RE: Call for proposals for ISSUE-194

That means that AdChoices compliant (or any) servers will need to react differently to users from different jurisdictions, because an EU citizen's browser request with DNT unset would have to be taken as equivalent to DNT:1. They may be able to use IPv4 addresses for that (sometimes) but it will not work for IPv6.

We need site-specific DNT:1 so the standard can address this contradiction.

Mike


-----Original Message-----
From: JC Cannon [mailto:jccannon@microsoft.com] 
Sent: 01 May 2013 17:06
To: rob@blaeu.com; Chris Mejia
Cc: Shane Wiley; Matthias Schunter (Intel Corporation); public-tracking@w3.org; Mike Zaneis; Lou Mastria - DAA; Marc Groman - NAI
Subject: RE: Call for proposals for ISSUE-194

Remember there is also the opt-out regime in place today that systems are already set up for. I would hope that we don't have to change systems when there is no DNT, which is the state for the most part today.

Thanks,
JC

-----Original Message-----
From: Rob van Eijk [mailto:rob@blaeu.com] 
Sent: Wednesday, May 1, 2013 8:42 AM
To: Chris Mejia
Cc: Shane Wiley; Matthias Schunter (Intel Corporation); public-tracking@w3.org; Mike Zaneis; Lou Mastria - DAA; Marc Groman - NAI
Subject: Re: Call for proposals for ISSUE-194


Hi Chris, Shane,
I am not disagreeing with you. I am saying that in absence of certainty, the default should be assumed to be on. This is in line with having a default unset in the EU and the interpretation of Rigo. The DAA framework indicates a default to be off by default. That is where I disagree.
Rob

