W3C Community Group comments

Colleagues,

Lee Tien and I have taken a rough early pass at comments from the W3C Do Not Track Community Group.  It's  is in the text below.

All comments are welcome as soon as possible.

Here is the link to the W3C's Tracking Protection Working Group Page:

http://www.w3.org/2011/tracking-protection/

You can find working drafts of the standards documents, lists of raised issues and an archive of the email discussions among working group members as well as minutes of the weekly conference calls.

If you see any issues Lee and I did not raise in our rough draft, please raise them.  Remember also, please, that this is a rough start on our comments.  Also it's important to note that we don't believe agreement is necessary at this point.  If you've got something that you feel needs to be said and that others in our community group don't agree with, that's fine.

Our intention is to provide different viewpoints in the final document when that's necessary.

Please get any thoughts to us as soon as possible, but I hope no latter than noon PT Wednesday..

Best,
John

------

Title:  Community Group comments on W3C DNT

Date:  Dec. 18, 2011

Editors:  Lee Tien (EFF) and John Simpson (Consumer Watchdog)

1.  Background

While the commercial Internet/digital media environment provides important forums for diversity of expression, communication, and information, it has been structured to collect nearly unlimited amounts of information on each user -- creating new forms of surveillance that raise crucial civil liberties and consumer protection concerns.  In general, the user’s interest in not being tracked must be recognized as a right to be respected, not an obstacle to be overcome in the pursuit of data collection.

 

Unfortunately, Internet tracking is invasive and pervasive. Wherever consumers go online and whatever they do is tracked usually without their knowledge and consent. What they click on, purchase, or share with others is compiled, analyzed and used to profile them. The data is often used to target advertising, but can also be used to make assumptions about people in connection with employment, housing, insurance, and financial services; for purposes of lawsuits against individuals; and for government surveillance.  From a U.S. legal perspective, the vast majority of what users do online is quintessential First Amendment behavior—reading, writing, speaking, and associating with others.  Such First Amendment activity enjoys significant constitutional protections against direct government interference (e.g., First Amendment law protects anonymous speech and privacy of association), but these protections can be circumvented when private actors keep records of online activity. 

 

Our concern here is therefore mainly about the practices and products of tracking and the data retained or derived from tracking.  We recognize that businesses may have valid economic interests in tracking, but businesses must also recognize that users have valid privacy and civil liberties interests in not being tracked and in control of the data retained or derived from tracking if users consent to such tracking.  Even if businesses have clear and uncontroversial legitimate purposes for tracking, civil litigants and government entities may be able to obtain access to data retained or derived from tracking for purposes inimical to users’ interests.

 

Our view is that the status quo is a product of a particular technological regime that was not designed to protect user privacy, under which much information is available to websites simply by virtue of how user-agents work.  While we take that status quo as a practical given, we do not regard it as normative. For instance, users did not agree that browsers should transmit HTTP referrer information, and we would welcome user control over whether such data should be transmitted.  In other words, the fact that businesses are accustomed to receiving information about users, user-agents or user devices does not mean that businesses are entitled to receive that information. 

 

Given the status quo, citizens and consumers require tools, in addition to public policy, to protect their privacy.  Existing tools are inadequate because they: 

-       Don’t actually work: Opt-out often means you don’t get targeted ads, but your information is still collected and your activities tracked.

-       Are too confusing: Consumers don’t have the expertise to choose what companies to block, or where to go to block them.

-       Require too many choices: Ad companies, Web browsers, search companies, and Websites all have different privacy tools and consumers must act to protect themselves with each.

-       Don’t make clear whom to trust: There is no way for consumers to know if a privacy tool is a legitimate site, or if it is trying to trick them into giving up even more info (or worse yet, money!)

