TPE to CR: Advancing the conversation about Web tracking preferences

W3C's Tracking Protection Working Group today published the Candidate Recommendation of the Tracking Preference Expression (TPE) and calls for implementation and testing of the specification. Congratulations to the Working Group on this progress.

Abstract: This specification defines the DNT request header field as an HTTP mechanism for expressing the user's preference regarding tracking, an HTML DOM property to make that expression readable by scripts, and APIs that allow scripts to register site-specific exceptions granted by the user. It also defines mechanisms for sites to communicate whether and how they honor a received preference through use of the "Tk" response header field and well-known resources that provide a machine-readable tracking status.

The "DNT" header is one piece in a larger privacy conversation. The TPE enables users, through their user-agents, to send a standard signal, "Do Not Track", or alternatively to indicate that they do not mind being tracked; and it enables servers to recognize and respond to that user preference. DNT is implemented in most current browsers, so users can already make the technical request for privacy and ask for compliance by sites they frequent.

The Working Group was also chartered to define the meaning of compliance with the DNT preference. While the Working Group aims, in a second document, to define a compliance regime that may be useful across a wide range of use cases, it chose to make the standard flexible enough to work in a variety of regulatory or business scenarios by enabling sites to indicate (via a URI sent in tracking status responses or at a well-known location) what compliance regime they follow. They may choose to follow the W3C-defined Compliance specification or an alternate.

We welcome the work of other groups considering ways to use the DNT header. EFF and a coalition have announced an alternate, more stringent compliance policy. Users can install EFF's Privacy Badger extension to support that compliance policy by blocking non-compliant trackers. We see this building on top of the TPE specification not as a competing effort, but as expanding diversity of the Do Not Track ecosystem, using the language of the DNT header to convey a privacy request, and new compliance text to indicate their acceptable responses.

The importance of this work is highlighted by a recent finding from the Technical Architecture Group (TAG) on Unsanctioned Web Tracking. The TAG noted that tracking that abides by Web standards takes into account user needs for privacy and control over data flows, providing transparency to users and researchers, while "unsanctioned tracking" outside of well-defined mechanisms and standards tends to undermine user trust. TPE response and compliance can be tools of Web privacy transparency, helping sites to disclose their practices and meet user expectations. TPE thus enables sites to hear and respond to users' preferences about tracking -- giving alternatives to the regulation the TAG finding suggests might otherwise be necessary.

Next steps: Both the TPE and Compliance specifications are already implemented, but still need further testing (and resolution of remaining issues, on the Compliance spec) before they can be issued as W3C Recommendations. The Working Group will now focus on testing for interoperable implementations and addressing Last Call issues on the Compliance spec. We estimate that both specifications will be published as Recommendations in 2016.