Re: ISSUE-45 ACTION-246 Clarified proposal on compliance statements from David Wainberg on 2012-10-31 (public-tracking@w3.org from October 2012)

From: David Wainberg <david@networkadvertising.org>
Date: Wed, 31 Oct 2012 14:17:29 -0400
To: Lauren Gelman <gelman@blurryedge.com>
CC: Joseph Lorenzo Hall <joe@cdt.org>, Shane Wiley <wileys@yahoo-inc.com>, John Simpson <john@consumerwatchdog.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <50916B39.8070907@networkadvertising.org>
Hi Lauren,

The issue right now is not whether you support it. It's how to address 
concerns about the range of acceptable tokens. Ultimately, if there is 
not support for this, it won't be included in the spec. However, if it 
does end up in the spec, we'd want it to be the best we can make it.

That said, I don't get the comparison to P3P. Is it the use of the word 
"token"? Otherwise, they're quite different.

-David



On 10/31/12 2:02 PM, Lauren Gelman wrote:
>
> I don't support this at all.  DNT was supposed to be a common 
> standard.  Either you were in or out. Now you are just rebuilding P3P.
>
> Lauren Gelman
> BlurryEdge Strategies
> 415-627-8512
>
> On Oct 31, 2012, at 10:54 AM, David Wainberg wrote:
>
>> Let's move this discussion to the other thread: "ISSUE-45 managing 
>> compliance mode tokens"
>>
>> On 10/30/12 10:46 AM, Joseph Lorenzo Hall wrote:
>>> Is there a way to have as little variation as possible? I've only 
>>> seen the EU/US discussion as a *necessary* variation, but I can 
>>> imagine people have ideas for others.
>>>
>>> And would each token be completely specified in the compliance spec? 
>>> (so that users would be able to know what a "US/DAA" response means 
>>> in terms of commitments made by the party serving that response?)
>>>
>>> best, Joe
>>>
>>> On Oct 29, 2012, at 15:13, David Wainberg 
>>> <david@networkadvertising.org <mailto:david@networkadvertising.org>> 
>>> wrote:
>>>
>>>> Lauren, that is a possible token. As explained in the top post on 
>>>> this thread 
>>>> (http://lists.w3.org/Archives/Public/public-tracking/2012Oct/0154.html) 
>>>> this will, in a fully transparent way, accommodate the variation we 
>>>> will necessarily see in the way companies are able to honor DNT.
>>>>
>>>> On 10/29/12 2:55 PM, Lauren Gelman wrote:
>>>>>
>>>>> Does that mean a US/DAA "token" is permitted under the language?
>>>>>
>>>>> Lauren Gelman
>>>>> BlurryEdge Strategies
>>>>> 415-627-8512
>>>>>
>>>>> On Oct 29, 2012, at 11:46 AM, David Wainberg wrote:
>>>>>
>>>>>> Hi Lauren,
>>>>>>
>>>>>> I think in general I think it will be hard for companies to 
>>>>>> speculate whether or how they'll honor DNT before the specs are 
>>>>>> done. Once there are defined standards, then companies will be 
>>>>>> able to determine what is applicable for their business.
>>>>>>
>>>>>> -David
>>>>>>
>>>>>> On 10/29/12 2:30 PM, Lauren Gelman wrote:
>>>>>>> Shane.  Does this permit a US/DAA "token" and would Yahoo use 
>>>>>>> that one or the W3C one this group is developing?
>>>>>>>
>>>>>>> Lauren Gelman
>>>>>>> BlurryEdge Strategies
>>>>>>> 415-627-8512
>>>>>>>
>>>>>>> On Oct 29, 2012, at 11:13 AM, Shane Wiley wrote:
>>>>>>>
>>>>>>>> John,
>>>>>>>>  This is still a single specification but provides for regional 
>>>>>>>> variance in communicating the user which policy their DNT will 
>>>>>>>> be honored under.  W3C is still a valid response but this would 
>>>>>>>> allow E/DAA to be a valid response as well.
>>>>>>>>  - Shane
>>>>>>>>  From: John Simpson [mailto:john@consumerwatchdog.org]
>>>>>>>> Sent: Monday, October 29, 2012 2:05 PM
>>>>>>>> To: David Wainberg
>>>>>>>> Cc: public-tracking@w3.org <mailto:public-tracking@w3.org>
>>>>>>>> Subject: Re: ISSUE-45 ACTION-246 Clarified proposal on 
>>>>>>>> compliance statements
>>>>>>>>  David,
>>>>>>>>  I'm puzzled here.  I don't think the WG is anywhere near 
>>>>>>>> consensus on the concept that the spec should provide servers 
>>>>>>>> with an opportunity to select what DNT regime they are 
>>>>>>>> following.  My impression is that we are working to develop a 
>>>>>>>> single specification. This suggestion seems to undercut that 
>>>>>>>> concept.
>>>>>>>>  Best regards,
>>>>>>>> John
>>>>>>>>  ----------
>>>>>>>> John M. Simpson
>>>>>>>> Consumer Advocate
>>>>>>>> Consumer Watchdog
>>>>>>>> 2701 Ocean Park Blvd., Suite 112
>>>>>>>> Santa Monica, CA,90405
>>>>>>>> Tel: 310-392-7041
>>>>>>>> Cell: 310-292-1902
>>>>>>>> www.ConsumerWatchdog.org <http://www.ConsumerWatchdog.org/>
