I think of websites like private properties. You are given conditional access on the assumption that you can behave (T&C / AUP), otherwise it's like trespassing. So, I don't think that people should expect excessive rights of freedom that they might have on their own property or even in public. It's a balancing act.
That's really not how I think, nor does it really reflect reality, IMHO. They are on my property, it's all rendered and running in my browser on my device. All that's happened is I've requested some data from the server and they've given it to me, from then on how I display it and what gets run is entirely up to me.
If we want to attach terms and conditions to it (i.e. to use this site you must accept analytics/tracking/advertising) then let's make a framework to automate this stuff. I'm perfectly happy for my browser to say, up-front, that it won't be displaying graphical ads and it won't be running any known trackers or analytic suites, it won't be providing you any location data, nor will it be loading any social media buttons or widgets. You can then decide if you want to give me your data. That would be fine.
But I'm not buying into some idea of an implied social contract to let website owners do what the hell they want with my device.
> If we want to attach terms and conditions to it (i.e. to use this site you must accept analytics/tracking/advertising) then let's make a framework to automate this stuff.
Look, let's try an analogy. I run a shop, you want to come into my shop, you want to physically bring yourself into my shop, with your personal items, including your wallet and let's say a bag to help you purchasing items, or perhaps just to browse.
I'm going to keep an eye on you as I see fit whilst you are in my shop. Surely you can see that as fair?
You are an agent entering my property. This is what your computer does when you access my site.
I can extend this further. You have your wallet, you make a purchase, I have a till I record the purchase and even give you a receipt of the purchase, so that you can come back and we can both agree that you've been here before. So you come on to my site and you click on a download, I record the event through Google Tag Manager, which shoots it across to Google Analytics, and I even give you a cookie, useful for both of us. Next time you come to the site perhaps that cookie will mean I hide the download button from you, or it shows another related download to you.
Feel free to rip up the receipt, or delete the cookie, you're messing with the accepted way of doing things and harming yourself as well as me, but please go ahead you're free to. But please try to understand that not everyone is out to get you, I'm not trying to 'spy' on you, I couldn't care less about you as an individual. I'm trying to optimise for the whole, for my business, for my clients. I have no evil agenda, and if I did you wouldn't be able to stop me because evil finds a way.
The social contract exists, it is established, and it is incredibly close to how physical suppliers of products and services work. You live your life allowing businesses to track your movements within their physical domains, so why have a double standard for virtual domains?
Don't pretend for a moment that because my 'shop' is rendering at your physical location that you aren't in fact virtually visiting me. You want something from my 'shop'? I want to know how you interact with my 'shop'. It's really as simple as that.
Your logic damages good, honest people, instead of cutting to the actual problems. Things like Do Not Track and whining about tracking being invasive is simply attacking the symptom and not the root cause. It's like demanding a ban on horses because the cowboys harassing your town all ride them. It does bugger all but damage everyone else whilst the cowboys/evil people just ignore your ban or find another way. Please see logic.
>> You are an agent entering my property. This is what your computer does when you access my site.
No, no it does not. I'm not in your shop. I'm in my house. I requested some data from you, your server provided it. I'm under no obligation to do anything with that data at all, let alone allow you to execute arbitrary code on my computer because you feel like it's your right to.
It's closer to mail order, both in fact and in statute (remote selling regulations etc). You know I've ordered the catalog, you don't get to know it lay open at page 23 for half an hour or that I spent 15 minutes staring at the underwear models.
>> You want something from my 'shop'? I want to know how you interact with my 'shop'. It's really as simple as that.
Cool, turns out I don't want it that badly that I'll allow my machine to tell you everything about what I'm doing, so if purchasing from your shop is conditional on you getting to run this code, do us both a favour and block my access.
>> Your logic damages good, honest people, instead of cutting to the actual problems. Things like Do Not Track and whining about tracking being invasive is simply attacking the symptom and not the root cause. It's like demanding a ban on horses because the cowboys harassing your town all ride them. It does bugger all but damage everyone else whilst the cowboys/evil people just ignore your ban or find another way. Please see logic.
You make the sweeping assumption here that it's ok to collect as much data as you like for purposes you think are good.
I disagree.
--edit-- let me make this very clear: I don't care in the slightest why you want to collect analytics data, I'm not interested in taking part and I won't allow my computer to leak information constantly.
That mail order business keeps a record of your transaction and uses transaction records in aggregate to figure out what to stock, when, in what quantity, and how to position products in its catalog. You don't have a right to opt out of that, nor do you have a right to opt out of a website owner recording the HTTP requests you send to it.
>> I'm going to keep an eye on you as I see fit whilst you are in my shop. Surely you can see that as fair?
Unless something about my behavior stands out to you I can make a reasonable assumption that 1) you are not going to watch me the entire time and 2) the only record you are going to keep of my visit is the transaction receipt, and perhaps a note that one more person came into your shop today.
Every web server platform I am familiar with already logs access requests, which I don't think anyone is arguing against and you are free to monitor and analyze as you wish.
If you must monitor individual visitors' behavior it seems most stores have already worked that one out too, for example membership programs. A new analogy may read:
> I'm going to give you the option of signing up for a membership program. If you sign up I will offer you services tailored to your habits whilst you are in my shop.
Even if you require membership for your services the terms of the relationship (e.g. you will be tracked) are, usually, available prior to the socially-questionable activity (e.g. tracking).
But for your analytic package the analogy would be more like:
> I'm going to install live cameras throughout the shop to record you whilst you are in my shop. I'm going to review the recordings, or send them to a third party, so I may identify you and analyze your behavior at my own discretion.
Even if a shop has a camera the only social contract I am aware of is that the tape may be reviewed in the event of criminal or suspicious behavior.
> All that's happened is I've requested some data from the server and they've given it to me, from then on how I display it and what gets run is entirely up to me.
You currently already have this option. You can control all this. That you've set up your browser to, by default, automatically grant JavaScript the right to run or accept cookies from third parties or numerous other things is on you.
That it has become fairly standard practice is a result of the masses wanting it that way.
> If we want to attach terms and conditions to it then let's make a framework to automate this stuff
This is a terrible idea, as it will just devolve into the same type of faux-consent as click-through agreements and whatnot. Then there will be some legal concept that you've agreed to render web pages a certain way, and you'll have created the world you don't want.
If computers are to empower individuals, they must be owned by individuals and function as individuals' agents - not simply as local terminals running opaque code dictated by someone else (either through the technical means of DRM, or in this example legal means). Machine boundaries are trust boundaries, and network protocols mediate between them. Protocols enforce how processes communicate, but only make recommendations for how they should act. Relying on anything else is madness and should be considered a bug.
This is probably a discussion I would prefer us to have offline but the gist of it is that as a nascent industry, we have to make strides towards self-regulation very quickly. The NAI knows about the dangers lurking ahead. Overregulation is not a bogeyman. It is a real threat.
DNT is good for us. We don't want to track someone who explicitly does not want to be tracked (boo, Microsoft IE team!)
As far as I know, DNT was designed to be a tri-state with { NoPreference, On, Off }. NoPreference is the default. If it is turned on by default, what would NoPreference mean?
One could argue that the DNT preference was chosen when the users opted to use IE with DNT as default. As such, NoPreference has no meaning when the user's choice is always made one way or the other.
In the end, Microsoft made the decision to force it into a yes/no, rather than leaving it at "NoPreference". I can fully see the argument that Microsoft is not following the spirit of the standard in doing so.
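The tri-state discussed in the comments above, as a server would read it from the `DNT` request header; this is an added example, not part of the original thread. The names `DntState`, `parseDnt` and `decide`, the cookie value, and the handling of malformed or conflicting values are assumptions; the header alone cannot tell a browser default apart from a user's explicit choice, which is the point of the dispute.

```javascript
// Added example; all identifiers here are hypothetical.
const DntState = Object.freeze({ NoPreference: "NoPreference", On: "On", Off: "Off" });

// Look a header up case-insensitively; duplicated headers may arrive as arrays.
function getHeader(headers, name) {
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === name) return Array.isArray(v) ? v.join(",") : String(v);
  }
  return undefined;
}

// "1" = On (do not track), "0" = Off (tracking accepted), absent = NoPreference.
function parseDnt(headers) {
  const raw = getHeader(headers, "dnt");
  if (raw === undefined) return DntState.NoPreference;
  // Only the first character of each value is inspected; extensions may follow it.
  const flags = raw.split(",").map((s) => s.trim().charAt(0));
  // Assumption: on conflicting duplicates the most restrictive value wins.
  if (flags.includes("1")) return DntState.On;
  if (flags.every((f) => f === "0")) return DntState.Off;
  // Assumption: malformed values are treated as no expressed preference.
  return DntState.NoPreference;
}

// Decide whether to set a visitor cookie. What to do on NoPreference is the
// site's own policy, so it is an explicit option that defaults to not tracking.
function decide(headers, { trackOnNoPreference = false } = {}) {
  const state = parseDnt(headers);
  const track =
    state === DntState.Off || (state === DntState.NoPreference && trackOnNoPreference);
  // The response differs by DNT value, so shared caches must key on it.
  const responseHeaders = { Vary: "DNT" };
  if (track) {
    responseHeaders["Set-Cookie"] =
      "visitor_id=PLACEHOLDER; Path=/; Secure; HttpOnly; SameSite=Lax";
  }
  return { state, track, responseHeaders };
}

// Constructed sample requests.
for (const h of [{}, { DNT: "1" }, { dnt: "0" }, { dnt: "maybe" }]) {
  console.log(JSON.stringify(h), "->", JSON.stringify(decide(h)));
}
```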