
Re: Mandatory Legal Process (ACTION-57, ISSUE-28)

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Thu, 2 Feb 2012 14:54:39 -0800
To: John Simpson <john@consumerwatchdog.org>
CC: Justin Brookman <justin@cdt.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <FBFF74D3-1802-4DEE-B6D0-B83EA7777BF0@yahoo-inc.com>
Thank you John.  For the reasons I articulated I would recommend we remove this provision altogether or provide a MAY stance.

Sent from Shane's mobile

On Feb 2, 2012, at 2:39 PM, "John Simpson" <john@consumerwatchdog.org> wrote:

Shane,

As I understood Justin's proposed language below it's the specific case where the site is legally compelled to collect data despite DNT being enabled.  His language says the affected user "SHOULD" be notified, but he raised the question of whether it ought to be MUST. I thought the stronger language, a MUST, was better.

Thanks,
John


On Feb 1, 2012, at 6:23 PM, Shane Wiley wrote:

John,

A company may be legally compelled to gather and share data despite DNT:1 so I’m not understanding the ask here.  Are you asking for a broad disclosure of this fact somewhere on a party’s website or are you asking that sites provide notice to specific users if their information has been legally requested?  If the former, most websites already state they follow the law (and are of course subject to those laws even if they don’t state it).  If it’s the latter, this is a significant request, very expensive, and feels outside the scope of this standard.  As the working group has agreed in some part in the past, we should strive to not link legal entanglements into the DNT standard (Patriot Act, ECPA, ePrivacy Directive, EU Data Protection Regulation draft, etc.).

- Shane

From: John Simpson [mailto:john@consumerwatchdog.org]
Sent: Wednesday, February 01, 2012 3:40 PM
To: Justin Brookman
Cc: public-tracking@w3.org
Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)

This is different than saying that the standard does not attempt to override applicable laws.  Justin's language is aimed at telling the user that a party has been legally required to gather data despite DNT 1.  I like it and would be inclined to make it a "must."


On Jan 31, 2012, at 1:01 PM, Justin Brookman wrote:



Revising Jonathan's text based on this string:



A party MAY take action contrary to the requirements of this standard if compelled by applicable law.  If compelled by applicable law to collect, retain, or transmit data despite receiving a DNT:1 signal for which there is no exception or exemption, the party SHOULD notify affected users to the extent practical and allowed by law.



I suggest "applicable law" instead of "mandatory legal process" both to accommodate David's concern about using contract to compel and because a statute could mandate the retention of IP logs (for example) without serving a subpoena or court order (which is what "process" means to me).  Feel free to revise the terms "exception or exemption" --- I was trying to convey the two scenarios of

(1) operational data collection/use/retention is allowed even if DNT is on and/or

(2) the user has given permission to a company to track,

but I haven't gotten all the way through the ponderous thread on the meanings of exception/exemption.



I also don't think a requirement to tell users when DNT is being ignored because of government action is at all out of scope.  I'm suggesting SHOULD as a placeholder but think a MUST is worth a discussion.  However, it's relevant to note that we don't require (or even offer SHOULD guidance) that companies inform users about operational collection/usage/retention (exceptions???) that is allowed despite the DNT header.

Justin Brookman

Director, Consumer Privacy Project

Center for Democracy & Technology

1634 I Street NW, Suite 1100

Washington, DC 20006

tel 202.407.8812

fax 202.637.0969

justin@cdt.org

http://www.cdt.org

@CenDemTech

@JustinBrookman

On 1/31/2012 2:40 PM, Shane Wiley wrote:
If the concern is that a party can somehow contract their way out of DNT compliance (versus other types of legal/government obligations) then I’m fine with calling that out more directly.

- Shane

From: David Singer [mailto:singer@apple.com]
Sent: Tuesday, January 31, 2012 12:36 PM
To: Shane Wiley
Cc: John Simpson; Amy Colando (LCA); Joanne Furtsch; MeMe Rasmussen; Tom Lowenthal; Jonathan Mayer; public-tracking@w3.org
Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)


On Jan 31, 2012, at 19:22 , Shane Wiley wrote:



Agreed – NO text seems like the appropriate path (in agreement with Amy and John).

well, the rationale was way back at the end of the thread.  it's two-fold:

a) you can send DNT, but don't forget that tracking may still happen if legally required - there is a 'legislation exception'
b) a notification of a 'legislation exception taken' will be signaled if legally possible, but under some laws, notification itself is not allowed.

we can also explain that having a *contract* that 'forces' you to track is not a valid exception...

David Singer
Multimedia and Software Standards, Apple Inc.


----------
John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd. ,Suite 200
Santa Monica, CA,90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org
john@consumerwatchdog.org


Received on Thursday, 2 February 2012 22:56:08 UTC
