[PET] Apache Webserver Update Ignores IE10 Privacy Settings (Paul Syverson)
sguerses at esat.kuleuven.be
Thu Sep 20 14:26:46 BST 2012
a couple weeks ago, i found this blog post was an insightful reading on the topic. it is written by james grimmelmann:
i know that aleecia mcdonald is a key person in the dnt process and has written much on dnt. i have seen extensive explanations from her on other mailing lists. i do not know if she has the head space for it, but it would be great to hear from her on this list, too.
as far as i can tell, dnt is a form of signaling and not a technical enforcement mechanism (if you do not believe in signaling, you can stop reading here). in terms of signaling, it is comparable to p3p but consists of a single bit to indicate users' preferences for "third party" tracking (who counts as first and third party is an entertaining discussion in itself).
i will try to provide a short summary of what i know, which does no justice to both the technical and political intricacies of the matter. for some reason, the dnt specification has a weird definition of three agreed upon states: no setting (silence), 0 = track me, 1 = do not track me. the advertisement companies prefer the default to be unset or 0 and they are saying they will pull out of the process (and will go bankrupt, poor things) if the default is 1. privacy advocates who believe in dnt-like signaling suggest that the default should be 1 because the users are unlikely to understand that they are being tracked and that they can signal to companies that they do not want to be tracked. the same users are even less likely to understand how dnt is interpreted and enforced by companies, but that again is another problem that aleecia has researched extensively. there is also the problem with no signal when the user is using an old browser without the new dnt specification -- this is yet another sticky issue. these are some of the complications with setting one single bit to indicate a tracking preference. it would be great to hear a summary on these discussions one day (among others). if you want to get into the nitty gritty details of it, the discussions are on the w3c mailing list of the tracking protection working group.
since dnt is not a technical enforcement mechanism, the success/effectiveness of dnt depends on all parties agreeing to its final specification (which is likely to reflect the ideas of the most powerful negotiators rather than the most reasonable) and the ability (power) of ftc in the us (and who knows which regulatory body in other parts of the world) to enforce that specification using legal mechanisms. it may make some mileage in the us where legal protections are very limited and where users may benefit from a `gentlemanly' agreement with companies to `respect' the signal. in europe, where data protection already covers tracking matters, dnt may result in less protection than the data protection directive itself (although this is also unknown, since the dnt specification is not nailed down and the dpd is currently being revised). if it is true, i.e., dnt offers less protection than the dpd, i do not know what that would mean for the europeans? with or without dnt, the rest of the world will continue to surf in a heavily tracked www. what happens outside of the browser space is again for me an unknown.
hope that provides an initial stab at some of the known unknowns around dnt (things may have changed since i last read up on it, i apologize for any misrepresentations).
this was supposed to be a short note from vacation...oh well, if you made it all the way here, thanks for reading and warm greetings,