>>>>>>>> john@consumerwatchdog.org <mailto:john@consumerwatchdog.org>
>>>>>>>>  On Oct 29, 2012, at 9:57 AM, David Wainberg wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> Editors -- can we please add these options to the two docs?
>>>>>>>>
>>>>>>>> TPE: Add a required "compliance" field to the tracking status 
>>>>>>>> resource in the TPE, where the value indicates the compliance 
>>>>>>>> regime under which the server is honoring the DNT signal. In 
>>>>>>>> 5.5.3 of the TPE:
>>>>>>>>
>>>>>>>>     A status-object MUST have a member named compliance that 
>>>>>>>> contains a single compliance mode token.
>>>>>>>>
>>>>>>>>
>>>>>>>> TCS:
>>>>>>>>
>>>>>>>>     Compliance mode tokens must be associated with a 
>>>>>>>> legislative or regulatory regime in a relevant jurisdiction, or 
>>>>>>>> with a relevant and established self-regulatory regime.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 10/9/12 9:22 AM, David Wainberg wrote:
>>>>>>>> ACTION-246 
>>>>>>>> (http://www.w3.org/2011/tracking-protection/track/actions/246), 
>>>>>>>> which relates to ISSUE-45 
>>>>>>>> (http://www.w3.org/2011/tracking-protection/track/issues/45).
>>>>>>>>
>>>>>>>> Hello all,
>>>>>>>>
>>>>>>>> This is a clarification of my previous proposal 
>>>>>>>> (http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0012.html). 
>>>>>>>> I'm launching it on a fresh thread, because the previous one 
>>>>>>>> got a bit wild and off-topic.
>>>>>>>>
>>>>>>>> Recall that this arose out of the problem of how or where 
>>>>>>>> parties may or must make statements regarding their DNT 
>>>>>>>> compliance. One proposal, which many of us strongly objected 
>>>>>>>> to, was to make provision of the tracking status resource in 
>>>>>>>> and of itself an assertion of compliance with the DNT spec. 
>>>>>>>> That proposal was a replacement for an initial proposal to 
>>>>>>>> require a public statement of compliance, but without 
>>>>>>>> specifying where or how that statement must be made.
>>>>>>>>
>>>>>>>> The problems with these proposals are that the one is overly 
>>>>>>>> strict, does not provide any flexibility, and sets up a legal 
>>>>>>>> landmine that companies will avoid by not providing the WKL, 
>>>>>>>> and the other is too loose; it allows for potentially unlimited 
>>>>>>>> variation in how companies honor DNT and where and how they 
>>>>>>>> make their commitments to do so.
>>>>>>>>
>>>>>>>> This proposal solves these problems by requiring a statement in 
>>>>>>>> the status resource regarding compliance with one of a limited 
>>>>>>>> set of DNT variations. Although I understand the desire for and 
>>>>>>>> attractiveness of a single universal specification for DNT 
>>>>>>>> compliance, the reality is that we will have to accommodate 
>>>>>>>> some variation based on, e.g., business model, geography, etc. 
>>>>>>>> Examples of this problem arose during the Amsterdam meeting. If 
>>>>>>>> we want to ensure wide adoption and enforceability of DNT, this 
>>>>>>>> is the way to do it.
>>>>>>>>
>>>>>>>> The proposal is the following:
>>>>>>>>
>>>>>>>> Add a required "compliance" field to the tracking status 
>>>>>>>> resource in the TPE, where the value indicates the compliance 
>>>>>>>> regime under which the server is honoring the DNT signal. In 
>>>>>>>> 5.5.3 of the TPE:
>>>>>>>>
>>>>>>>>     A status-object MUST have a member named compliance that 
>>>>>>>> contains a single compliance mode token.
>>>>>>>>
>>>>>>>> From here, I look to the group for discussion regarding how and 
>>>>>>>> where to define compliance mode tokens. My initial version of 
>>>>>>>> this proposal suggested looking to IANA to manage a limited set 
>>>>>>>> of tokens to prevent collisions. I think there was some 
>>>>>>>> misunderstanding and concern about how this would work. No -- 
>>>>>>>> companies should not just create their own arbitrary values. My 
>>>>>>>> view is that each token must have a well-defined and 
>>>>>>>> widely-accepted meaning. How's this:
>>>>>>>>
>>>>>>>>     Compliance mode tokens must be associated with a 
>>>>>>>> legislative or regulatory regime in a relevant jurisdiction, or 
>>>>>>>> with a relevant and established self-regulatory regime.
>>>>>>>>
>>>>>>>> I'm open to other ideas for this.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> David
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>
>
Received on Wednesday, 31 October 2012 18:18:00 UTC