Re: action-231, issue-153 requirements on other software that sets DNT headers

Hi Rob,

First, to circle back to the language I proposed, which places 
responsibility on the "enclosing" UA. Otherwise, it's too hard to ensure 
that the signal accurately reflects the user's intent.

"A UA that allows or enables other software to alter the DNT setting 
MUST ensure that such alteration reflects the user's intent."

Otherwise, I am interested in the direction of your language, but wonder 
about what would be required for "consulting the user." And what form of 
consulting the user will be required to gain an exception to DNT?

Finally, you reference real time bidding and e-scoring. I am curious 
what impact you anticipate DNT, as currently formulated, will have on 
those practices. Because the WG has defined neither tracking nor any 
particular harms that DNT is intended to prevent, we all seem to have 
very different ideas about what the outcome should or will be for 
various business models and practices.

Regards,

David

On 8/22/12 5:01 PM, Rob van Eijk wrote:
>
> Dobbs,
>
> I follow your conclusion that the question is not IF, but HOW to 
> continue the online ad ecosystem. It underlines the disbalance. If 
> only the current web functioned in such a way that a casual user would 
> even have a choice to prevent being tagged by not visiting a donut 
> shop. With innovating services like real time bidding and e-scoring 
> gaining momentum, it doesn't matter where a user goes online for 
> shopping. The casual user will often get the same unique tags anyway.
>
> Circling back to the requirements on other software that sets DNT 
> headers, I would like to table an additional text proposal.
>
> Proposal (changes in CAPITAL):
>
> Change the existing paragraph in the TPE spec to:
> A user agent MAY EITHER have a default tracking preference of unset 
> (not enabled) OR MAY HAVE A DEFAULT TRACKING PREFERENCE OF SET 
> (ENABLED). IN CASE OF A DEFAULT OF SET (ENABLED), IT IS UP TO THE USER 
> AGENT TO ACCURATELY REFLECT THE USER'S INTENT DURING INSTALLATION AND 
> UPDATE. A USER AGENT MUST THEREFORE NOT HAVE A DEFAULT TRACKING 
> PREFERENCE OF SET (ENABLED) WITHOUT CONSULTING THE USER. A user agent 
> extension or add-on must not alter the tracking preference unless the 
> act of installing and enabling that extension or add-on is an explicit 
> choice by the user for that tracking preference. IT IS UP TO THE USER 
> AGENT EXTENSION OR ADD-ON TO ACCURATELY REFLECT THE USER'S INTENT 
> DURING INSTALLATION AND UPDATE. A USER AGENT EXTENSION OR ADD-ON MUST 
> THEREFORE NOT HAVE A DEFAULT TRACKING PREFERENCE OF SET (ENABLED) 
> WITHOUT CONSULTING THE USER.
>
> Rob
>
> Dobbs, Brooks schreef op 2012-08-22 20:58:
>> Tamir,
>>
>> I again note that DNT: 1 is NOT a preference FOR privacy.  It is a
>> preference that a recipient server will process data in accordance with
>> the compliance spec as required by the signal.  The net impact of the
>> server's behavior may or may not on the whole be more or less privacy
>> protective for the individual concerned.  A user may reasonably conclude
>> that DNT: 0 or unset is likely to have a better net impact on privacy.
>> Being asked for OOB exception or a micropayment for content may not, in
>> many reasonable minds, be privacy enhancing.
>>
>> I am not being pedantic here.  We must be conscious that we aren't
>> discussing IF ad supported websites will continue to be funded but HOW.
>> If a donut store offers you "free" donuts for giving their advertising
>> sponsors your IP address and cookie as you wait in line but then is
>> required by protocol not to collect those things, you may expect the shop
>> will ask you for a credit card when you get to the register (or they'll
>> close).
>>
>>
>>
>> -Brooks
>>
>>
>> -- 
>>
>> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the
>> Wunderman Network
>> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
>> brooks.dobbs@kbmg.com
>>
>>
>>
>> This email - including attachments - may contain confidential information.
>> If you are not the intended recipient, do not copy, distribute or act on it.
>> Instead, notify the sender immediately and delete the message.
>>
>>
>>
>> On 8/22/12 2:09 PM, "Tamir Israel" <tisrael@cippic.ca> wrote:
>>
>>> I don't think the terminology is inappropriate. Within the context of
>>> 'expressing an individual's choice', an individual selection of DNT-1 is
>>> expressive of that individual's preference for privacy, not of any
>>> broader social impact on global privacy that may or may not result from
>>> that choice.
>>>
>>> This seems right to me.
>>>
>>> Best,
>>> Tamir
>>>
>>> On 8/22/2012 11:46 AM, Alan Chapell wrote:
>>>> James -