 

 

A “Do Not Track” mechanism is a method that allows a computer user to send a clear, unambiguous message that one’s online activities should not be tracked. There are a number of ways this could be accomplished.  In fact the “Do Not Track” concept is technology neutral.  It is any method that sends the message to websites a consumer visits that one’s activities should not be tracked. Simply put, “Do Not Track” is like posting a “No Trespassing” sign on your property.  We leave to others the task of drawing the technical specifications for how such a message should be sent.  At a minimum, however, the mechanism should be universal, easily usable, persistent, and cover all tracking technologies.

 

Issue-8: 

[user knowledge/expectations]

 

Instead of the technology we focus on websites’ compliance with a DNT request and user expectations when they opt to send the DNT message.  The question of user expectations is a persistent theme in ongoing W3C discussion of DNT.  We are greatly concerned that many stakeholders cannot put themselves in the ordinary web user’s place, expect users to understand more of what is happening on the web than they actually do, and accordingly impute more consent or even acquiescence of existing tracking practices than is realistic.  [flesh out?]

 

Furthermore, even if users were as well informed as many stakeholders seem to think they are, users currently lack the tools to make their desires known.  Indeed, the idea of DNT has become popular partly because businesses have deliberately circumvented users’ attempts to express their rejection of tracking. For example, when methods were developed to block tracking “cookies,” trackers got around that by using flash cookies.

 

We also focus, where appropriate, on legal regimes that establish different user expectations as a matter of public policy.  For instance, while the United States does not have a general background consumer privacy law that clearly resolves consent issues, other legal regimes do. 

 

Under the recent Canadian guidance,

 

“Any collection or use of an individual’s web browsing activity must be done with that person’s knowledge and consent. Therefore, if an individual is not able to decline the tracking and targeting using an opt-out mechanism because there is no viable possibility for them to exert control over the technology used, or if doing so renders a service unusable, then organizations should not be employing that type of technology for online behavioural advertising purposes.”

 

The European Union may take a stronger position on consent.  As we read the recent Article 29 Working Group opinion on behavioral advertising (Opinion 16/2011) , a DNT mechanism may be permissible under the e-Privacy Directive so long as “no tracking” is the default. 

 

 

2.  Scope and goals

For purposes of these comments, we treat all of the data at issue as personal and identifiable data, because this data is at least initially associated with the user’s device, whether by IP address, a MAC address, or some other identifier (IMEI, IMSI, etc.).  Even if users share devices, we believe that in a significant proportion of cases the device linkage is meaningful to the data collector (e.g., as expressing the purchasing preferences of a household as a unit), or that data collectors can disaggregate shared use (e.g., distinguishing between child and adult users in a household by destination, time of day, etc.).  We will address proposals for de-personalizing data (aggregation, de-identification) as they emerge. 

3.  Definitions

 

Tracking

Tracking is the collection of data about Internet activities of a user, computer, or device (including mobile phones and devices), over time and across a Website or Websites.

 

Specific enumerated purposes, such as site maintenance and improvement, fraud prevention or legal compliance may warrant some kind of exemption, if they are well defined.  [note Art. 29 point that the exemption would be limited to certain requirements e.g. prior notice and consent, without exempting from minimum necessary, revocation, spoliation etc.]

 

We do not limit our understanding of tracking from a policy or rights perspective to cross-site tracking.  As explained earlier, our concern about tracking stems ultimately from the retention of data about users’ online activities, and the fact that such data is maintained by first-party websites does not prvent other parties (such as the government) from obtaining that data and correlating it across multiple websites.

 

We nevertheless agree that in the W3C DNT context, it may be possible, and will be valuable, to develop a consensus around the mechanisms for addressing cross-site and third-party tracking.  Our point here is that we are also concerned about first-party tracking, even if W3C DNT does not address it.

 

Within that more limited framework, we more-or-less agree with Roy Fielding’s statement:

 

[block quote]

DNT is about HTTP tracking of users from sites that might be trusted to sites that might not be trusted and the sharing of personally identifiable or behavioral information collected at one site with any other site that a user would not have expected to have deliberately provided that information.  It doesn't matter how the data is collected or how the user is tracked -- what matters is that a user's choice to provide data to one site does not imply that they want the same data (or generalizations based on that data) to affect their interactions with, be observable by, or be retained by other sites.

