I’d love to have you file some feedback on the draft as well, either before or after it actually it is “first published.” (Reminder again that this is a publicly accessible editor’s draft, but it is not yet published as a working draft.)
> the draft doesn’t care about … SSL
We thought about requiring SSL to use some restricted properties like this one, mainly as a backup to ensure its only used on sites that know what they are doing and actually need it (document editing suites for example), but it’s not needed for security unless the site was try to store that user preference on the server via XHR. All the back-and-forth happens on the client, so it’s not as if this data goes over the wire via HTTP. Maybe I’m misunderstanding your point. Again, please file it in bugzilla or through email b/c we don’t use blog comments as a issue tracker.
> …if I have 5 bits of info I need for my website, either the browser will have to show 5 prompts
Please read the spec (or wait until it’s a WD and then read it). Specific UI exposure in browsers is an implementation detail, but nothing in the spec requires this, and the ED even recommends restriction categories (e.g. general, media, screenreader, etc.) with separate justifications.
> Anyone can have the prompt say “I need this information to provide you with a better experience”, and then sell the information on.
As @Jer points out, this information is available today heuristically and through disparate published APIs and the sites don’t have to ask for it or provide any justification. Fingerprinters and shady dealers already get this info a variety of ways and do their best to not alert you to the fact that they are tracking you, so I doubt they would want to broadcast that knowledge through a user prompt. We’re trying to codify a way to make this information available in a standard way while being diligent about the potential privacy concerns. Again, I encourage you to provide feedback to the working group in bugzilla or email.