- From: Ryan Ware via WBS Mailer <sysbot+wbs@w3.org>
- Date: Mon, 19 Dec 2016 18:57:01 +0000
- To: public-new-work@w3.org
The following answers have been successfully submitted to 'Call for Review: Tracking Protection Working Group Charter' (Advisory Committee) for Intel Corporation by Ryan Ware.

The reviewer's organization supports this Charter as is.

Additional comments about the proposal:

I support this charter for many different reasons. In the most general case, I think it fits with Intel's expectations around protecting its customers. Additionally, Jan Philipp Albrecht has outlined 9 very compelling reasons:

1. The EU General Data Protection Regulation, for which I had the honour of being rapporteur, will be applied from May 2018. Among other things, it introduces statutory obligations on any company, wherever it is located, that collects or processes the personal data of persons in the EU. Personal data is defined as “any information relating to an identified or identifiable natural person” and can include data processed for singling-out individuals online such as “online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags”. Sanctions for breaches of these obligations can be up to 4% of a company’s annual worldwide turnover or €20 million, whichever is greater.

2. On many web sites, including those run by the major online publishers, there can be several hundred “third-party” servers accessed when a page is visited. If personal data is processed by these servers, the GDPR requires that the identity of the relevant data controller, its claimed legal basis and purpose for processing be declared. Other than described in the Do Not Track Tracking Preference Expression (TPE) document, there is currently no standardised web platform method for doing this. The current TPE includes mechanisms allowing companies to inform users, and any privacy tools that they employ, of the identity and policies of all companies that respect the DNT signal.

3. The GDPR also requires companies to obtain a user’s informed consent for, or in some circumstances support an automated right to object to, online personal data collection and processing, with users being given the ability to revoke their consent at any time. The Article 29 Working Party has called for this to be within their user agent as well as via the web resource. The current TPE includes mechanisms for communicating the user’s informed consent for tracking to all or to a set of third-parties on a specific web site, which gives users much more control than that made available via HTTP cookies or other state persistence mechanisms subject to the Same Origin Policy, as users are far more comfortable giving their consent in the context of a particular website than across the entire web. The web platform currently has no API mechanism for doing this, other than the DNT Consent API.

4. Separating the signalling of user consent to a particular request header (DNT) supports the ability of sites to use “expiry” based caching via the “Vary” header. Existing mechanisms for indicating user specific consent, such as HTTP Cookies, do not allow for this. Legislation such as the GDPR is bound to introduce much more web traffic that relies on user consent, and the restrictions on caching could badly affect the performance of the web platform.

5. Users are increasingly turning to other methods to protect their privacy online such as content and ad blockers. These are designed to detect attempts to collect data or particular web servers or resources and block them, but have to be far blunter tools than they need to be. The building blocks within the TPE offer ways for them to operate with more finesse and allow legally compliant companies to establish the trust of users, making the use of such tools less necessary.

6. There are other rights for individuals laid out in the GDPR, including the right to access, amend or erase personal data. The transparency mechanisms described in the TPE can and should be extended to allow companies to support these rights.

7. There is evidence that at the moment about 12-14% of web requests to European websites have the DNT header set, which must reflect the desire of a significant proportion of Europeans to have their preference respected.

8. The current draft of the upcoming proposal for a new EU ePrivacy Regulation (http://g8fip1kplyr33r3krz5b97d1.wpengine.netdna-cdn.com/wp-content/uploads/2016/12/POLITICO-e-privacy-directive-review-draft-december.pdf) also addresses the possibility of consenting with technical settings in the browser, see Article 9(2). It also introduces an obligation for browser manufacturers to respect the privacy by design principle, see Article 10(2).

9. For all these reasons, there is more work to do in your area of expertise. I urge you therefore to extend the mandate of the TPWG until after the end of 2016.

The reviewer's organization:
- intends to review drafts as they are published and send comments.
- intends to develop experimental implementations and send experience reports.
- intends to develop products based on this work.
- intends to apply this technology in our operations.
- would be interested in participating in any press activity connected with this group.

Answers to this questionnaire can be set and changed at https://www.w3.org/2002/09/wbs/33280/tracking-2016/ until 2016-12-23.

Regards,
The Automatic WBS Mailer
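Point 4 of the comments argues that carrying consent in a dedicated DNT request header, rather than in a cookie, keeps responses cacheable through the Vary header. The following added example (not part of the W3C message or of the TPE specification) simulates a shared cache applying Vary-based response selection, as RFC 7234 describes it, to both designs; the URL, the user requests and the origin server's consent logic are constructed for the illustration.

```python
"""Simulate a shared HTTP cache to compare two consent-signalling designs:
a DNT request header versus a per-user cookie. Constructed example."""

URL = "https://example.test/article"  # constructed resource

# Constructed traffic: six visitors. With the DNT design each visitor only
# sends DNT:1 (no consent) or DNT:0 (consent given).
DNT_REQUESTS = [{"DNT": d} for d in ("1", "0", "1", "0", "1", "1")]
# With the cookie design each visitor carries a unique session id next to
# the consent flag, so no two Cookie header values are equal.
COOKIE_REQUESTS = [
    {"Cookie": f"sid={i}; consent={'yes' if i % 2 else 'no'}"} for i in range(6)
]


class SharedCache:
    """Minimal cache keyed by URL plus the request fields named in Vary."""

    def __init__(self):
        self.entries = {}  # url -> list of (selecting header values, response)
        self.hits = 0
        self.misses = 0

    def lookup(self, url, request_headers):
        # A stored response may be reused only if every header field listed in
        # its Vary matches the new request (absent matches absent).
        for selecting, response in self.entries.get(url, []):
            if all(request_headers.get(f) == v for f, v in selecting.items()):
                self.hits += 1
                return response
        self.misses += 1
        return None

    def store(self, url, request_headers, response):
        fields = [f.strip() for f in response.get("Vary", "").split(",") if f.strip()]
        selecting = {f: request_headers.get(f) for f in fields}
        self.entries.setdefault(url, []).append((selecting, response))


def origin(request_headers, vary_on):
    """Constructed origin server: derives consent from DNT or from the cookie."""
    if vary_on == "DNT":
        consent = request_headers.get("DNT") == "0"
    else:
        consent = "consent=yes" in request_headers.get("Cookie", "")
    return {"Vary": vary_on, "body": "personalised" if consent else "generic"}


def simulate(vary_on, requests):
    """Replay the requests through one shared cache; return (hits, misses)."""
    cache = SharedCache()
    for headers in requests:
        if cache.lookup(URL, headers) is None:
            cache.store(URL, headers, origin(headers, vary_on))
    return cache.hits, cache.misses
```

Running `simulate("DNT", DNT_REQUESTS)` needs only two origin fetches for six visitors, whereas `simulate("Cookie", COOKIE_REQUESTS)` forwards every request to the origin because each cookie value is unique.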
Received on Monday, 19 December 2016 18:57:09 UTC