Re: action-231, issue-153 requirements on other software that sets DNT headers from Tamir Israel on 2012-08-22 (public-tracking@w3.org from August 2012)

From: Tamir Israel <tisrael@cippic.ca>
Date: Wed, 22 Aug 2012 09:27:43 -0400
To: David Wainberg <david@networkadvertising.org>
CC: ifette@google.com, Shane Wiley <wileys@yahoo-inc.com>, Jeffrey Chester <jeff@democraticmedia.org>, John Simpson <john@consumerwatchdog.org>, "Dobbs, Brooks" <Brooks.Dobbs@kbmg.com>, David Singer <singer@apple.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>, Nicholas Doty <npdoty@w3.org>
Message-ID: <5034DE4F.1030208@cippic.ca>
David --

ISSUE-151 UA Requirement: Be able to handle exception requests?

http://www.w3.org/2011/tracking-protection/track/issues/151

As far as I can tell, the debate over whether the exceptions API will be 
a 'MAY' or a 'MUST' is ongoing (someone please correct me if I'm wrong). 
Tradeoffs: more fine-grained DNT vs. an API that is complicated to 
implement.

I personally think the exceptions API is integral to the spec, and it 
should definitely be subject to the 'express user preference' provisio, 
as is all else.

However, failure to implement the exceptions API is very different from 
a good faith attempt to implement a user choice mechanism that some feel 
is not up to par. The first is objective -- the functionality is either 
there or it is not. The second is highly subjective, meaning that anyone 
who does not like a particular implementation (first a straight default, 
now pre-selection and, potentially a failure to weed out problematic 
plug-ins) can simply veto it and remain compliant.


