
Re: ACTION-152 - Write up logged-in-means-out-of-band-consent

From: Rigo Wenning <rigo@w3.org>
Date: Mon, 02 Apr 2012 18:53:15 +0200
To: Shane Wiley <wileys@yahoo-inc.com>
Cc: "public-tracking@w3.org" <public-tracking@w3.org>, Alan Chapell <achapell@chapellassociates.com>, Jeffrey Chester <jeff@democraticmedia.org>, Jonathan Mayer <jmayer@stanford.edu>, David Singer <singer@apple.com>, John Simpson <john@consumerwatchdog.org>
Message-ID: <1481543.Yt4FW8mkJj@hegel.sophia.w3.org>
On Monday 02 April 2012 08:40:00 Shane Wiley wrote:
> Interestingly I believe it is your argument that attempts at eating its
> cake and having it too.

I think you misunderstand. I give you the option of either eating the cake 
or having it ;) So I mention both options in one email. That doesn't mean 
both can be taken equally. It is either or.
> 
> The issues this group is wrestling with will have impacts on the privacy
> debate far beyond the reach of DNT.  I'm not sure how often you work in
> the internet advertising world or how much history you have with the specifics
> of the privacy legal debate both in the US and the EU

I started in 1999 and haven't stopped since...

> , but there will be
> no way to isolate the "appropriate consent" structure as applying only to
> DNT.  

BTW, JC's solution didn't talk about appropriate consent. "Appropriate 
consent" is not the only solution to our issue. I hate trenches. 

> This is exactly the reason advocates in this conversation are
> pushing so hard on these dimensions as they see this as an opportunity to
> solve multiple privacy topics in a single pass (Jonathan has said as much
> in email and in f2f meetings).  While I'm supportive of solving all of
> the privacy debate, I believe it will be impossible to do this in our
> stated timeframe - if ever - as I believe many of these debates will live
> far into the future as our cultures and the Internet evolve together.

But why should W3C be responsible for out of band legislation that takes 
into account our tool? There is the definition of the tool and there is how 
it is then used in a certain regional context. If you don't want the US 
taking into account consent beyond DNT, the regional opinion building has to 
be influenced in that way.  You're telling me that if we attempt to have a 
minimum signaling and not simply give in on any outside rule, this will 
change the US market. But I think there are some steps between A and B.

Simple solution: We do not address out of band agreements and you fall back 
to your usual 22 pages of legalese. The same way that a service tells DNT 
not implemented. But claiming out of band agreement and compliance is not 
working together without definition of "out of band agreement". 

So either compliance and some rules or no compliance statement and no rules.
(here is your cake)

But accepting all outside rules from undefined rulemakers is not an 
option. Imagine I would say IETF rules trump DNT. Or ISO 29100 trumps DNT. 
Note that the ISO 29100 may contain surprises like in the coffee maker 
example. 
> 
> I don't see the disconnect (eat/have cake) between saying out-of-band
> consent trumps DNT and then allowing local law to define what is
> appropriate consent.  

In this case, your local law defines what DNT compliance means. And this 
returns to 42 pages of legalese that have brought us into the situation we 
are in. In this case everything is DNT compliant. Thus DNT becomes 
meaningless. Ideally, DNT defines a subset of all possible worlds. If all 
possible worlds can trump DNT and still claim to be DNT, DNT is all possible 
worlds and not a subset thereof anymore.

> In fact, I believe there will be many areas of this
> standard that will need to follow this formula.  We've already agreed as
> a working group that we don't believe direct references to regional laws
> are appropriate in the standards documents (fine for conversation as a
> testing mechanism) - rather we'd simply state "in compliance with local
> law".  I see several conversations within the TPWG as attempting to
> override local law by setting some default, pan-global privacy standard
> outside of DNT - "appropriate consent" is just one of these.

Apart from the pan-global thingy (I remember how painful it was when W3C in 
2000 was accused of being the government of the internet and how much we 
invested to get out of that false perception): 
We have a use case (from me), we have a solution (from JC), so why insist 
on a general loophole? I haven't started the "this trumps that" simplicity. 
:) I think "this trumps that" is a dead end. We can do better, be smarter.

Rigo
Received on Monday, 2 April 2012 16:53:44 UTC
