[PET] Apache Webserver Update Ignores IE10 Privacy Settings

Aleecia M. McDonald aleecia at aleecia.com
Tue Sep 25 03:43:17 BST 2012


Thank you for a deeply thoughtful follow up. Until we know where the final DNT text ends up, I do not predict what anyone will think of it, self included. 

I ought to confess I replied to a subset of your message to sidestep the Apache topics. I have nothing to contribute to that discussion at this time.   

It seems to me that you are exactly right on identifying the frustrations for both the privacy community and advertising industry. If all goes well, we reach a middle ground that everyone can grumble about yet live with. If all goes wrong, we create something no one can tolerate, because it both goes too far for advertising companies and is too weak for privacy groups. I still have hope that there is a zone of negotiation in the middle within the W3C group. 

Part of why we are treated to an exciting few weeks of press and pressure is that the working group members are reaching major decisions on points we have vigorously debated for the past year, with an upcoming in-person meeting the first week of October. To quote a recent movie title, it might get loud.

	Aleecia
	/* speaking for myself only &c. */


On Sep 24, 2012, at 3:22 AM, Paul Syverson <syverson at itd.nrl.navy.mil> wrote:

> On Wed, Sep 19, 2012 at 12:04:09PM -0700, Aleecia M. McDonald wrote:
>> 
>> On Sep 19, 2012, at 9:25 AM, Paul Syverson <syverson at itd.nrl.navy.mil> wrote:
>> 
>>> I believe another prominent member of the PETs community who I shan't
>>> name was recently joking (or not?) about giving an invited talk on DNT
>>> with no shirt on and "Do not look at my chest" written on his chest.
>> 
>> One PETS regular sarcastically dismissed DNT as the "don't be evil"
>> bit when he first heard the idea, but rapidly came around to seeing
>> it would be more than a Pretty Please approach. Companies
>> voluntarily choose to adopt DNT, and then are held to the promise
>> they make. In the US, that means FTC enforcement. In that regard,
>> it's like the way privacy policies work. But where privacy policies
>> are "say what you will do, and do that," DNT is a bundle of things,
>> as in "here is a minimum baseline to follow if you want to claim DNT
>> compliance."
> 
> I fear that by pulling this anecdote from my post and using it to
> embellish on the value of DNT you took my point to be entirely
> dismissive of DNT. The points were in what I said first:
> The contributions of keeping things like DNT are often
> underappreciated by those who think that the only security that ever
> matters has an adversary model with only technological elements.
> Also, in my citation from Fielding, DNT will only work if
> people believe it is reflecting actual preferences. One danger of
> what happens if that breaks down is reflected in the quote
> from Swa Frantzen in the original post:
> "The real issue behind the name calling is that the standard is a
> compromise between an advertising industry that desperately wants to
> track users and privacy advocates who do not want anybody to be
> tracked. As with any compromise if one vendor starts to shift the
> balance of the compromise itself, the entire compromise is at
> risk. And if that happens those of us who did set DNT manually will
> get happily ignored by the advertising industry."
> 
> The "shirtless idea" is an amusing but nonetheless valid reminder of
> the limitations of policy based solutions. And as with most amusing
> anecdotes and jokes, it can't be taken too seriously or expected to
> fully and accurately capture all aspects of its subject. Perhaps you
> just felt a need to further clarify the virtues (and limitations) of
> DNT. That you did so in response to this particular extract from my
> post made me feel a need to further clarify what I was saying overall.
> 
> It's not just jokes that are so limited; the Frantzen quote is
> primarily a valid observation, but it does not fully and accurately
> capture the positions of all in the advertising industry or of privacy
> advocates. We can't say everything important and relevant at
> once. Nonetheless some of us still try, to the exasperation of my
> friends and non-friends alike.
> 
> HTH,
> Paul
> 
>> 
>> In the US, we have a Do Not Call list. From a PETS perspective, Do
>> Not Call is imperfect in that it does not have a technical mechanism
>> to stop telemarketing calls. Sure, enforcement matters. The name Do
>> Not Call is overly broad, in that it does not stop all calls
>> (yikes!) or even stop all solicitations. For example, there are
>> carve-outs for businesses with existing relationships, charity, and
>> political campaigns. But for all that it is Do Not Call* with fine
>> print to go with the *, Do Not Call does give people more control.
>> 
>> Neither Do Not Call nor Do Not Track will cure cancer. And yes, the
>> over-claims are frustrating to read, both in the press and in a few
>> research papers where the authors believe they know what DNT is, and
>> company X is violating DNT. As you can no doubt tell, we are into
>> the political layer here too.
>> 
>> Like Do Not Call, with DNT, I expect user choice and control will
>> advance, fine print and all. Some DNT details are still under
>> vigorous debate, but the overall shape is becoming clear.
>> 
>> 	Aleecia
>> 	/* personal opinions only; not speaking for Mozilla, Stanford,
>> or in any capacity for the Tracking Protection Working Group */
>> _______________________________________________ PET mailing list
>> PET at lists.links.org http://lists.links.org/mailman/listinfo/pet
> 