On 8/21/2012 11:06 PM, David Wainberg wrote:
> This is a great question. Is such a UA compliant with the spec? I 
> think we've agreed that DNT set by default does not represent a user's 
> deliberate choice, and for that reason is invalid. But what about 
> signals from UAs that violate the spec in other material ways, such as 
> not providing for exceptions?
>
> On 8/21/12 8:12 PM, Tamir Israel wrote:
>> What does a server do when it gets a DNT-1 that is /not /a UA 
>> default, but with no implementation for exceptions?
>>
>> I think the exceptions are important....
>>
>> On 8/21/2012 8:05 PM, Ian Fette (ã,¤ã,¢ãf³ãf.ã,§ãffãf+ã,£) wrote:
>>> Hypothetical situation here. Server gets a DNT:1 request from a 
>>> browser. Browser ships DNT:1 by default. Browser doesn't implement 
>>> exceptions. Browser may or may not block third party cookies by 
>>> default. What exactly is the server supposed to do in this case?
>>>
>>> -Ian
>>>
>>> On Tue, Aug 21, 2012 at 4:59 PM, Shane Wiley <wileys@yahoo-inc.com 
>>> <mailto:wileys@yahoo-inc.com>> wrote:
>>>
>>>     Jeff,
>>>
>>>     Â
>>>
>>>     I disagree both on your philosophical position (compliant
>>>     Servers must honor non-compliant UAs) but more importantly as
>>>     part of the working group process.Â  Hopefully we can review
>>>     this (again) at the next TPE weekly meeting.
>>>
>>>     Â
>>>
>>>     - Shane
>>>
>>>     Â
>>>
>>>     *From:*Jeffrey Chester [mailto:jeff@democraticmedia.org
>>>     <mailto:jeff@democraticmedia.org>]
>>>     *Sent:* Tuesday, August 21, 2012 4:56 PM
>>>     *To:* Shane Wiley
>>>     *Cc:* John Simpson; Tamir Israel; Dobbs, Brooks; David Singer;
>>>     David Wainberg; public-tracking@w3.org
>>>     <mailto:public-tracking@w3.org> (public-tracking@w3.org
>>>     <mailto:public-tracking@w3.org>); Nicholas Doty
>>>
>>>
>>>     *Subject:* Re: action-231, issue-153 requirements on other
>>>     software that sets DNT headers
>>>
>>>     Â
>>>
>>>     Shane: Â I don't believe we have said such flags are "invalid."
>>>     Â I agree with John, DNT:1 must be honored. We should not
>>>     penalize privacy by design, a policy most stakeholders support. Â
>>>
>>>     Regards,
>>>
>>>     Â
>>>
>>>     Jeff
>>>
>>>     Â
>>>
>>>     Â
>>>
>>>     Â
>>>
>>>     On Aug 21, 2012, at 7:49 PM, Shane Wiley wrote:
>>>
>>>
>>>
>>>     John,
>>>
>>>
>>>     I thought we already agreed in the working group to remain
>>>     silent on this situation and allow implementers to defend their
>>>     actions with respect to sending invalid flags.Â  Correct?Â  I
>>>     understand your personal views here but I wanted to reconfirm
>>>     the working group end-point on this issue.
>>>
>>>     Â
>>>
>>>     Thank you,
>>>     Shane
>>>
>>>     Â
>>>
>>>     *From:*Â John Simpson [mailto:john@consumerwatchdog.org]Â
>>>     *Sent:*Â Tuesday, August 21, 2012 4:46 PM
>>>     *To:*Â Tamir Israel
>>>     *Cc:*Â Dobbs, Brooks; David Singer; David Wainberg;Â
>>>     public-tracking@w3.org <mailto:public-tracking@w3.org>Â
>>>     (public-tracking@w3.org <mailto:public-tracking@w3.org>);
>>>     Nicholas Doty; Shane Wiley
>>>     *Subject:*Â Re: action-231, issue-153 requirements on other
>>>     software that sets DNT headers
>>>
>>>     Â
>>>
>>>     For what it's worth I do not see how you can "blacklist" a UA
>>>     that is supposedly noncompliant if it sends a valid DNT:1 You
>>>     can write a letter to the vendor, you can call them out for
>>>     being noncompliant, you can protest to regulatory authorities if
>>>     they claim to be complaint when they are not.
>>>
>>>     Â
>>>
>>>     However, if you get a DNT:1 signal, it needs to be honored. Â
>>>
>>>     Â
>>>
>>>     On Aug 21, 2012, at 2:58 PM, Tamir Israel wrote:
>>>
>>>
>>>
>>>
>>>     OK -- I am not advocating two headers! Although one for each
>>>     personality would probably lead to more accurate profiling ; P
>>>
>>>     I suppose my concern was a combination of a.) how far will a
>>>     UA's obligation to check that alterations to its DNT are
>>>     'reflective of user input' be stretched and b.) whether this
>>>     opens up the door to more UA blacklisting potential.
>>>
>>>     Best,
>>>     Tamir
>>>
>>>     On 8/21/2012 5:13 PM, Dobbs, Brooks wrote:
>>>
>>>
>>>     Tamir,
>>>
>>>         Â
>>>
>>>         You are making this too complicated. Â UAs shouldn't be
>>>         required to audit
>>>
>>>         applications, plugins, etc - they should, per the spec, only
>>>         ever send a
>>>
>>>         signal which is consistent with a user preference. Â If they
>>>         don't feel
>>>
>>>         confident that what they are sending meets that requirement
>>>         they shouldn't
>>>
>>>         send anything. Â Anything else completely undermines the
>>>         spec. Â If you send
>>>
>>>         two DNT headers, you are by definition, non-compliant
>>>         (schizophrenic users
>>>
>>>         not withstanding).
>>>
>>>         Â
>>>
>>>         -Brooks
>>>
>>>         Â
>>>
>>>         Â
>>>
>>>     Â
>>>
>>>     ----------
>>>
>>>     John M. Simpson
>>>
>>>     Consumer Advocate
>>>
>>>     Consumer Watchdog
>>>
>>>     1750 Ocean Park Blvd. ,Suite 200
>>>
>>>     Santa Monica, CA,90405
>>>
>>>     Tel: 310-392-7041 <tel:310-392-7041>
>>>
>>>     Cell: 310-292-1902 <tel:310-292-1902>
>>>
>>>     www.ConsumerWatchdog.org <http://www.ConsumerWatchdog.org>
>>>
>>>     john@consumerwatchdog.org <mailto:john@consumerwatchdog.org>
>>>
>>>     Â
>>>
>>>     Â
>>>
>>>     Jeffrey Chester
>>>
>>>     Center for Digital Democracy
>>>
>>>     1621 Connecticut Ave, NW, Suite 550
>>>
>>>     Washington, DC 20009
>>>
>>>     www.democraticmedia.org <http://www.democraticmedia.org>
>>>
>>>     www.digitalads.org <http://www.digitalads.org>
>>>
>>>     202-986-2220 <tel:202-986-2220>
>>>
>>>     Â
>>>
>>>
>
Received on Wednesday, 22 August 2012 13:28:43 UTC