Chris Mejia schreef op 2013-05-01 17:35:
> Rob, I agree with Shane. We have reached consensus as a group now, 
> twice, that DNT must be enabled/set by the individual user-- it cannot 
> be defaulted "on", and the default state must be unset. In another 
> related thread, Rigo makes an interesting point:
> 
>> _DNT unset means tracking in the US and "not tracking" in the EU.
>> This is the beauty of "unset" as a default. The default is then
>> altered by the user to either DNT:1 or DNT:0 on demand (and IMHO per
>> site, yes it works)_
> 
> While I don't necessarily agree that it's as black and white as Rigo 
> states (i.e. unset doesn't AUTOMATICALLY mean tracking will happen in 
> the US), his overall assertion makes some sense. Why couldn't certain 
> jurisdictions interpret the signal (or lack thereof) per local 
> regulation/law, and act accordingly?
> 
> Best,
> 
> Chris Mejia | Digital Supply Chain Solutions | Ad Technology Group | 
> Interactive Advertising Bureau - IAB
> 
> On 4/30/13 8:34 AM, "Shane Wiley" <wileys@yahoo-inc.com> wrote:
> 
>> Rob,
>> 
>> Are you suggesting this "DNT by Default" only for the EU (Global 
>> Considerations document) or are you suggesting this as a requirement 
>> globally? As this is a complete about face to the already agreed upon 
>> position of the working group I'm trying to better understand why 
>> you're introducing this concept so late in the game (so to speak).
>> 
>> Thank you,
>> Shane
>> 
>> -----Original Message-----
>> From: Rob van Eijk [mailto:rob@blaeu.com]
>> Sent: Tuesday, April 30, 2013 3:22 AM
>> To: Matthias Schunter (Intel Corporation)
>> Cc: public-tracking@w3.org
>> Subject: Re: Call for proposals for ISSUE-194
>> 
>> Hi Matthias,
>> 
>> For me, the goal of ensuring that sites reliably receive valid DNT 
>> signals is connected with the communication between sites and users.
>> The underlying problem for me is the ability to have a granular and 
>> valid DNT dialogue between a site and a user. The underlying problem 
>> is also connected to the defaults. My proposal starts with addressing 
>> the defaults and continues with a technical solution. I conclude with 
>> a text proposal.
>> 
>> Two weeks ago, I discussed DNT with DPAs in Prague. The consensus is 
>> that for DNT to be an effective instrument to provide user control, 
>> it is crucial that sites can be certain that the DNT signal which 
>> they receive is a true indication of the user’s wishes. The 
>> discussion on the defaults that was part of the DAA's proposal that 
>> was brought to the table on yesterday's call.
>> 
>> The DAA takes the position that DNT would be off by default. I 
>> strongly advise against this position. The consensus amongst DPAs is 
>> that in the absence of fully informed user choice a site must assume 
>> that a user is not aware of Web Tracking and therefore assume the 
>> default position as if they had received a DNT:1 signal, which 
>> indicates a wish from the user that this user prefers not to be 
>> tracked on the target site (TPE section 4.1).
>> 
>> To separate the noise from the music, the subject of reliably 
>> receiving valid DNT signals contains an element of trust. Trust can 
>> be established by creating a chain of identity, in which the level of 
>> authentication determines the level of trust. As a vehicle for the 
>> level of authentication, a session key or token can be used. The key or 
>> token can be stored temporarily in the cookie store or HTML5 local 
>> storage.
>> 
>> In line with the imperative of privacy by design, the level of 
>> authentication must be adequate, relevant and not excessive in 
>> relation to the purpose. To maintain the level of trust, the expiry 
>> of the authentication is something to consider. In other words, the 
>> lifespan of trust is important. For the purpose of the communication 
>> between a site and a user, I would think the duration of a session is 
>> enough. A session is proportional to the amount of time to maintain 
>> the level of trust.
>> 
>> What is considered a session is a level of detail we need to discuss 
>> further. For me there are a few elements that signal the end of a 
>> session, for example closing a browser, clearing the cookie, clearing 
>> the local storage, but also closing a browser tab. The latter is an 
>> invitation for the browser vendors to make expiry transparent to the 
>> user.
>> 
>> So in terms of concrete text, I propose the following:
>> 
>> <text proposal>
>> In the absence of a validated DNT signal, which indicates a fully 
>> informed user choice, a site MUST assume that a user is not aware of 
>> Web Tracking and therefore MUST assume the default position as if 
>> they had received a DNT:1 signal, which indicates a wish from the 
>> user that this user prefers not to be tracked on the target site.
>> 
>> Trust MAY be established by creating a chain of identity, in which 
>> the level of authentication determines the level of trust. As a 
>> vehicle for the level of authentication, sites MAY use a session key 
>> or token. The key or token MAY be stored temporarily in for example 
>> the cookie store or HTML5 local storage. The expiry of the key or 
>> token MUST be limited, and for a minimum MUST expire through 
>> automatic deletion when the Browser Tab closes.
>> </text proposal>
>> 
>> Looking forward to fruitful discussion at the forthcoming face 2 
>> face, Regards, Rob
>> 
>> Matthias Schunter (Intel Corporation) schreef op 2013-04-30 09:38:
>> 
>>> Hi Team,
>>> 
>>> during the last TPE call, we discussed ISSUE-194. One goal of
>>> ISSUE-194 is to ensure that sites reliably receive valid DNT 
>>> signals.
>>> Without such a mechanism, there is a risk that a multitude of things 
>>> spray DNT:1 signals (antivirus, network devices, operating systems, 
>>> ...; often without user interaction).
>>> As a consequence, sites can no longer reasonably be required to 
>>> listen to those signals.
>>> 
>>> We agreed that separating noise from signals is a valid concern and 
>>> there were concerns whether there exists any solution that satisfies 
>>> our goals.
>>> 
>>> If we could reliably distinguish between valid user 
>>> preferences/choice and noise from other entities on the net, then 
>>> this allows sites to actually reliably act on user preferences while 
>>> "D"isregarding the noise.
>>> 
>>> As part of discussing this further, I would like to issue a call for 
>>> proposals. The question is what mechanisms are envisioned that allow 
>>> sites to (more) reliably separate noise from preferences.
>>> 
>>> Any proposals (as responses) are welcome. My goal is to then discuss 
>>> and compare these proposals to understand whether they help sites 
>>> with this concern.
>>> 
>>> Regards,
>>> matthias

Received on Wednesday, 1 May 2013 17:17:37 UTC