[PET] Apache Webserver Update Ignores IE10 Privacy Settings (Paul Syverson)
Aleecia M. McDonald
aleecia at aleecia.com
Tue Sep 25 06:36:46 BST 2012
Standard disclaimers apply: not speaking as an official anything, not speaking for anyone else, &c.
On Sep 20, 2012, at 9:26 AM, Seda Guerses <sguerses at esat.kuleuven.be> wrote:
> hey everyone,
> a couple weeks ago, i found this blog post was an insightful reading on the topic. it is written by james grimmelmann:
A good pointer, and new to me. The conversation referenced above is substantially more sophisticated and knowledge-based than many others.
> i know that aleecia mcdonald is a key person in the the dnt process and has written much on dnt. i have seen extensive explanations from her on other mailing lists. i do not know if she has the head space for it, but it would be great to hear from her on this list, too.
Yikes. Called out by Seda. :-)
> as far as i can tell, dnt is a form of signaling and not a technical enforcement mechanism (if you do not believe in signaling, you can stop reading here). in terms of signaling, it is comparable to p3p but consists of a single bit to indicate users preferences for "third party" tracking (who counts as first and third party is an entertaining discussion in itself).
Yes! A good point. P3P signals from websites to users "I do XYZ" where DNT is a signal from users to websites, "please do not do ABC." (APPEL is more a direct parallel.) Note that P3P Compact Policies are backed up by IE "enforcing" P3P CPs in the browser. What, if anything, browsers will do about DNT is unknown.
First parties are those parties users intend to interact with. There can be multiple first parties on one page, and party status can change (e.g. a facebook Like button loads on a non-facebook page as a third party, but becomes a first party if clicked upon.) This approach seems to make sense to users.
The work of the W3C TPWG is, among other things, to define a common basic set of things DNT means. Where P3P is a general purpose language for expressing policies, DNT is a "you must be this tall to ride" line. Sites can always do more for privacy than the bundle of DNT practices, but must not do less if they claim to comply with DNT. The current implementations out in the world [very likely] exceed what DNT will define as the minimum common practices.
And as always, the text is a work is in progress. The main ideas are pretty well locked down by now. But things can and do shift over time.
> i will try to provide a short summary of what i know, which does no justice to both the technical and political intricacies of the matter. for some reason, the dnt specification has a weird definition of three agreed upon states: no setting (silence), 0 = track me, 1 = do not track me. the advertisement companies prefer the default to be unset or 0 and they are saying they will pull out of the process (and will go bankrupt, poor things) if the default is 1. privacy advocates who believe in dnt like signaling suggest that the default should be 1 because the users are unlikely to understand that they are being tracked and that they can signal to companies that they do not want to be tracked. the same users are even less likely to understand how dnt is interpreted and enforced by companies, but that again is another problem that aleecia has researched extensively. there is also the problem with no signal when the user is using an old browser without the new dnt specification -- this is yet another sticky issue. these are some of the complications with setting one single bit to indicate a tracking preference. it would be great to hear a summary on these discussions one day (among others). if you want to get into the nitty gritty details of it, the discussions are on the w3c mailing list of the tracking protection working group.
This "weird" approach throws people. It can take a while to grab onto the idea here. Seda summarizes well: because people do not upgrade to new browsers all at once, we cannot depend upon getting either a DNT:1 or DNT:0 signal for all users. We must think about what to do with no setting at all.
The US & UK tend to treat privacy differently from how the EU treats privacy. In the US, we talk about user "choice" for privacy, and in the UK, it's a discussion about "consent" to tracking. In the US, anyone who has DNT unset has not chosen to turn it on, and will continue to be tracked. In the EU, anyone with DNT unset has not consented to tracking, and must not be tracked until they do. Effectively, we have a difference between opt-in and opt-out, as based on where in the world a user is located. One of the TPWG concerns was not stomping on national sovereignty issues and multi-national policy making.
Financial implications are also certainly relevant, but were not the only part of the discussion. Cynics may disbelieve me, but we actually had people acting in good faith to come to a viable consensus decision. This was a year ago.
> since dnt is not a technical enforcement mechanism, the success/effectiveness of dnt depends on all parties agreeing to its final specification (which is likely to reflect the ideas of the most powerful negotiators rather than the most reasonable) and the ability (power) of ftc in the us (and who knows which regulatory body in other parts of the world) to enforce that specification using legal mechanisms. it may make some mileage in the us where legally protections are very limited and where users may benefit from a `gentlemanly' agreement with companies to `respect' the signal. in europe, where data protection already covers tracking matters, dnt may result in less protection than the data protection directive itself (although this is also unknown, since the dnt specification is not nailed down and the dpd is currently being revised). if it is true, i.e., dnt offers less protection than the dpd, i do not know what that would mean for the europeans?
It means companies must do more for DNT for European users. We have a global of "thou shalt follow the law." In many cases that means things like if you are legally compelled to retain data in a way contrary to DNT, that's still compliant with DNT. But here, it means doing more for European privacy to meet applicable laws.
The TPWG plans to create a non-normative (that is, not binding in any way) document with thoughts on global deployment. It will largely be a pointer to more information to national and local laws that DNT implementors should keep in mind. That's not something we have as a formal deliverable, but we have the expertise in the room to help point out issues developers might want to keep in mind.
> with or without dnt, the rest of the world will continue to surf in a heavily tracked www. what happens outside of the browser space is again for me an unknown.
Anything that speaks HTTP can speak DNT. This includes apps. Mozilla is building a DNT setting into their mobile OS. For Windows, some (but not all) browsers use a registry setting for DNT, again putting it into the OS but in an unexpected (to me, at least) way. This is one of the ways anti-virus package AVG works, and the Working Group is still pondering that one. Within the browser space, a handful of addons and extensions turn on DNT. And in addition to an explicit DNT setting, Private Browsing mode in Safari sets DNT, restoring state when Private Browsing is turned off. SPDY can also follow the DNT framework, but nothing is announced there.
> hope that provides an initial stab at some of the known unknowns around dnt (things may have changed since i last read up on it, i apologize for any misrepresentations).
> this was supposed to be a short note from vacation...oh well, if you made it all the way here, thanks for reading and warm greetings,
Thanks for your time writing this up, Seda. I hope your vacation was (is?) great.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the PET