already happened.
>>
>> I just don't understand why these concerns hadn't been raised in the previous two years of discussions (it is possible they have and I was paying less attention to TPE, but if they were, they were resolved to the editors' and chairs' satisfaction).  The mandatory response signal has been in the TPE for some time now.  I would like to hear from others if feedback is effectively impossible for OOB.  In which case, that's an argument that we need to get rid of OOB and require implementation of the exception mechanism by user agents (something I had previously been reluctant to do).
>>
>> If I understand the part of your proposal about the client-side software overriding the user's DNT:1 with a DNT:0, I find that to be a troubling and dangerous suggestion, far more open to abuse and less transparent to users than non-real-time OOBC determination.
>>
>> I am thinking out loud trying to find a way past this impasse.  I do think that for DNT to work, you need to be able to figure out who thinks they have an exception to track.  I do not know that out-of-out-of-band consent is envisioned in the TPE, but conceptually, if you have a user's opt-in permission to override browser settings via your own software, there's nothing in the compliance standard that would or should stop you from doing that.  And it would be discoverable by at least a sophisticated end user that he was sending out DNT:0 signals to Nielsen domains.  Not saying this is optimal, but it may be better than no visibility whatsoever into who asserts consent to track.  And less subject to abuse precisely because of this visibility.
>>

Received on Saturday, 23 March 2013 07:41:31 UTC
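The asynchronous out-of-band-consent check that Ronan sketches in the quoted reply (a DNT:1 request answered with an "L" status, a query submitted at a well-known URI, and an answer fetched a day or two later against a cookie) can be modelled end to end. The Python below is an added example written for this page; it is not code from the W3C TPE, from any list participant, or from Nielsen. The well-known paths, the cookie name, the 24-hour backend delay and the sample consent records are all assumptions, and the string "L" is used only because the thread refers to it, with no claim about its TPE definition. The simulation also exercises the two caveats the thread raises: the answer is simply "pending" if the user returns too early, and it is lost entirely if the cookie is cleared between the query and the answer check, which is the transparency gap Rob objects to.

```python
import secrets
from dataclasses import dataclass, field

# Assumed names for this simulation; the TPE defines no such well-known resources.
QUERY_PATH = "/.well-known/oobc-query"
ANSWER_PATH = "/.well-known/oobc-answer"
COOKIE_NAME = "oobc_ticket"
HOUR = 3600
LOOKUP_DELAY = 24 * HOUR  # the thread quotes 24-48 hours before an answer is available


@dataclass
class ConsentBackend:
    """Slow consent store: a lookup submitted at t0 can be answered only once now >= t0 + delay."""
    records: dict  # subject_id -> True if the tracker holds out-of-band consent (constructed sample data)
    delay: int

    def answer(self, subject_id, submitted_at, now):
        if now - submitted_at < self.delay:
            return None  # not ready yet
        return self.records.get(subject_id, False)


@dataclass
class TrackerServer:
    backend: ConsentBackend
    pending: dict = field(default_factory=dict)  # ticket -> (subject_id, submitted_at)

    def handle(self, path, headers, cookies, subject_id, now):
        """Return (status, response_headers, body). subject_id stands for whatever identifier the
        tracker already keys consent on; the simulation passes it in instead of deriving it from cookies."""
        if path == QUERY_PATH:
            # Unguessable ticket so one user cannot read another user's answer.
            ticket = secrets.token_urlsafe(16)
            self.pending[ticket] = (subject_id, now)
            return 200, {"Set-Cookie": f"{COOKIE_NAME}={ticket}"}, "query recorded; check back later"
        if path == ANSWER_PATH:
            ticket = cookies.get(COOKIE_NAME)
            if ticket not in self.pending:
                # Missing or cleared cookie: the query cannot be matched, the caveat Ronan notes.
                return 404, {}, "no query on file"
            sid, submitted_at = self.pending[ticket]
            result = self.backend.answer(sid, submitted_at, now)
            if result is None:
                return 202, {}, "pending"
            del self.pending[ticket]  # single-use ticket
            return 200, {}, "consent claimed" if result else "no consent claimed"
        # Ordinary resource: answer DNT:1 with the "L" status the thread refers to (no further meaning assumed).
        tk = {"Tk": "L"} if headers.get("DNT") == "1" else {}
        return 200, tk, "page content"


def run_scenarios():
    """Three client flows against one server; returns the observable outcome of each."""
    backend = ConsentBackend(records={"user-A": True, "user-B": False}, delay=LOOKUP_DELAY)
    server = TrackerServer(backend)
    t0 = 1_000_000
    out = {}

    # 1. user-A: DNT:1 request, query, check after 1h (too early) and again after 30h with the cookie kept.
    _, hdrs, _ = server.handle("/page", {"DNT": "1"}, {}, "user-A", t0)
    out["tk_on_dnt1"] = hdrs.get("Tk")
    _, hdrs, _ = server.handle(QUERY_PATH, {"DNT": "1"}, {}, "user-A", t0)
    jar_a = {COOKIE_NAME: hdrs["Set-Cookie"].split("=", 1)[1]}
    out["a_too_early"] = server.handle(ANSWER_PATH, {}, jar_a, "user-A", t0 + 1 * HOUR)[0]
    out["a_answer"] = server.handle(ANSWER_PATH, {}, jar_a, "user-A", t0 + 30 * HOUR)[2]

    # 2. user-B: same flow, but the backend holds no consent record for this subject.
    _, hdrs, _ = server.handle(QUERY_PATH, {"DNT": "1"}, {}, "user-B", t0)
    jar_b = {COOKIE_NAME: hdrs["Set-Cookie"].split("=", 1)[1]}
    out["b_answer"] = server.handle(ANSWER_PATH, {}, jar_b, "user-B", t0 + 30 * HOUR)[2]

    # 3. user-A again, with the cookie jar cleared before the answer check: the answer is unreachable.
    server.handle(QUERY_PATH, {"DNT": "1"}, {}, "user-A", t0)
    out["cleared_cookies"] = server.handle(ANSWER_PATH, {}, {}, "user-A", t0 + 30 * HOUR)[0]
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The ticket is random rather than derived from the subject identifier so that the answer endpoint discloses consent status only to the browser that asked; the trade-off, visible in scenario 3, is that the same cookie is the only link back to the query, so the user's own privacy hygiene (clearing cookies) silently discards the transparency the mechanism was meant to provide.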