Re: Call for proposals for ISSUE-194 from Rob van Eijk on 2013-05-01 (public-tracking@w3.org from May 2013)

From: Rob van Eijk <rob@blaeu.com>
Date: Wed, 01 May 2013 17:42:04 +0200
To: Chris Mejia <chris.mejia@iab.net>
Cc: Shane Wiley <wileys@yahoo-inc.com>, "Matthias Schunter (Intel Corporation)" <mts-std@schunter.org>, <public-tracking@w3.org>, Mike Zaneis <mike@iab.net>, Lou Mastria - DAA <lou@aboutads.info>, Marc Groman - NAI <mgroman@networkadvertising.org>
Message-ID: <4e1ca0d7c1ae6a313ced8e28020982bb@xs4all.nl>
Hi Chris, Shane,
I am not disagreeing with you. I am saying that in absence of cetainty, 
the default should assumed to be on. This is in lign with having a 
default unset in the EU and the interpretation of Rigo. The DAA 
framework indicates a default to be off by default. That is where I 
disagree.
Rob

Chris Mejia schreef op 2013-05-01 17:35:
> Rob, I agree with Shane. We have reached consensus as a group now,
> twice, that DNT must be enabled/set by the individual user-- it cannot
> be defaulted "on", and the default state must be unset. In another
> related thread, Rigo makes an interesting point:
> 
>> _DNT unset means tracking in the US and "not tracking" in the EU. 
>> This is_
>> _the beauty of "unset" as a default. The default is then altered by 
>> the_
>> _user to either DNT:1 or DNT:0 on demand (and IMHO per site, yes it_
>> _works)_
> 
> While I don't necessarily agree that it's as black and white as Rigo
> states (i.e. unset doesn't AUTOMATICALLY mean tracking will happen in
> the US), his overall assertion makes some sense. Why couldn't certain
> jurisdictions interpret the signal (or lack thereof) per local
> regulation/law, and act accordingly?
> 
> Best,
> 
> Chris Mejia | Digital Supply Chain Solutions | Ad Technology Group |
> Interactive Advertising Bureau - IAB
> 
> On 4/30/13 8:34 AM, "Shane Wiley" <wileys@yahoo-inc.com> wrote:
> 
>> Rob,
>> 
>> Are you suggesting this "DNT by Default" only for the EU (Global 
>> Considerations document) or are you suggesting this as a requirement 
>> globally? As this is a complete about face to the already agreed upon 
>> position of the working group I'm trying to better understand why 
>> you're introducing this concept so late in the game (so to speak).
>> 
>> Thank you,
>> Shane
>> 
>> -----Original Message-----
>> From: Rob van Eijk [mailto:rob@blaeu.com]
>> Sent: Tuesday, April 30, 2013 3:22 AM
>> To: Matthias Schunter (Intel Corporation)
>> Cc: public-tracking@w3.org
>> Subject: Re: Call for proposals for ISSUE-194
>> 
>> Hi Matthias,
>> 
>> For me, the goal of ensuring that sites reliably receive valid DNT 
>> signals is connected with the communication between sites and users. 
>> The underlying problem for me is the ability to have a granular and 
>> valid DNT dialogue between a site and a user. The underlying problem 
>> is also connected to the defaults. My proposal starts with adressing 
>> the defaults and continues with a technical solution. I conclude with 
>> a text proposal.
>> 
>> Two weeks ago, I discussed DNT with DPAs in Prague. The consensus is 
>> that for DNT to be an effective instrument to provide user control, it 
>> is crucial that sites can be certain that the DNT signal which they 
>> receive is a true indication of the user’s wishes. The discussion on 
>> the defaults that was part of the DAAs proposal that was brought to 
>> the table on yesterday's call.
>> 
>> The DAA takes the position that DNT would be off by default. I 
>> strongly advise against this postion. The consensus amoungst DPAs is 
>> that in the absence of fully informed user choice a site must assume 
>> that a user is not aware of Web Tracking and therefore assume the 
>> default position as if they had received a DNT:1 signal, which 
>> indicates a wish from the user that this user prefers not to be 
>> tracked on the target site (TPE section 4.1).
>> 
>> To seperate the noise from the music, the subject of reliably 
>> receiving valid DNT signals contains an element of trust. Trust can be 
>> established by creating a chain of identity, in which the level of 
>> authentication determines the level of trust. As a vehicle for the 
>> level of authentication, a session key or token can used. The key or 
>> token can be stored temporarily in the cookie store or HTML5 local 
>> storage.
>> 
>> In lign with the imperative of privacy by design, the level of 
>> authentication must be adequate, relevant and not excessive in 
>> relation to the purpose. To maintain the level of trust, the expiry of 
>> the authentication is something to consider. In other words, the 
>> lifespan of trust is important. For the purpose of the communication 
>> between a site and a user, I would think the duration of a session is 
>> enough. A session is proportional to the amounth of time to maintain 
>> the level of trust.
>> 
>> What is considered a session is a level of detail we need to discuss 
>> further. For me there are a few elements that signal the end of a 
>> session, for example closing a browser, clearing the cookie, clearing 
>> the local storage, but also closing a browser tab. The latter is a 
>> invitation for the browser vendors to make expiry transparent to the 
>> user.
>> 
>> So in terms of concrete text, I propose the following:
>> 
>> <text proposal>
>> In the absence of a validated DNT signal, which indicates a fully 
>> informed user choice, a site MUST assume that a user is not aware of 
>> Web Tracking and therefore MUST assume the default position as if they 
>> had received a DNT:1 signal, which indicates a wish from the user that 
>> this user prefers not to be tracked on the target site.
>> 
>> Trust MAY be established by creating a chain of identity, in which 
>> the level of authentication determines the level of trust. As a 
>> vehicle for the level of authentication, sites MAY use a session key 
>> or token. The key or token MAY be stored temporarily in for example 
>> the cookie store or HTML5 local storage. The expiry of the key or 
>> token MUST be limited, and for a minumum MUST expire through automatic 
>> deletion when the Browser Tab closes.
>> </text proposal>
>> 
>> Looking forward to fruitful discussion at the forthcoming face 2 
>> face, Regards, Rob
>> 
>> Matthias Schunter (Intel Corporation) schreef op 2013-04-30 09:38:
>> 
>>> Hi Team,
>>> 
>>> during the last TPE call, we discussed ISSUE-194. One goal of
>>> ISSUE-194 is to ensure that sites reliably receive valid DNT 
>>> signals.
>>> Without such a mechanism, there is a risk that a multitude of things
>>> spray DNT;1 signals (antivirus, network devices, operating systems,
>>> ...; often without user interaction).
>>> As a consequence, sites can no longer reasonably by required to 
>>> listen
>>> to those signals.
>>> 
>>> We agreed that separating noise from signals is a valid concern and
>>> there were concerns whether there exists any solution that satisfies
>>> our goals.
>>> 
>>> If we could reliably distinguish between valid user 
>>> preferences/choice
>>> and noise from other entities on the net, then this allows sites to
>>> actually reliably act on user preferences while "D"isregarding the
>>> noise.
>>> 
>>> As part of discussing this further, I would like to issue a call for
>>> proposals. The question is what mechanisms are envisioned that allow
>>> sites to (more) reliably separate noise from preferences.
>>> 
>>> Any proposals (as responses) are welcome. My goal is to then discuss
>>> and compare thes proposals to understand whether they help sites 
>>> with
>>> this concern.
>>> 
>>> Regards,
>>> matthias
Received on Wednesday, 1 May 2013 15:42:48 UTC