Re: Comments on tracking-compliance.html from Justin Brookman on 2011-10-26 (public-tracking@w3.org from October 2011)

From: Justin Brookman <justin@cdt.org>
Date: Wed, 26 Oct 2011 10:43:15 -0400
To: public-tracking@w3.org
Message-ID: <4EA81C83.8050505@cdt.org>
On 10/26/2011 12:59 AM, Bjoern Hoehrmann wrote:
> At the moment there are only a few third parties that obtain data that
> can be used to track people on a global scale. If the Working Group was
> to define "consent", I would think it to be quite reasonable to look how
> these few organize their "consent to privacy policy" systems, which may,
> in the future, include provisions saying their logged-in users consent
> to be tracked by them even when visiting unrelated web sites that just
> happen to embed some widget they offer. Let's say Acme, Inc. offers some
> social networking web site with a billion users and they put a provision
> like that into their privacy policy. Some people might argue that Acme
> has designed their signup process so that people are discouraged to read
> the privacy policy and users do not actually affirm their consent when
> they sign up. That would lead the Working Group to argue about whether
> some entity is engaging in jailtime criminal conduct, and the result may
> be that the specification says such and such is good enough even though,
> in some jurisdictions, actually doing "that" puts you in jail.
>
> I do think the document can say useful things about consent, but it's a
> highly sensitive matter where a very specific definition specifically
> for "DNT" provides only very limited value, so the matter should be
> handled in a manner that is unlikely to create much controversy.
The document is not attempting to define what constitutes "Affirmative, 
Informed Consent" in any or all jurisdictions.  We do not have the power 
to do that.  We are defining that term for this particular protocol.  
Jailtime does not come into consideration.  Companies will have to 
follow each country's specific laws regardless of what we do.  All this 
spec says is that the request for permission has to be somewhere the 
user will be likely to notice.  Complying with that will not violate any 
law.  If a country imposes greater obligations --- request for 
permission has to be in 30-pt Comic Sans --- they can do that and 
companies will have to comply, but it doesn't effect our spec.

If a user today sets her browser to "block third party cookies," a third 
party cannot evade that control by putting in a license agreement "you 
consent to our placing third party cookies despite any browser 
settings."  Similarly, if a user sets her browser to "Do Not Track" (or 
whatever her browser calls the setting), Acme shouldn't be able to 
ignore that instruction by reserving the right to ignore that 
instruction in a place the user is unlikely to notice.  The whole point 
of this process is to give users a relatively simple and 
straight-forward control to limit cross-site tracking; if a third party 
wants to ignore the instruction, it should be upfront and get the 
informed consent of the user to ignore her personal setting.  I don't 
see how idea is controversial.  Users are going to be extremely confused 
and frustrated if their browser controls can be vitiated by obscure 
boilerplate.  The point of this process, however, is standardization, 
and it is appropriate for the group to give some clear guidance to third 
parties wishing to comply in good faith with the header how to ask for 
permission to track despite the setting.

> I think "behavioral tracking" needs to be notably different from just
> "tracking" in order to justify using a different term. Based on my own
> understanding of the terms and the draft, I find it difficult to argue
> the terms are notably different. If you consider more traditional cases
> of tracking, like a hunter may do in the woods in winter, it's hard to
> imagine data the hunter may obtain that's not based on behavior. It may
> be okay to use the term "behavioral tracking", but the document would
> have to explain more clearly how "behavioral tracking" is a very special
> form of "tracking".
I think I agree with this?  I don't care whether what we call it, 
"tracking" or "behavioral tracking" --- we should just pick a term and 
then define it to make clear that the spec applies to the the collection 
of passively-transmitted .url data (and whatever else we decide is in 
scope) instead of following deer in the woods.
Received on Wednesday, 26 October 2011 14:43:49 UTC