Re: June Change Proposal: Partial Compliance from Jonathan Mayer on 2013-07-07 (public-tracking@w3.org from July 2013)

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Sun, 7 Jul 2013 14:05:24 -0700
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
Message-ID: <1EA1B3905FAA420B8CCA70B6835595C7@gmail.com>

I completely agree with Roy and Amy: We cannot mandate any sort of compliance, partial or otherwise.  This is a voluntary standard. 

We can, however, define what it means to be in compliance with the standard.  That definition has various implications, including under Section 5 of the Federal Trade Commission Act.

Let me give an example: Suppose we establish a standard that says a website cannot ignore a syntactically valid "DNT: 1" header.  Suppose a website claims "We honor Do Not Track!" but nevertheless disregards Internet Explorer 10 headers.  This proposal would better equip the FTC to bring an enforcement action against that website.  Put differently, the website is not mandated to honor Internet Explorer 10 headers.  But it would have to be open about its practices, e.g. "We honor Do Not Track (but not from Internet Explorer 10 users)!"

I'm surprised that this proposal is at all controversial.  Our shared aim has been to develop a consensus standard for web privacy.  All this proposal attempts to do is enhance transparency from websites that deviate from the standard.

Jonathan

On Monday, July 1, 2013 at 10:11 AM, Roy T. Fielding wrote:

> This is tracking-ISSUE-213
> 
> *sigh*
> 
> On Jul 1, 2013, at 10:09 AM, Roy T. Fielding wrote:
> > On Jun 30, 2013, at 3:02 PM, Thomas Roessler wrote:
> > > Thanks, noted here:
> > > http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Partial_Compliance
> > > 
> > > 
> > 
> > 
> > It is hopelessly impotent to require "not partial compliance", since
> > the first requirement that a partially compliant implementation
> > won't implement is that requirement.
> > 
> > The right way to require this is to create distinct communication
> > about full compliance or partial compliance or non-compliance,
> > each of which communicates a strict set of complied requirements.
> > It might be the case that we define a protocol that has no way to
> > communicate partial or non-compliance, which is a sensible design
> > point that this WG can reach agreement on (if we ever bother to
> > make a call for consensus).
> > 
> > Requiring full compliance, OTOH, is just senseless grandstanding.
> > We don't need to change the protocol to support a fear of
> > perception of compliance when we are a long way from convincing
> > anyone to comply at all.  We need to encourage people to implement.
> > 
> > ....Roy

Received on Sunday, 7 July 2013 21:05:54 UTC