
Re: TPE latest

From: Matthias Schunter (Intel Corporation) <mts-std@schunter.org>
Date: Thu, 31 Aug 2017 09:52:53 +0200
To: public-tracking@w3.org
Message-ID: <23d31867-30fd-8519-d21f-8bbeb484de83@schunter.org>

Hi Shane/Rob/Roy,

thanks a lot for your inputs.

While this is an important discussion, I would like to push it out to an
EU deployment spec. I would expect that one needs to define defaults and
what to assume if no DNT is sent.

The current approach of TPE is that a vendor must not send a DNT value
without prior collection of an unambiguous choice by the user.

A box to be clicked/removed/changed/confirmed IMHO is such a choice.
This can be at install time or any other time before starting to send DNT.

If the current spec is not clearly describing this approach, we should
put an editorial improvement into the queue for the next release.

Unless anyone cannot live with this approach, I would like to defer the
discussion of "what specific UA and what specific implementation meets
this requirement" a bit and focus on getting the CR published.


On 31.08.2017 09:37, Rob van Eijk wrote:
> Hi Shane,
> Sure, WP29's guidance on tracking cookies is about privacy by default. I
> re-phrased this as DNT = do not collect without my consent on many
> occasions. But, to me, 10.1 is not about consent, but about enabling the
> protocol by the user in order to express consent on behalf of the user.
> Since the DNT protocol has a distinct signaling role, browser vendors
> and OS manufacturers have their role to play in enabling DNT at first
> use. This falls well within the scope of the concept of privacy by default.
> A pre-checked box does not sit in a dialogue in isolation, it usually
> has to be confirmed and that active confirmation, e.g. with a button to
> move to the next dialogue box, or to, e.g. save the settings, it is
> still an unambiguous decision, i.e. the end user has to take action on
> first use, after having been informed and after the end user understood
> what the (legal) implication of that action is going to be. To be clear,
> a pre-checked box in isolation is not privacy by default; but I think
> that would be an edge case.
> Rob
>     -----Original message-----
>     *From:* Shane M Wiley
>     *Sent:* Thursday, August 31 2017, 7:33 am
>     *To:* Rob van Eijk
>     *Cc:* Roy T. Fielding; public-tracking@w3.org
>     *Subject:* RE: TPE latest
>     Rob,
>     I thought A29WP guidance was for consent to be valid a publisher is
>     unable to provide a pre-checked box but now you feel for DNT to be
>     activated it's okay to pre-check the box?  If this is true then
>     publisher consent dialogues should also be able to be pre-checked
>     with user confirmation, correct?
>     - Shane
>     Sent from a mobile device so please excuse brevity and typos
>     On Aug 30, 2017 10:20 PM, "Rob van Eijk" <rob@blaeu.com> wrote:
>         I understand the rationale and I do not disagree. The rationale
>         should be moved to 5.2 as it has a clarifying function there.
>         On Xbox one, if the dialog had a preselected setting that needed
>         confirmation at first use, I do not see the problem. Seems to me
>         a clear example of confirmation by the user of the setting at
>         first use. The user action in this use case seems to me the
>         confirm button.
>         Moreover, UI is out of scope.
>         Rob
>             -----Original message-----
>             *From:* Roy T. Fielding
>             *Sent:* Thursday, August 31 2017, 2:50 am
>             *To:* Rob van Eijk
>             *Cc:* public-tracking@w3.org
>             *Subject:* Re: TPE latest
>>             On Aug 30, 2017, at 6:45 AM, Rob van Eijk <rob@blaeu.com> wrote:
>>             Moreover, Subsection 10.1 is redundant as it is already
>>             explained in subsection 5.2. Moreover, subsection 10.1 is
>>             not a privacy consideration as such. It has a clarifying
>>             function, which is already addressed in subsection 5.2. 
>>             Therefore, I suggest deleting subsection 10.1. (I made the remark on 21 August, URL: https://lists.w3.org/Archives/Public/public-tracking/2017Aug/0017.html).
>             And my response still stands: we are encountering
>             implementations and public statements that explicitly
>             violate the protocol semantics of 5.2.
>             For example, my recently acquired XBOX ONE S web browser,
>             which claims to be Edge, just popped up the privacy dialog
>             on first use this weekend and it had sending of DNT:1
>             pre-selected for me.
>             I think that more than justifies a little redundancy in the
>             spec, particularly since section 10.1 doesn't just restate
>             the requirements -- it explains their rationale with regard
>             to privacy considerations.
>             ....Roy
Received on Thursday, 31 August 2017 07:53:21 UTC