- From: Dobbs, Brooks <Brooks.Dobbs@kbmg.com>
- Date: Tue, 8 Apr 2014 20:29:56 +0000
- To: Walter van Holst <walter.van.holst@xs4all.nl>, "public-tracking@w3.org" <public-tracking@w3.org>, Shane Wiley <wileys@yahoo-inc.com>
To quote Rush, who were clearly thinking of DNT in 1980, "If you choose not to decide, you still have made a choice". No signal is as valid a choice as 1 or 0, and must be afforded the same protections. This is not a compliance issue; it is a technical one. The technical spec must cover how a user choice is conveyed from client to server, which necessarily includes placing requirements on intermediaries such as plugins which may alter user choice (including the choice of not altering the default condition). If the UA wants the benefit of representing an individual's choice, it hardly seems a mistake that it MUST take the responsibility of conveying and/or reacting to the actual choice of the individual. Equally an origin server MUST NOT act on a signal which does not represent the choice of the individual. Perhaps this is the "technical" part of the technical spec we should have been concentrating on? That at least would have been something we could have tested implementations of. If we wind up with a spec that effectively says a valid signal MUST reflect the choice of the user if originated by a UA and MAY reflect the choice of an individual set by an intermediary, then we've done a very poor job. -Brooks -- Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the Wunderman Network (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com brooks.dobbs@kbmg.com This email including attachments may contain confidential information. If you are not the intended recipient, do not copy, distribute or act on it. Instead, notify the sender immediately and delete the message. On 4/8/14 3:59 PM, "Walter van Holst" <walter.van.holst@xs4all.nl> wrote: >On 2014-04-08 21:36, Shane M Wiley wrote: >> Walter, >> >> I agree that any technical standard that setups up compliance >> confirmation for the Server but not one for the signal setter is >> "pointless". While we've done our best to introduce this disconnect >> in the WG process, it was ultimately decided to punt on this issue. >> Expect to see more on this in Last Call comments. > >I maybe misreading, but this is not the reference I was asking for. >Also, on substance, I would say that any server that expects the user to >trust the server to adhere to whatever compliance spec the server claims >to adhere without trusting the user's expression of his or her tracking >preferences prima facie is a few clowns short of a circus. > >> That said, while difficult, web browser compliance can be discovered >> in a lab. We can install a web browser and a specific plug-in and >> observe the interactions to determine if there was compliance. > >Such observation is meaningless since you cannot verify remotely what >plug-ins are active on a browser. So even if you have observed that a >certain browser and plug-in combo violate the rule you are suggesting >(with or without resorting to decompilation of both, which may or may >not be IPR infringement), you cannot reliably observe for a certain >interaction that that browser and plug-in combo is in play. Because >there is nothing that prevents a plug-in that already willfully inserts >a DNT:1 signal in the HTTP-requests to override browser preferences from >removing any evidence of its presence from any HTTP-requests and to >filter out any API-calls by fingerprinting Javascript. So from the very >start a completely pointless exercise. We all have much better things to >do than soiling this process with fundamentally senseless issues like >this. Just stop it. > >Regards, > > Walter >
Received on Tuesday, 8 April 2014 20:30:27 UTC