Re: tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking Definitions and Compliance] from Roy T. Fielding on 2012-06-04 (public-tracking@w3.org from June 2012)

From: Roy T. Fielding <fielding@gbiv.com>
Date: Mon, 4 Jun 2012 13:43:09 -0700
To: Tamir Israel <tisrael@cippic.ca>
Cc: "public-tracking@w3.org protection wg" <public-tracking@w3.org>
Message-Id: <7495F116-8730-4B35-ABA0-5F60CB30EAAE@gbiv.com>

On Jun 4, 2012, at 12:29 PM, Tamir Israel wrote:

> On 6/4/2012 11:52 AM, Dobbs, Brooks wrote:
>> I see where there is a requirement that the intermediaries don't inject
>> headers, but equally I see a big red capital MUST describing that the
>> expression reflect the user's preference.  Both injecting/modifying the
>> header or instantiating it (one way or the other) absent a reflection of the
>> user's preference seem equally non-compliant.
>> 
>> IMHO it sets a very dangerous precedent (no matter where you side on the
>> desirability of high adoption of DNT: 1) to say 1) the specification is
>> founded in reflecting preference and, simultaneously, 2) default settings
>> can reflect this preference.  Isn't this argued very differently with
>> respect to default browser settings implying consent for cookies in the EU?
> 
> Dangerous precedent it is indeed, but some jurisdictions (Canada being one) are stuck with it for the long haul. The Canadian landscape straddles EU and US approaches by a.) requiring consent and b.) accepting implicit/opt-out consent. Particularly, in the context of DNT, our privacy commissioner has affirmed that implied opt-out consent will be the guiding principle.
> 
> Where I envision potential problems under Canadian laws (and I imagine this might be an issue in comparable non-EU jursdictions as well), is if a server is required to ignore a 'DNT-1' designation because it is premised on a default user-agent selection and, hence, does not reflect a user preference. In this context, it is very difficult to pretend there is any form of implied consent to track.

Please understand that a server would not be required to ignore
an invalid DNT field -- they just have the right to because the
protocol exchange is invalid.  Furthermore, the result of ignoring
the invalid field is to fall back to the current state of
"no preference" being expressed.  Hence, there would be no impact
on Canadian or EU laws, nor would it change a server's obligation
to comply with those laws in the absence of DNT.

....Roy

Received on Monday, 4 June 2012 20:43:35 UTC