Re: ISSUE-45 ACTION-246: draft proposal regarding making a public compliance commitment from Alan Chapell on 2012-09-05 (public-tracking@w3.org from September 2012)

From: Alan Chapell <achapell@chapellassociates.com>
Date: Wed, 05 Sep 2012 12:12:20 -0400
To: Shane Wiley <wileys@yahoo-inc.com>, "Aleecia M. McDonald" <aleecia@aleecia.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <CC6CF1C8.20297%achapell@chapellassociates.com>
Not to pile on  but as I'm on a plane and only able to participate via IRC
and email - and wanted to second that believe this proposal will receive
considerable support.

Alan

From:  Shane Wiley <wileys@yahoo-inc.com>
Date:  Wednesday, September 5, 2012 12:06 PM
To:  "Aleecia M. McDonald" <aleecia@aleecia.com>, "public-tracking@w3.org
(public-tracking@w3.org)" <public-tracking@w3.org>
Subject:  RE: ISSUE-45 ACTION-246: draft proposal regarding making a public
compliance  commitment
Resent-From:  <public-tracking@w3.org>
Resent-Date:  Wed, 05 Sep 2012 16:07:38 +0000

Aleecia,
 
I believe this proposal and the strong support within IRC during the working
group call would officially declare this as NOT a dead end.  It would be
helpful to gauge the working group as I believe you¹ll find considerable
support for a compliance flag within the well-known location resource.
 
- Shane
 

From: Aleecia M. McDonald [mailto:aleecia@aleecia.com]
Sent: Wednesday, September 05, 2012 9:00 AM
To: public-tracking@w3.org (public-tracking@w3.org)
Subject: Re: ISSUE-45 ACTION-246: draft proposal regarding making a public
compliance commitment
 
Of note: in Seattle, we discussed the possibility of having multiple codes
to indicate different flavors of DNT. Specifically, I raised it as a
suggestion. The WG members soundly rejected, in favor of coming to a common
single understanding of DNT. We have already declared this a dead end.

 

One can imagine a world with, say, a DAA approach and a W3C approach,
without needing a new flag sent with every response. Just pick different
semantics. It will be very clear which is what, without the overhead. If
that is the problem you are trying to solve, I think it is already solved
without needing any work here.

 

If we take this just as being about different regions, I'm not sure what a
USA or NLD designation entails. And I'm not sure how to convey that to
users. I think I do not understand what you have in mind yet. I look forward
to hearing more about how you think that could work.

 

            Aleecia

 

On Sep 4, 2012, at 5:51 PM, David Wainberg <david@networkadvertising.org>
wrote:


This fulfills ACTION-246
(http://www.w3.org/2011/tracking-protection/track/actions/246), which
relates to ISSUE-45
(http://www.w3.org/2011/tracking-protection/track/issues/45).

There are problems with the current proposed approach to issue 45. The
current version does not accommodate implementation distinctions based on,
for example, geography/jurisdiction, business model, or technology. It also
creates unnecessary and counter-productive legal landmines that will spur
companies to avoid implementing the full spec. We can provide for making
legal commitments without this unwanted result.

I think the first point should be obvious. There will be a tremendous
diversity of organizations, business models, and technologies to which DNT
may be applied, either voluntarily or compulsorily, under a diversity of
regulatory regimes. The spec needs to accommodate this diversity.

The more important point is that, if we make the mistake of tying the server
response (the header or WKL) to a broad, legally-binding representation that
goes well beyond the specific meanings of the responses, end-users will lose
out because companies will avoid implementing the response mechanisms. The
reality is that companies who may otherwise be eager to implement DNT will
avoid making representations that could be construed in overly broad ways,
that may be ambiguous, or that otherwise are potentially misaligned with
what they do. Instead, companies will seek to make representations that
unambiguously describe their practices. We should facilitate this, not make
it difficult.

Note that I am definitely not saying that companies should be able to act
contrary to what they represent in the response mechanism(s). That, however,
is not a problem we need to solve. Companies will be held to account for any
such misrepresentations anyway, regardless of what the spec says. And if the
available responses are sufficiently precise and adequately defined, I think
companies will implement them.

This proposal solves both problems. It will provide for the enforceable
statement that the working group is aiming for, but it will also allow
needed flexibility for servers operating under various regulatory regimes,
and would do so especially for servers operating under multiple regulatory
regimes. And, most important, it would create a mechanism whereby companies
can clearly and accurately say what they do and then do what they say.
The proposal is the following:
* The compliance spec remains silent on the matter
* Add a required "compliance" field to the tracking status resource in the
TPE, where the value indicates the compliance regime under which the server
is honoring the DNT signal.
* The value of the compliance field is a 3-5 letter token indicating the
applicable regulatory regime. Allowed tokens could include 3-letter country
codes, e.g. USA, GBR, NLD, or designations for voluntary regimes, e.g. W3C,
DAA, NAI, IABEU. My understanding is that an organization like IANA can
manage a list of tokens in order to prevent collisions.
Received on Wednesday, 5 September 2012 16:13:01 UTC