RE: Call for proposals for ISSUE-194

Remember there is also the opt-out regime in place today that systems are already set up for. I would hope that we don't have to change systems when there is no DNT, which is the state for the most part today.

Thanks,
JC

-----Original Message-----
From: Rob van Eijk [mailto:rob@blaeu.com] 
Sent: Wednesday, May 1, 2013 8:42 AM
To: Chris Mejia
Cc: Shane Wiley; Matthias Schunter (Intel Corporation); public-tracking@w3.org; Mike Zaneis; Lou Mastria - DAA; Marc Groman - NAI
Subject: Re: Call for proposals for ISSUE-194


Hi Chris, Shane,
I am not disagreeing with you. I am saying that in absence of certainty, the default should be assumed to be on. This is in line with having a default unset in the EU and the interpretation of Rigo. The DAA framework indicates a default to be off by default. That is where I disagree.
Rob

Chris Mejia wrote on 2013-05-01 17:35:
> Rob, I agree with Shane. We have reached consensus as a group now, 
> twice, that DNT must be enabled/set by the individual user-- it cannot 
> be defaulted "on", and the default state must be unset. In another 
> related thread, Rigo makes an interesting point:
> 
>> _DNT unset means tracking in the US and "not tracking" in the EU. This is
>> the beauty of "unset" as a default. The default is then altered by the
>> user to either DNT:1 or DNT:0 on demand (and IMHO per site, yes it works)_
> 
> While I don't necessarily agree that it's as black and white as Rigo 
> states (i.e. unset doesn't AUTOMATICALLY mean tracking will happen in 
> the US), his overall assertion makes some sense. Why couldn't certain 
> jurisdictions interpret the signal (or lack thereof) per local 
> regulation/law, and act accordingly?
> 
> Best,
> 
> Chris Mejia | Digital Supply Chain Solutions | Ad Technology Group | 
> Interactive Advertising Bureau - IAB
> 
> On 4/30/13 8:34 AM, "Shane Wiley" <wileys@yahoo-inc.com> wrote:
> 
>> Rob,
>> 
>> Are you suggesting this "DNT by Default" only for the EU (Global 
>> Considerations document) or are you suggesting this as a requirement 
>> globally? As this is a complete about face to the already agreed upon 
>> position of the working group I'm trying to better understand why 
>> you're introducing this concept so late in the game (so to speak).
>> 
>> Thank you,
>> Shane
>> 
>> -----Original Message-----
>> From: Rob van Eijk [mailto:rob@blaeu.com]
>> Sent: Tuesday, April 30, 2013 3:22 AM
>> To: Matthias Schunter (Intel Corporation)
>> Cc: public-tracking@w3.org
>> Subject: Re: Call for proposals for ISSUE-194
>> 
>> Hi Matthias,
>> 
>> For me, the goal of ensuring that sites reliably receive valid DNT 
>> signals is connected with the communication between sites and users.
>> The underlying problem for me is the ability to have a granular and 
>> valid DNT dialogue between a site and a user. The underlying problem 
>> is also connected to the defaults. My proposal starts with addressing 
>> the defaults and continues with a technical solution. I conclude with 
>> a text proposal.
>> 
>> Two weeks ago, I discussed DNT with DPAs in Prague. The consensus is 
>> that for DNT to be an effective instrument to provide user control, 
>> it is crucial that sites can be certain that the DNT signal which 
>> they receive is a true indication of the user’s wishes. The 
>> discussion on the defaults that was part of the DAA's proposal that 
>> was brought to the table on yesterday's call.
>> 
>> The DAA takes the position that DNT would be off by default. I 
>> strongly advise against this position. The consensus amongst DPAs is 
>> that in the absence of fully informed user choice a site must assume 
>> that a user is not aware of Web Tracking and therefore assume the 
>> default position as if they had received a DNT:1 signal, which 
>> indicates a wish from the user that this user prefers not to be 
>> tracked on the target site (TPE section 4.1).
>> 
>> To separate the noise from the music, the subject of reliably 
>> receiving valid DNT signals contains an element of trust. Trust can 
>> be established by creating a chain of identity, in which the level of 
>> authentication determines the level of trust. As a vehicle for the 
>> level of authentication, a session key or token can be used. The key or 
>> token can be stored temporarily in the cookie store or HTML5 local 
>> storage.
>> 
>> In line with the imperative of privacy by design, the level of 
>> authentication must be adequate, relevant and not excessive in 
>> relation to the purpose. To maintain the level of trust, the expiry 
>> of the authentication is something to consider. In other words, the 
>> lifespan of trust is important. For the purpose of the communication 
>> between a site and a user, I would think the duration of a session is 
>> enough. A session is proportional to the amount of time to maintain 
>> the level of trust.
>> 
>> What is considered a session is a level of detail we need to discuss 
>> further. For me there are a few elements that signal the end of a 
>> session, for example closing a browser, clearing the cookie, clearing 
>> the local storage, but also closing a browser tab. The latter is an 
>> invitation for the browser vendors to make expiry transparent to the 
>> user.
>> 
>> So in terms of concrete text, I propose the following:
>> 
>> <text proposal>
>> In the absence of a validated DNT signal, which indicates a fully 
>> informed user choice, a site MUST assume that a user is not aware of 
>> Web Tracking and therefore MUST assume the default position as if 
>> they had received a DNT:1 signal, which indicates a wish from the 
>> user that this user prefers not to be tracked on the target site.
>> 
>> Trust MAY be established by creating a chain of identity, in which 
>> the level of authentication determines the level of trust. As a 
>> vehicle for the level of authentication, sites MAY use a session key 
>> or token. The key or token MAY be stored temporarily in for example 
>> the cookie store or HTML5 local storage. The expiry of the key or 
>> token MUST be limited, and for a minimum MUST expire through 
>> automatic deletion when the Browser Tab closes.
>> </text proposal>
>> 
>> Looking forward to fruitful discussion at the forthcoming face 2 
>> face,
>> Regards, Rob
>> 
>> Matthias Schunter (Intel Corporation) wrote on 2013-04-30 09:38:
>> 
>>> Hi Team,
>>> 
>>> during the last TPE call, we discussed ISSUE-194. One goal of
>>> ISSUE-194 is to ensure that sites reliably receive valid DNT 
>>> signals.
>>> Without such a mechanism, there is a risk that a multitude of things 
>>> spray DNT:1 signals (antivirus, network devices, operating systems, 
>>> ...; often without user interaction).
>>> As a consequence, sites can no longer reasonably be required to 
>>> listen to those signals.
>>> 
>>> We agreed that separating noise from signals is a valid concern and 
>>> there were concerns whether there exists any solution that satisfies 
>>> our goals.
>>> 
>>> If we could reliably distinguish between valid user 
>>> preferences/choice and noise from other entities on the net, then 
>>> this allows sites to actually reliably act on user preferences while 
>>> "D"isregarding the noise.
>>> 
>>> As part of discussing this further, I would like to issue a call for 
>>> proposals. The question is what mechanisms are envisioned that allow 
>>> sites to (more) reliably separate noise from preferences.
>>> 
>>> Any proposals (as responses) are welcome. My goal is to then discuss 
>>> and compare these proposals to understand whether they help sites 
>>> with this concern.
>>> 
>>> Regards,
>>> matthias

Received on Wednesday, 1 May 2013 16:06:34 UTC