W3C home > Mailing lists > Public > public-tracking@w3.org > August 2017

RE: TPE latest

From: Rob van Eijk <rob@blaeu.com>
Date: Thu, 31 Aug 2017 07:37:37 +0000
To: Shane M Wiley <wileys@oath.com>
Cc: Roy T. Fielding <fielding@gbiv.com>, public-tracking@w3.org <public-tracking@w3.org>
Message-ID: <0102015e373952d8-d8e572d3-442e-43f4-a7be-44d901c8f42b-000000@eu-west-1.amazonses.com>
Hi Shane,

Sure, WP29's guidance on tracking cookies is about privacy be default. I re-phrased this as DNT = do not collect without my consent many occasions. But, to me, 10.1 is not about consent, but about enabling the protocol by the user in order to express consent on behalf of the user.

Since the DNT protocol has a distinct signaling role, browser vendors and OS manufacturers have their role to play in enabling DNT at first use. This falls well within the scope of the concept of privacy by default. 


A pre-checked box does not sit in a dialogue in isolation, it usually has to be confirmed and that active confirmation, e.g. with a button to move to the next dialogue box, or to, e.g. save the settings, it is still an unambigous decision, i.e. the end user has to take action on first use, after having been informed and after the end user understood what the (legal) implication of that action is going to be. To be clear, a pre-checked box in isolation is not privacy by default; but I think that would be an edge case.

Rob

-----Original message-----
From: Shane M Wiley
Sent: Thursday, August 31 2017, 7:33 am
To: Rob van Eijk
Cc: Roy T. Fielding; public-tracking@w3.org
Subject: RE: TPE latest

Rob,

I thought A29WP guidance was for consent to be valid a publisher is unable to provide a pre-checked box but now you feel for DNT to be activated its okay to pre-check the box?  If this is true then publisher consent dialogues should also be able to be pre-checked with user confirmation, correct?

- Shane

Sent from a mobile device so please excuse brevity and typos

On Aug 30, 2017 10:20 PM, "Rob van Eijk" <rob@blaeu.com <mailto:rob@blaeu.com> > wrote:
I understand the rationale and I do not disagree. The rationale should be moved to  5.2 as it has a clarifying function there.

On Xbox one, if the dialog had a preselected setting that needed confirmation at first use, I do not see the problem. Seems to me a clear example of confirmation by the user of the setting ar first use.The user action in this use case seems to me the confirm button. 
 Moreover, UI is out of scope. 
Rob

-----Original message-----
From: Roy T. Fielding
Sent: Thursday, August 31 2017, 2:50 am
To: Rob van Eijk
Cc: public-tracking@w3.org <mailto:public-tracking@w3.org> 
Subject: Re: TPE latest

On Aug 30, 2017, at 6:45 AM, Rob van Eijk <rob@blaeu.com <mailto:rob@blaeu.com> > wrote:

Moreover, Subsection 10.1 is redundant as it is already explained in subsection 5.2. Moreover, subsection 10.1 is not a privacy consideration as such. It has a clarifying function, which is already addressed in subsection 5.2. 

Therefore, I suggest deleting subsection 10.1. (I made the remark on 21 August, URL: https://lists.w3.org/Archives/Public/public-tracking/2017Aug/0017.html).


And my response still stands: we are encountering implementations and
public statements that explicitly violate the protocol semantics of 5.2.


For example, my recently acquired XBOX ONE S web browser, which claims to be
Edge, just popped up the privacy dialog on first use this weekend and it had
sending of DNT:1 pre-selected for me.

I think that more than justifies a little redundancy in the spec, particularly
since section 10.1 doesn't just restate the requirements -- it explains their rationale
with regard to privacy considerations.

....Roy
Received on Thursday, 31 August 2017 07:38:01 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:39 UTC