>>>>
>>>> Judging by the email thread over the past couple of days, it seems like
>>>> that phrase is creating some confusion - even amongst the working group.
>>>> Perhaps we can find a better term for our documents so as not to confuse
>>>> the marketplace.
>>>>
>>>> Perhaps "deliberate choice for the DNT signal"?
>>>>
>>>>
>>>> Cheers,
>>>>
>>>> Alan Chapell
>>>> Chapell & Associates
>>>> 917 318 8440
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 8/22/12 10:40 AM, "Grimmelmann, James" <James.Grimmelmann@nyls.edu>
>>>> wrote:
>>>>
>>>>> Brooks,
>>>>>
>>>>> The language "choice for privacy" has been in the TPE working drafts
>>>>> since last year.  It is there as a way to describe certain kinds of user
>>>>> actions in configuring a user-agent that can reasonably be understood to
>>>>> include a "deliberate choice by the user" about a tracking preference.
>>>>> This reflects the real-world fact that many users who choose to enable
>>>>> the DNT: 1 header will do so out of a desire for privacy. Thus, a user
>>>>> agent or extension could offer a more general-purpose privacy setting
>>>>> "that then implicitly includes a tracking preference."
>>>>>
>>>>> Don't worry: I'm not (and I don't think anyone else is) asking the group
>>>>> to take an official stance on whether widespread DNT use will be good for
>>>>> privacy or bad for privacy.  That's highly contested and highly
>>>>> subjective.  The language shows up in the context of "Determining User
>>>>> Preference" and that's how I'm reading it: to address the question of
>>>>> whether IE 10's DNT: 1 signals will reflect deliberate choices by users
>>>>> about tracking.
>>>>>
>>>>> James
>>>>>
>>>>> On Aug 22, 2012, at 9:41 AM, "Dobbs, Brooks" <Brooks.Dobbs@kbmg.com>
>>>>> wrote:
>>>>>
>>>>>> James and all,
>>>>>>
>>>>>> I think we are moving down the road of making some very dangerous
>>>>>> assumptions here.  We are getting in the habit of referring to sending the
>>>>>> signal DNT: 1 as "a choice for privacy".  This is a highly subjective
>>>>>> statement and not necessarily true.
>>>>>>
>>>>>> Choosing DNT: 1 is a signal to an origin server that it must follow the
>>>>>> rules as established by the compliance doc with all the resulting
>>>>>> treatments to the UA.  This may result in initial outcomes that many users
>>>>>> will see as privacy enhancing.  However, it may also channel UAs to
>>>>>> different website payment schemes (non-ad supported) or move people
>>>>>> towards advertising tools run by parties with a PII relationship to the
>>>>>> user who are able to get out of band exceptions; neither would likely
>>>>>> be called "a choice for privacy".  This is not hypothetical at all.  If a
>>>>>> website needs N million dollars a year to provide content and service and
>>>>>> that funding is cut to a third by DNT, they will seek one of those two
>>>>>> roads, neither of which makes a lot of sense to call "a choice for
>>>>>> privacy".
>>>>>>
>>>>>> Let's keep this conversation where it should be.  A "preference" means a
>>>>>> user's desire for his/her transaction to be processed by the recipient
>>>>>> server in accordance with the rules established for that signal by the
>>>>>> compliance doc.  If an individual user, with individual use patterns, at
>>>>>> any given time finds that to be "a choice for privacy" then so it is - for
>>>>>> her.  I doubt that the person asked for a credit card or to identify
>>>>>> himself for an out of band exception to view a previously ad supported
>>>>>> site will be as cavalier with the word choice.
>>>>>>
>>>>>> -Brooks
>>>>>>
>>>>>>
>>>>>> -- 
>>>>>>
>>>>>> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the
>>>>>> Wunderman Network
>>>>>> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
>>>>>> brooks.dobbs@kbmg.com
>>>>>>
>>>>>>
>>>>>>
>>>>>> This email - including attachments - may contain confidential information.
>>>>>> If you are not the intended recipient, do not copy, distribute or act on it.
>>>>>> Instead, notify the sender immediately and delete the message.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 8/21/12 10:43 PM, "Grimmelmann, James" 
>>>>>> <James.Grimmelmann@nyls.edu>
>>>>>> wrote:
>>>>>>
>>>>>>> I disagree; this is far from a "clear" case.  Here is the coming IE 10
>>>>>>> setup process as described by Microsoft (cutting and pasting a bit):
>>>>>>>
>>>>>>> ----
>>>>>>> In the Windows 8 set-up experience, customers will be asked to choose
>>>>>>> between two ways of configuring a number of settings: "Express Settings"
>>>>>>> or "Customize."
>>>>>>>
>>>>>>> Customers will receive prominent notice that their selection of Express
>>>>>>> Settings turns DNT "on." In addition, by using the Customize approach,
