Privacy/TPWG/Change Proposal User Agent Compliance
Delete TCS section on UA compliance
(from David Singer)
The TPE already defines requirements for user agents in sending a DNT:1 signal. We should not have differing and possibly inconsistent user agent obligations in the TCS. The TPE is the more appropriate document for this requirement: TPE standardizes how DNT signals are sent, what they mean, and how to message back your acknowledgement and response to the request. TCS standardizes what servers should do in response to a DNT signal.
No tracking by UA
New text
A user agent MUST NOT share information related to the network interaction with parties outside such interaction without consent.
was:
A user agent MUST NOT track information related to the network interaction outside of the [Permitted Uses] and any explicitly-granted exceptions without consent.
Rationale: In reviewing the June draft with colleagues, it occurred to me that some User Agents – technically speaking – could engage in tracking. My sense is that it is implicit that User agents would fall under the definition of third party under this spec and therefore would be subject to certain requirements. My goal was to make that more explicit. And as others have noted, the use case is not merely speculative. (See http://download.cnet.com/8301-2007_4-20123464-12/amazons-silk-browser-now-eff-approved-really/ and http://www.theregister.co.uk/2003/11/07/help_my_belkin_router/)
Move UA requirements to User Agent section
Change proposal from Jack Hobaugh; issue-227
Move sentence on general browseable Web etc. from Scope to User Agent definition in Definitions section.
- This may simply be editorial. Nick Doty 00:29, 20 October 2013 (UTC)
Relevant sentence in the Scope section:
The specification applies to compliance with requests through user agents that (1) can access the general browsable Web; (2) have a user interface that satisfies the requirements in Determining User Preference in the [TRACKING-DNT] specification; (3) and can implement all of the [TRACKING-DNT] specification, including the mechanisms for communicating a tracking status, and the user-granted exception mechanism.
Current TCS Editors' draft
A user agent MUST offer users a minimum of two alternative choices for a Do Not Track preference: unset or DNT: 1. A user agent MAY offer a third alternative choice: DNT: 0.
If the user's choice is DNT:1 or DNT:0, the tracking preference is enabled; otherwise, the tracking preference is not enabled.
A user agent MUST have a default tracking preference of unset (not enabled).
User agents and web sites are responsible for determining the user experience by which a tracking preference is controlled. User agents and web sites MUST ensure that tracking preference choices are communicated to users clearly and accurately and shown at the time and place the tracking preference choice is made available to a user. User agents and web sites MUST ensure that the tracking preference choices describe the parties to whom DNT applies and MUST make available brief and neutral explanatory text to provide more detailed information about DNT functionality.
That text MUST indicate that:
- if the tracking preference is communicated, it limits collection and use of web viewing data for certain advertising and other purposes;
- when DNT is enabled, some data may still be collected and used for certain purposes, and a description of such purposes; and
- if a user affirmatively allows a particular party to collect and use information about web viewing activities, enabling DNT will not limit collection and use from that party.
User agents and web sites MUST obtain an explicit choice made by a user when setting controls that affect the tracking preference expression.
A user agent MUST transmit the tracking preference according to the [TRACKING-DNT] specification.
Implementations of HTTP that are not under control of the user MUST NOT generate or modify a tracking preference.
Old text proposals
Proposal from Jonathan Mayer and Dan Auerbach.
New text (jmayer)
Suggests adding a non-normative example only:
Example: A browser which presents a preselected first-run or install-time DNT option is compliant, as DNT signals would reflect the user's affirmative DNT choice.
New text (danA)
Suggests adding a non-normative example only:
Example: A browser which has a first-run option that forces a user to choose between DNT: 1, DNT: 0, or keeping DNT unset, would be considered compliant with the DNT standard, as signals sent out based on this implementation reflect the user's affirmative DNT choice.