Re: tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking Definitions and Compliance] from Matthias Schunter on 2012-06-17 (public-tracking@w3.org from June 2012)

From: Matthias Schunter <mts-std@schunter.org>
Date: Sun, 17 Jun 2012 19:14:44 +0200
To: Justin Brookman <justin@cdt.org>
CC: "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <4FDE1084.1070208@schunter.org>
Hi Justin,


my humble opinion...

We have agreed that the DNT value should reflect the preference of the
user. This includes that it is OK if a privacy-suite that is installed
by the user (as an expression of preference) modifies Mozilla to send
DNT;1 (or inserts a corresponding plugin or installs a modified  browser).

I believe that just ignoring the DNT header is not an option (no matter
what tool has inserted it). This holds for DNT;1 as well as DNT;0. The
reason (from my perspective) is that this would violate the principle of
transparency.

The only thing an enterprise may do is to tell the user that it's
preference of DNT;1 is not acceptable (e.g., by redirecting to a special
landing page). This rejection can have various reasons and it seems to
be similar to the case where we agreed that sites may choose to refuse
to serve DNT;1 users or choose to offer a version with 'light'  or paid
content. This landing page may also ask for changing settings etc.

Whether these businesses want to treat this customer segment in such a
way should not be our decision and should be left to the individual
enterprise and their customers.

The only thing we MUST avoid is that a user agent sends DNT;1 and that
the user is then tracked without strong notices since this would
significantly undermine the trust into our standard.


Just my 2cents,

matthias






in my humble opinion, we have two option
On 02/06/2012 00:31, Justin Brookman wrote:
> As a user, if I'm going to pick a party to guess my preference, I am
> going to pick *my* user agent instead of some downstream third party I
> have no relationship with whatsoever.  If I choose to run
> PrivacyBrowser because it has been marketed as the privacy-protective
> browser that runs DNT automatically, I am going to be rather surprised
> to hear that AdNetzUnlimited has ignored or stripped the header
> because I probably never meant it in the first place.  You can't do
> that with default cookie settings today in Safari, and you won't be
> able to do it with DNT either.  If an ISP changed the user's headings
> from DNT:1 to DNT:0 without user interaction, I am comfortable that
> existing law would address that situation and I would not expect third
> party websites to be in a position to police that.  If anyone feels
> they have a legal case against a user agent for pre-checking DNT or
> otherwise pushing users toward using the header, W3C will pose no
> barrier to the pursuit of those remedies.
>
> We spent the last several months stating we're not going to specify UI
> or guess user intent.  The group rejected specifying standards of
> consent for exceptions to DNT.  I still haven't heard how you are
> going to deal with the example of PrivacySuite configuring Mozilla to
> send DNT.  If lawyers or coders at each of the companies are going to
> have to guess what constitutes UA compliance for a part of the spec we
> haven't written yet and guess what the UI was for that UA for each
> user, you're opening yourselves up to extra compliance costs and
> significant exposure to liability, let alone intense press and user
> scrutiny.
> Justin Brookman
> Director, Consumer Privacy
> Center for Democracy & Technology
> 1634 I Street NW, Suite 1100
> Washington, DC 20006
> tel 202.407.8812
> fax 202.637.0969
> justin@cdt.org
> http://www.cdt.org
> @CenDemTech
> @JustinBrookman
>
> On 6/1/2012 6:56 PM, Dobbs, Brooks wrote:
>> Re: tracking-ISSUE-150: DNT conflicts from multiple user agents
>> [Tracking  Definitions and Compliance] New voice here...  I might as
>> well jump right into the controversy.
>>
>> I am not sure there is full consistency here.  I read the spec as
>> saying "Key to that notion of expression is that it /must/ reflect
>> the user's preference".  This seems pretty foundational to me.  Where
>> there is a significant likelihood for the origin server to believe
>> that the expression is not a reflection of the user's preference
>> (either as a 1 or a 0), wouldn't such server  be in error to process
>> it accordingly?  Conversely to the IE/AVG cases, if hypothetically an
>> ISP were to inject an extension into every DNT header which in the
>> future allowed for an exception, wouldn't the server be in error for
>> always making room for this exception where they know it to be coming
>> from that ISP?
>>
>> -Brooks
>>
>> -- 
>>
>> *Brooks Dobbs, CIPP *| Chief Privacy Officer |*KBM Group* | Part of
>> the Wunderman Network
>> (Tel) 678 580 2683 | (Mob) 678 492 1662 | *kbmg.com*
>> _brooks.dobbs@kbmg.com
>>
>>
>> _
>> This email -- including attachments -- may contain confidential
>> information. If you are not the intended recipient,
>>  do not copy, distribute or act on it. Instead, notify the sender
>> immediately and delete the message.
>>
>>
>> On 6/1/12 4:36 PM, "Justin Brookman" <justin@cdt.org> wrote:
>>
>>       Agree with David --- we don't even know what MSFT's eventual
>>     implementation is going to be, and I can't say I know what AVG's
>>     is today.  Is there a screen that's pre-checked?  Is there some
>>     sort of ephemeral notice saying "by the way, DNT is on."  Will
>>     those UIs change over time?  Who is going to monitor the UIs and
>>     make the decision: "No, this isn't user choicey enough!"  How
>>     will you know what the UI was when the user installed the user
>>     agent?  Even if the default is on and there's no notice at all,
>>     how will the party know that the user didn't turn it off at some
>>     point, see a retargeted ad for a Vegas casino, and then turn in
>>     back on again?
>>      
>>      I can't see how a standard answers those questions.
>>      
>>     Justin Brookman
>>     Director, Consumer Privacy
>>     Center for Democracy & Technology
>>     1634 I Street NW, Suite 1100
>>     Washington, DC 20006
>>     tel 202.407.8812
>>     fax 202.637.0969
>>     justin@cdt.org
>>     http://www.cdt.org
>>     @CenDemTech
>>     @JustinBrookman
>>      
>>      On 6/1/2012 5:28 PM, David Singer wrote:
>>
>>
>>          
>>          
>>         On Jun 1, 2012, at 14:22 , Shane Wiley wrote:
>>          
>>          
>>
>>
>>              
>>              
>>             David,
>>
>>
>>
>>             I disagree.  If you know that an UA is non-compliant, it
>>             should be fair to NOT honor the DNT signal from that
>>             non-compliant UA and message this back to the user in the
>>             well-known URI or Response Header.  Further, we can
>>             provide information for the user to use a UA that is DNT
>>             compliant if they wish for their preference to be honored
>>             in that regard.
>>
>>
>>
>>              
>>              
>>
>>
>>          
>>          
>>         OK, I think we will have to agree to disagree.  I can't think
>>         of any other spec., off hand, that allows one end to
>>         'misbehave' if they believe the other end is misbehaving.
>>          There *are* specs that deal with what you do if you see
>>         actual invalid values, incorrect responses, etc., but none
>>         that I know of that allow you to conclude 'you didn't really
>>         mean that' and do something other than what was signalled.
>>          
>>
>>          
>>          
>>         I still don't know how you tell the difference between a user
>>         who agree with, and wanted, the choice, and a user who wasn't
>>         aware of it.
>>          
>>
>>          
>>          
>>
>>          
>>          
>>          
>>          
>>
>>          
>>          
>>         David Singer
>>          
>>         Multimedia and Software Standards, Apple Inc.
>>          
>>          
>>          
>>
>>          
>>          
>>
>>
Received on Tuesday, 19 June 2012 16:21:14 UTC