 

So, we are specifying a means for the user to express that they do not wish such data to be retained/used by any site other than the one that they deliberately decided to provide it to, along with a set of constraints on recipients of such data when the DNT expression is enabled.  This requires that we distinguish between sites that have been deliberately chosen by the user to receive the data (a.k.a., first parties) and anyone else who just happens to receive that data because of how browsers request, process, and render page elements provided by the first party.  It also requires that we define the scope of a "site" as an aspect of the user's perception of their own deliberate decision, rather than a more technical term like domain (an artifact of DNS) or same-origin (an artifact of web application security).

[end block quote]

[Do people agree?  Happy to pick this apart but I need specific points.]

collection of data

immediate or rapid deletion?

Immediate or rapid de-identification?

Other minimization?

First and third parties

 

Various issues (10, 26, 49) are about the meaning of the first-party/third-party distinction.  We believe the key principle underlying this distinction is consumer expectations, and not technical concerns such as domains or same-origin, as stated by Roy Fielding.  Branding is relevant as a factor in consumer expectations, not as an independent principle or test.

 

When a user enters a URL and visits a specific website, that site which has its address in the user’s browser address box is considered the First Party site. By convention the user is the Second Party and all other sites are Third Parties.  Because a user is directly interacting with the First Party there is an implicit understanding that data will be shared with the site. There is, however, no user expectation that data will be shared with unknown Third Party sites.  The reality, as the Wall Street Journal’s “What They Know” series pointed out is that Third Party tracking is extensive. The nation’s 50 top Websites install an average of 64 pieces of tracking technology on users’ browsers – all without your knowledge. This tracks all of your activity online, adds it to your profile, and then puts it up for instant sale in a stock market-like auction. And while the First Party/Third Party distinction is a useful analytic tool in assessing user expectations about Do Not Track obligations, it is also true that the distinctions between First and Third Parties are eroding, as the role of ad exchanges and demand side platforms, illustrate.

 

Hidden webpage elements are, of course, core cases of third parties.  They are deliberately concealed from users, and the average user is unaware of: web bugs or beacons; tools that can reveal them; how to prevent such elements from tracking them.  Visible, conspicuous webpage elements like ads and widgets must also be treated as third parties.  The average user does not realize that many ads are served by third parties rather than the first-party website they are visiting, or that information about the user is transmitted to those third parties. We believe that there is a general consensus on this point—that all of these webpage elements are third parties for DNT purposes.

 

We also detect a weaker consensus on the general idea that a visible third party can become a first party for DNT purposes if and only if the user engages in “meaningful interaction” with the window or widget.  We do not entirely agree here. 

 

First, even if we stipulate for W3C purposes that users “expect" behavioral activity recording by the sites they visit (in general, large well-established venues), it is much less clear that users expect such recording from widgets at all.  Many widgets appear as an app that simply performs a specific function.  In the case of a weather or map widget, it may simply return data, and the user may think of the widget as merely an application.  Indeed, we know that many consumers thought of Google Search in this way and had no idea that Google retained search histories.

 

Second, even if users might expect a widget to record data about them, they may not understand that each commonly branded widget is part of a hive mind. As Jonathan Mayer stated,

 

“Example 1: The user visits a site with a clearly-branded Accuweather.com weather widget. The user recognizes the branding and scrolls the widget forward to see tomorrow's weather.  The user expects to simply move the forecast ahead; the user does not expect Accuweather to collect cross-site tracking data.”

 

That understanding could be different for well-known social widgets, such as from Facebook, Google, Twitter, etc.  Our point is that an expectation of recording is not the same as an expectation of sharing.

