Align normative text on user consent for Distinctive Identifiers with privacy section #63
Comments
I agree with Mark's analysis, and his proposed change. I believe we've not previously reached a decision that user consent is required to use distinctive identifiers, and the current spec language seems to suggest.
This text was added six months ago to address bug 27165 from the TAG.
The TAG bug referred to the case of unclearable identifiers. We have done better than the TAG asked by making those non-compliant. This issue is not about that. This issue is about the case of clearable (site-specific) identifiers, where the Privacy section has always required either that users are fully informed or that they give consent. However, the normative procedures refer only to the case of explicit consent.
The bug summary refers to "unclearable identifiers", but the description refers to "identifiers that cannot be cleared along with regular cookies and site data." The spec text related to "cookie-like" clearing uses If you want to make a proposal tying all of these together, that's fine. However, my reading of your current proposal is that it would recommend requesting consent if consent is required. That doesn't make sense - it's not actually required when required. You could drop "Fully informed" is also very broad and ambiguous. If your concern is that the recommendation in section 3.1.2.1 is too broad because it doesn't allow for the "fully informed" case, we may need to further clarify what that means.
Adding @domenic, filer of the original bug.
Yes, the intent of that bug was "identifiers that cannot be cleared along with regular cookies and site data." If "unclearable identifiers" is not the correct term for that, I apologize for the misleading phrasing.
The user interface mechanism for clearing EME distinctive identifiers is up
I get what you are saying about the MUST / SHOULD mismatch. What I think
The decisions on whether consent is needed, what kind of user interface
If you think the Privacy section should be stronger with respect to when
Revised suggestion for the procedural text: "If the User Agent requires explicit user consent for the use of
On Mon, Jun 1, 2015 at 2:30 PM, Domenic Denicola notifications@github.com
I agree that one intent of this text is to standardize the point at which UAs request/check consent. However, the text is also generally recommending that user agents obtain such consent for Distinctive Identifiers. If we are going to remove that general recommendation, we should have specific conditions that eliminate the need for such a recommendation. The concern that led to the original bug was about standardizing access to semi-permanent client IDs into the (pluginless) web platform. There was also an example of silently abusing such identifiers in a DRM system exposed by a popular plugin. As such abusable capabilities are pulled into the web platform, it seems reasonable to at least recommend, if not require, mitigating such abuses.
There is precedent for a web spec to require user agents to acquire "the express permission of the user" "through a user interface".
That spec also contains (minimal) requirements on how the permission is acquired, what is shown in the UI, and that the permission to be revocable.
Converting the contents of https://w3c.github.io/encrypted-media/#allow-identifiers-cleared to an algorithm seems like a good start.
On Mon, Jun 1, 2015 at 5:07 PM, ddorwin notifications@github.com wrote:
What we have agreed is reflected in the Privacy section and is different,
Domenic's mail you link to says "We should consider requiring or strongly
In fact, what the Privacy section does is already stronger than what
I just want the normative procedures to align with what's in the Privacy
What I'm talking about here is the option for user agents to inform users,
Following on from our discussion on the call, suppose we introduced an algorithm "Is explicit consent for use of Distinctive Identifiers required?" If that algorithm returns YES, the UA MUST prompt for explicit consent. If that algorithm returns NO, the UA must either prompt for explicit consent or inform the user (if they have not already been informed). What would that algorithm say? One option would be to say that the answer will be YES unless all the recommendations of the Privacy section are implemented, but I think that may be too strong. It's also a new proposal which I still think should be addressed as a separate issue from this one.
I created a Pull Request with a proposal for this issue. Consent is required if the recommendation for clearing identifiers together with cookies is not supported by the user agent or if the user agent so determines for other reasons. Otherwise, informing the user is an option. I think this aligns more precisely with the TAG guidance.
@mwatson2, thanks for creating the PR. I've left comments there. Overall, the direction looks good.
The non-normative Privacy section states (Section 11.4.2):
"User agents must ensure that users are fully informed and/or give explicit consent before Distinctive Identifier(s) are exposed, such as in messages from the Key System implementation."
However, the option to provide information has been dropped in the normative procedures (Section 3.1.2.1, Step 15):
"If there is no persisted consent covering accumulated configuration for the origin, it is recommended that implementations request user consent to use Distinctive Identifier(s)."
The Privacy text has been stable for some time and we have not discussed recommending consent in all cases. Whether explicit consent is necessary is a matter for user agents.
I propose modifying the text in 3.1.2.1 to the following:
"If explicit user consent for the use of Distinctive Identifiers is required and if there is no persisted consent covering accumulated configuration for the origin, it is recommended that implementations request user consent to use Distinctive Identifier(s)."