Re: Support for ISSUE 143 - EDUCATED Consumer Choice Should Be REQUIRED from Jonathan Mayer on 2012-07-09 (public-tracking@w3.org from July 2012)

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Sun, 8 Jul 2012 19:10:04 -0700
To: Tamir Israel <tisrael@cippic.ca>
Cc: Matthias Schunter <mts-std@schunter.org>, Chris Mejia <chris.mejia@iab.net>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <4D600FBF33C54D7CB228C6DCFAE7906C@gmail.com>
The minutes from 3/7 suggest this paragraph was nixed in favor of its parallel in the TPE document.  I suspect some of the concerns were that it excessively focuses on the advertising industry and certain uses of information within that industry.

Jonathan  


On Saturday, July 7, 2012 at 1:43 PM, Tamir Israel wrote:

> On 7/7/2012 4:49 AM, Matthias Schunter wrote:  
> > Hi Chris,
> >  
> >  
> > I am in the process of post-processing my emails ;-)
> >  
> > Did anything happen on this discussion / has it been resolved?
> > If not you may push it forward  by proposing text.
> >  
> > What I deem important is that the text defines meaning/intent without freezing UI or text (if feasible). This will allow for more user agent innovation.
> >  
> > Note that the same holds for DNT;0: If the publisher receives DNT;0 then it is interesting to know  
> > what consent this transports,too. AFAIK Rigo/Rob aim for a similar standardisation for DNT;0.  
> >  
> >  
> > Regards,
> > matthias
> >  
> > On 23/05/2012 22:58, Chris Mejia wrote:
> > > W3C Tracking Protection Working Group:  
> > >  
> > > A DNT choice mechanism is fundamentally flawed when it does not rest on the basic tenant of user-educated and informed choice. I'm concerned that this working group is setting up an impossible situation for compliancy:  without a clear requirement for the user to be informed/educated about the choice they are making, at the point of that choice (in the user-interface), publishers who receive DNT:1 signals will have no (up-front) way to understand what the user's ACTUAL intent was when making their choice, and thus will not understand how to "honor" such choices.  Without users having a common understanding of what it means to turn on DNT, users will be setting/sending the DNT:1 header flag for a myriad of different reasons, representing many different "choices," based on their individual understandings of what "tracking," "privacy," or "do-not-track" mean, as influenced (or not influenced) by the user-interface they were exposed to when making/setting their choice.  This 'many choices = one outcome' model is fundamentally flawed and does not serve the best interest of users or the websites they visit.  
> > >  
> > > I have heard the argument that "users won't get-it" or "it's too complicated for users" or "users won't care"; my reply is, "then why are we doing this in the first place?"  Which market requirement are we replying to with DNT:1 = MANY/CHOOSE?  I find it highly irresponsible and even reckless to put a [powerful] choice mechanism in front of users without providing users the qualified information and context necessary to understand what that choice represents/does, and how it will affect them and the websites/businesses they frequent/support.  It's akin to saying, "you might need this gun for personal defense- it's free, take it," but not letting people know what the gun does. "What happens when I pull this trigger?"  "Just take the gun." Reckless.  
> > >  
> > > In support of Open Issue 143 (http://www.w3.org/2011/tracking-protection/track/issues/143), I believe this working group's work-product should REQUIRE that users receive a qualified [by this group] message regarding their DNT choice, AS that choice is presented to the user in the UI, for ALL programs that seek COMPLIANCE with this initiative— the technical requirement of this disclosure should be a mandated and required component of compliance.  Failing the inclusion of this important component, compliance (the general compliance document) should not be contemplated at all.  Adding the notion/suggestion of informed consent to a "best practices" document/addendum is not nearly sufficient; it leaves open too many loopholes will introduce market confusion. I think Justin's proposed explanation from the compliance spec on where the various interests here lie is very balanced:
> While there are a variety of business models to monetize content on the web, many rely on advertising. Advertisements can be targeted to a particular user's interests based on information gathered about one's online activity. While the Internet industry believes many users appreciate such targeted advertising, as well as other personalized content, there is also an understanding that some people find the practice intrusive. If this opinion becomes widespread, it could undermine the trust necessary to conduct business on the Internet. ... This should be a win-win for business and consumers alike. The Internet brings millions of users and web sites together in a vibrant and rich ecosystem. As the sophistication of the Internet has grown, so too has its complexity which leaves all but the most technically savvy unable to deeply understand how web sites collect and use data about their online interactions. While on the surface many web sites may appear to be ser ved by a single entity, in fact, many web sites are an assembly of multiple parties coming together to power a user's online experience. As an additional privacy tool, this specification provides both the technical and compliance guidelines to enable the online ecosystem to further empower users with the ability to communicate a tracking preferences to a web site and its partners.  
> Maybe someone can adjust this into a user-facing message? In any case, I feel confident that it is possible to craft a user-facing message that conveys a.) the importance of tracking to websites and b.) the importance of letting users choose who they do or do not wish to track them. I am confident this can be done in a balanced way....
>  
> > >  
> > > Some members of this working group believe that the "solution" to this problem is for publishers to ascertain a user's actual choice expression/intention by messaging all users who transmit the DNT:1 header flag, asking the silly question, "I see you have chosen not to be tracked, so I just wanted to re-confirm, do you REALLY not want to be tracked?" allowing for an "exception" when a user answers "oh no, I didn't really mean THAT."  Come on all… Why do you want to push the burden of informing consumers, downstream onto publishers?  The end game of your flawed "logic" is that the Web becomes a battlefield of annoying privacy pop-up land mines for consumer to navigate— a battle played out on publisher pages, and at publisher's expense.  Doesn't it make MUCH more sense to require that the original choice be made by adequately informed users, up-front in the DNT user-interface, at the point of choice? I do not see the exceptions as an attempt to do this. I see the exceptions as an attempt to ask the user if she trusts a _specific_ publisher or ad network to track them (but not all others). I may very well trust advertiserA and advertiserB, but not FinancialProfileMakerC, etc....
>  
> This is an important nuance, and I would think advertisers and publishers would be supportive of this. If it's the mechanism that is troubling because it puts too much burden on servers, there's always the TPLs....
> > >  
> > > Finally, I want to point out that user education and informed consent are basic core tenants of the interactive advertising industry's [DAA's] self-regulation program for online behavioral advertising (http://www.aboutads.info/)— a program that's been very successful and praised as a model for all industry, by government (including The White House, FTC and Dept. of Commerce), regulators, lawmakers and consumers alike.  Thus far, those basic tenants are missing in DNT.  If we are going to do this, then let's get it right— we all have a responsibility to get it right, and serve the BEST interests of informed consumers. There is no system of law that I am aware of where you need to seek user consent (informed or otherwise) in order to *not* track them....I get that this W3C process is about providing mechanisms to 'express user preferences', but please let's not pretend you need consent to refrain from tracking a user. This just makes no sense in any data protection context.
>  
> In addition to that, I think many have now indicated that the DAA mechanism (as well meaning as it may be) is flawed, most users are not aware of it or how to locate it, and overall is not sufficient.
>  
> Best,
> Tamir
Received on Monday, 9 July 2012 02:10:36 UTC