IAB Comments to the Last Call Working Draft of the Tracking Preference Expression

IAB Comments to the Last Call Working Draft of the
Tracking Preference Expression (DNT)


The Interactive Advertising Bureau (IAB) appreciates the opportunity to provide comments to the Last Call Working Draft of the Tracking Preference Expression (TPE) specification.  IAB has participated in the W3C's Tracking Protection Working Group since its inception in 2011 and has dedicated a great deal of time and financial resources to help create a consensus product during the past 3 years.  While our bullet points below will focus on technical shortcomings of the current version of the TPE, we would be remise if we did not also take this opportunity to provide comments on the broader "DNT" process.

The W3C has always prided itself on having an open and inclusive standard setting process.  These ideals were evident when the W3C held the first meeting of the Tracking Protection Working Group and there were over 50 participants from a wide spectrum of interests, including regulators, academics, advocates, and industry representatives.  This dynamic created a frenzy of activity and the group continued to draw many participants for face-to-face meetings, during the weekly calls, and the listserv generated hundreds of emails per week.  However, over time the group became mired in complex discussions and was hampered by an overly-broad focus.  After nearly two years of work, it became evident to many participants that we would not be able to achieve "consensus" on a set of specifications.  I believe Jonathan Mayer captured the sense of futility best when he resigned from the group on July 30th, 2013, stating:

We have now held 10 in-person meetings and 78 conference calls. We have exchanged 7,148 emails. And those boggling figures reflect just the official fora.
The group remains at an impasse. We have sharpened issues, and we have made some progress on low-hanging fruit. But we still have not resolved our longstanding key disagreements, including: What information can websites collect, retain, and use? What sorts of user interfaces and defaults are compliant, and can websites ignore noncompliant browsers?

Our Last Call deadline is July 2013. That due date was initially January 2012. Then April 2012. Then June 2012. Then October 2012. We are 18 months behind schedule, with no end in sight.
There must come a stopping point. There must come a time when we agree to disagree. If we cannot reach consensus by next month, I believe we will have arrived at that time.

There has been a mass exodus from the Working Group since then, either through formal resignations or more often from widespread inactivity.  The group has not held a face-to-face meeting since May 2013 and meaningful discussion within the group has been nearly nonexistent since last Fall.  This is likely due to W3C leadership largely ignoring the clear will of the majority of the participants to stop work on the Compliance Spec and to focus on a narrow, technology spec.  Nearly all of the current drafting activity has been performed by the Co-Chairs of the Working Group or actual W3C staff.  In short, the W3C process is now devoid of the open and inclusive principles that are required by their bylaws.  We view this as a clear failure of the W3C leadership.

I would like to commend the Co-Chairs of the Working Group for their continued dedication to the process, one that has largely been forgotten by the rest of the World.  IAB remains a part of the Working Group because we believe that a functional TPE, one focused on technology implementation and not policy decisions, could make it possible for industry to recognize and respond to a consistent, accurate consumer expression set within their browser.  However, we are concerned by the fundamental flaws of the current W3C process.  It is dangerous to entrust the fate of a $100 Billion industry to a handful of individuals, many of whom bring a clear anti-business agenda to the table.  These concerns have been significantly magnified as drafting of the policy-oriented Compliance Spec has begun again.

In addition to the procedural concerns outlined above, IAB would like to identify the following technical shortcomings of the current TPE draft:


  *   The origin and validity of the signal cannot be confirmed, thus putting in doubt whether a consumer actually chose to turn it on or whether a company has made that decision for them.
     *   Legitimate DNT flags should reflect a user's choice to affirmatively turn on that signal. However, the TPE provides no means to ensure who turned on the signal and what point in the supply chain.
     *   We have already seen extensive "gaming" of the DNT:1 signal, as it is sent by default by some routers, plugins, and other intermediaries that have access to the setting or the HTTP headers.
     *   There is essentially no cost for intermediaries to turn on the DNT signal, thus companies can utilize this practice for their own profit motive to be seen as "competing on privacy".  The signal can quickly proliferate without ever being set by consumers.
  *   The definition of tracking is unworkably ambiguous and confusing to users and implementers alike.
     *   The definition is: "Tracking is the collection of data regarding a particular user's activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred. A context is a set of resources that are controlled by the same party or jointly controlled by a set of parties."
     *   The terms "set of resources" and "jointly controlled by a set of parties" together create a highly ambiguous definition that cannot be interpreted with any reasonable level of certainty, thus leaving many parties uncertain of how to respond to the signal, and more importantly, users uncertain of the meaning of the preference they are sending.
     *   "Control", and particularly "joint control" are legal terms with definitions dependent on local jurisdiction and factual context. Joint control could mean a joint operating agreement, common ownership, or merely an agreement to provide consulting or management services. Does joint control require a contractual arrangement? Does it require day-to-day involvement in managing the organization? Would a minority investment in a company qualify as joint control?
These questions are not answered in the specification and fall outside of the scope of a "technical" specification.  They are essentially legal and policy questions, the answer to which will vary wildly across the globe.

     *   The definition of tracking may be inconsistent with regulatory regimes.   If the aim of this specification is to provide a mechanism to satisfy the desires or requirements within particular jurisdictions, it fails to do so, and in fact may be completely inconsistent with regulatory approaches in various jurisdictions. The definition is not a technical element of the specification, but rather a policy element. It does not belong in the technical specification.
  *   User Agents are not required to support exceptions
     *   The protocol is a mechanism for users to express their preferences with regard to tracking. User preferences are not globally binary, but may vary depending on context and the parties the user is interacting with. Users should not be forced into an all or nothing choice. The protocol will not succeed without a mechanism for users to express granular choices. Therefore, user granted permissions should be a required feature for all user agents.
  *   The W3C has not indicated how it will measure the feasibility of the policy aspects of the TPE
     *   As explained above, this definition contains ambiguities that make it impossible to interpret, much less reliably test. How will the W3C determine the efficacy of the protocol and how will implementing parties test their own implementations.
Thank you again for this opportunity to provide comments to the current version of the TPE document.

Mike Zaneis
EVP & General Counsel
Interactive Advertising Bureau
(202) 253-1466

Follow me on Twitter @mikezaneis

Received on Thursday, 19 June 2014 02:27:40 UTC