 

Part of this may be the nature of the interaction.  Some third parties may behave in ways that make things much clearer.  Maybe if you click on the Chips Ahoy ad you go to the Nabisco site or get Nabisco content, and it could be fair to say that Nabisco has become a first party.  But it cannot be said categorically that deliberately clicking on a widget or other third-party element automatically confers first-party status.  Put another way, an unknown party should not be endowed with first-party status merely because the user knows that party differs from the main page yet interacts anyway. 

 

Canadian opt-out approach

“Opt-out consent for online behavioural advertising could be considered reasonable providing that:

• Individuals are made aware of the purposes for the practice in a manner that is clear and understandable – the purposes must be made obvious and cannot be buried in a privacy policy. Organizations should be transparent about their practices and consider how to effectively inform individuals of their online behavioural advertising practices, by using a variety of communication methods, such as online banners, layered approaches, and interactive tools;

• Individuals are informed of these purposes at or before the time of collection and provided with information about the various partiesinvolved in online behavioural advertising;

• Individuals are able to easily opt-out of the practice - ideally at or before the time the information is collected;

• The opt-out takes effect immediately and is persistent;

• The information collected and used is limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as medical or health information); and

• Information collected and used is destroyed as soon as possible or effectively de-identified.”

EU/Art. 29 Working Group approach

Under EU principles, prior explicit opt-in consent is necessary for lawful tracking, and notice must be provided to users before data processing occurs.  The Article 29 Working Group has taken the position that such notice must include at least the following elements:  who (which entities) collect data; what data is collected; that “profiles” (derived data, summaries, inferences, etc.) are created, and for what purpose or purposes; that the collection enables user identification across multiple websites; the duration of data or profile retention; the duration of any user informed consent. 

The Article 29 Working Group focused mainly on cookie-based tracking, but suggested that a DNT mechanism could satisfy its requirements so long as the default state was “no tracking.” 

This has implications for W3C, in that the current consensus is agnostic as to browser defaults.  We have three distinct user expressions:  user rejects tracking; user accepts tracking; user is silent (does not make a DNT choice).  The W3C consensus appears to be that when the user is silent, websites have no compliance duties.  Obviously, external legal regimes will independently affect this.  Under the EU opt-in regime, it would seem that user silence would be equivalent to a user’s rejecting tracking.  Under the Canadian regime, it seems that user silence could permit tracking, but only if the browser actually included a qualifying DNT mechanism.  If none were present, then silence would not permit tracking (“if an individual is not able to decline the tracking and targeting using an opt-out mechanism because there is no viable possibility for them to exert control over the technology used, or if doing so renders a service unusable, then organizations should not be employing that type of technology for online behavioural advertising purposes.”).

4.  Compliance with an expressed tracking preference

first party compliance with DNT message

When a First Party receives a DNT message it MUST NOT share users’ data with third parties. An exception would be if the Third Party is acting as an agent performing a function only for the First Party and does nothing else with the data.  An example might be analytics.  If the Third Party is the agent of multiple First Parties, it must silo each First Party’s data without any sharing or analysis across data silos.

 

[something about online and offline data append?]

 

The First Party SHOULD collect only the data necessary to complete the transaction during the current session and not store the data over time, without the users’ explicit informed consent.  [needs discussion]

third party compliance

When a Third Party receives a DNT message, it MUST NOT collect data from a user without the users’ explicit informed consent. 

 

When a Third Party widget is embedded in a First Party site, is clearly branded and the user has meaningful interaction with the widget, it becomes a First Party site for the transaction and it MAY collect data necessary for the transaction. It SHOULD NOT retain the data beyond the session.

5.  User interactions



----------
John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd. ,Suite 200
Santa Monica, CA,90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org
john@consumerwatchdog.org

_______________________________________________
Privacy mailing list
Privacy@democraticmedia.org
http://six.pairlist.net/mailman/listinfo/privacy

Received on Monday, 19 December 2011 23:45:46 UTC