>>>>>>> users will be able to independently turn "on" and "off" a number of
>>>>>>> settings, including the setting for the DNT signal.  A "Learn More" link
>>>>>>> with detailed information about each recommended setting will help
>>>>>>> customers decide whether to select Express Settings or Customize.
>>>>>>> ----
>>>>>>>
>>>>>>> And here is the language from the August 14 TPE draft:
>>>>>>>
>>>>>>> ----
>>>>>>> The basic principle is that a tracking preference expression is only
>>>>>>> transmitted when it reflects a deliberate choice by the user. ...
>>>>>>>
>>>>>>> A user agent must have a default tracking preference of unset (not
>>>>>>> enabled) unless a specific tracking preference is implied by the decision
>>>>>>> to use that agent. ...
>>>>>>>
>>>>>>> We do not specify how tracking preference choices are offered to the user
>>>>>>> or how the preference is enabled: each implementation is responsible for
>>>>>>> determining the user experience by which a tracking preference is
>>>>>>> enabled. For example, a user might select a check-box in their user
>>>>>>> agent's configuration, install an extension or add-on that is
>>>>>>> specifically designed to add a tracking preference expression, or make a
>>>>>>> choice for privacy that then implicitly includes a tracking preference
>>>>>>> (e.g., Privacy settings: high). The user-agent might ask the user for
>>>>>>> their preference during startup, perhaps on first use or after an update
>>>>>>> adds the tracking protection feature.
>>>>>>> ----
>>>>>>>
>>>>>>> There is a plausible argument that selecting Express Settings after being
>>>>>>> given prominent notice that this will turn DNT on is both a "deliberate
>>>>>>> choice by the user" and "a choice for privacy that then implicitly
>>>>>>> includes a tracking preference" that the user-agent "ask[s] the user for
>>>>>>> ... during startup."  And because the user chooses to use Express
>>>>>>> Settings, there is also a plausible argument that IE 10 will "have a
>>>>>>> default tracking preference of unset."
>>>>>>>
>>>>>>> There are also some plausible counterarguments.  For example, it is
>>>>>>> possible that Microsoft's explanation of the effect of choosing Express
>>>>>>> Settings will not be clear and prominent enough to make selecting it a
>>>>>>> "choice for privacy."  It is also unclear what the default state of the
>>>>>>> DNT checkbox will be in "Customize."
>>>>>>>
>>>>>>> I'm sure that this is not what many others on the list *intend* the TPE
>>>>>>> draft to mean, but based on what the draft currently *says*, IE 10's
>>>>>>> compliance is open to serious debate.
>>>>>>>
>>>>>>> James
>>>>>>>
>>>>>>> --------------------------------------------------
>>>>>>> James Grimmelmann              Professor of Law
>>>>>>> New York Law School                 (212) 431-2864
>>>>>>> 185 West Broadway
>>>>>>> james.grimmelmann@nyls.edu
>>>>>>> New York, NY 10013    http://james.grimmelmann.net
>>>>>>>
>>>>>>> On Aug 21, 2012, at 9:35 PM, Roy T. Fielding
>>>>>>> <fielding@gbiv.com> wrote:
>>>>>>>
>>>>>>> On Aug 21, 2012, at 6:01 PM, Tamir Israel wrote:
>>>>>>>
>>>>>>> Roy your apache example, as I understood it, applies in clear cases of
>>>>>>> non-compliance. I don't think there's ever going to be such a clear case
>>>>>>> as in reality implementations are going to be quite varied and browser
>>>>>>> sniffing of the kind you're suggesting will lead to browser wars. Case in
>>>>>>> point:
>>>>>>>
>>>>>>> http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/08/07/do-not-track-in-the-windows-8-set-up-experience.aspx
>>>>>>>
>>>>>>> Which is a clear case of non-compliance.  If pre-selecting an
>>>>>>> option in a dialog box is not sufficient to gain prior consent,
>>>>>>> then it certainly isn't sufficient to satisfy:
>>>>>>>
>>>>>>> "The basic principle is that a tracking preference expression
>>>>>>>  is only transmitted when it reflects a deliberate choice by
>>>>>>>  the user. In the absence of user choice, there is no tracking
>>>>>>>  preference expressed."
>>>>>>>
>>>>>>> Browser wars is not a problem I have in HTTP, because of the
>>>>>>> Apache principle regarding open standards.  If you want to change
>>>>>>> the standard, feel free to make proposals to that effect within
>>>>>>> the process defined by this WG.  Please do not continue this
>>>>>>> argument about honoring deliberately broken UAs; you are wasting
>>>>>>> our time, as this WG has even less ability to change Apache's principles
>>>>>>> than it does to impose implementation of a voluntary standard.
>>>>>>>
>>>>>>> ....Roy
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>
>

Received on Wednesday, 22 August 2012 23:18:08 UTC