
Re: meaning of DNT 1 and DNT 0 when sent by user agents [ISSUE-78]

From: Sean Harvey <sharvey@google.com>
Date: Tue, 17 Jan 2012 20:18:56 -0500
Message-ID: <CAFy-vudnh0O-YM9fJU-3QUJCH67RAFDW0Fr8ro-ZU-gtL0V5Kw@mail.gmail.com>
To: Rigo Wenning <rigo@w3.org>
Cc: Kevin Smith <kevsmith@adobe.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Hi Rigo,

It is disappointing to hear this sort of bad faith expressed at this point
in the process. It doesn't bode especially well for the success of our
Brussels meeting if we cannot collectively acknowledge that, while
differing opinions may be expressed on these email chains, everyone on this
committee is trying in good faith, through their diverse perspectives, to
come up with a standard that is both good for users and implementable by
the businesses they encounter on the web.

A review of the email chains and notes from previous in-person meetings
over the past months will show that I among others have explicitly called
out the need to disallow first parties from sharing data "on the backend"
with third parties. I have been calling this out consistently throughout
this process, and I'm glad that you're now joining me to speak up on the
same topic.

In fact, that is the very reason why I think cross-site tracking is a
better paradigm than the imperfect proxy of first vs third partyness. While
I'm open to sticking with 1st vs 3rd if that's how the consensus emerges,
cross-site tracking and/or data sharing is a more elegant, less potentially
loophole-intensive way to ensure that even the first parties that you
interact with are not allowed to share data with third parties after the
event has taken place.

For the record, and speaking for myself, where I raise objections to
language proposed by others in the group, it is not out of a desire to find
loopholes or somehow defile the spirit of the committee's work; it's
typically because of a concern that a given set of proposed language is
either non-implementable, or a vague, moving target that provides no clear
guidance to either companies attempting compliance or regulators seeking to
measure that compliance.

I've interpreted my role as a co-editor as being someone who is enabling of
group consensus, not controlling of the process. In that spirit I commit to
listening to my counterparts in Brussels with an open mind and working to
come up with a standard that is good for users and implementable by
companies. I trust that you, and the rest of the committee as well, will do
the same.

sean

On Tue, Jan 17, 2012 at 4:55 PM, Rigo Wenning <rigo@w3.org> wrote:

> Kevin,
>
> On Tuesday 17 January 2012 09:02:16 Kevin Smith wrote:
> > I was not actually commenting on W3C procedure as much as I was mentioning
> > that it seems trivial and inefficient to argue over specific wording when
> > the underlying decisions have yet to be made, especially when making those
> > decisions will also resolve the argument as well, which I believe to be the
> > case here.
>
> First of all, I think the "cross-site" or 1st vs 3rd party were all very
> clever diversions to save the analytics business. In fact, as long as the web
> site owner collects data (and any kind of data and whatever data) this is just
> fine. <irony>Only those evil ad networks have brought us into trouble. They are
> evil third parties doing cross-site tracking and analysis</irony>
>
> But in the US context (that triggers all the debate about first/third
> cross-site/original) it doesn't matter at all, who collects the data as they can
> exchange it freely in the back end. There is no general privacy law, let alone
> one on data protection. And because data serves innovation, the US government
> is very reluctant to just mow data collection down.
>
> I am personally (and not as W3C) reluctant to make those distinctions. Because
> I think the Web and its direct connection between all actors will be much
> smarter than any kind of distinction we can come up with.
>
> But it would be on the other hand a bit derailing for the discussion, if I
> would now ask to focus on a risk analysis. What do we want to protect? Is it
> mere compliance to a feared regulator action while privacy is also a defense
> against the regulating government? If this risk analysis has a result that
> certain collection practices done by first parties within the same side are
> endangering democracy, we shouldn't glue to false principles and address that.
>
> If on the other hand, some third party collections are just Ok, I don't see
> why we should demonize that collection only because it is "cross-site" or
> "third party".
>
> And everybody waits that we deliver quickly. So can we really afford changing
> that discussion? Frankly, I don't know. On the other hand, remaining in the
> technology trenches doesn't buy us much either. Delaying doesn't further
> privacy protection on the web and increases the eagerness for harsh
> countermeasures of technologic and social nature by those waiting for us to
> deliver something.
>
> >
> > The question of our ultimate objective needs to be answered.
>
> I agree with you. But you have to start thinking about what you can give up.
> And clearly state what you can't give up and why. (without revealing business
> secrets.. ) What is the risk we try to tackle and what is the benefit we'll
> lose?
> >
> > One proposed objective is:
> >
> > **To provide a mechanism whereby a user can indicate preference to disallow
> > cross-site tracking**
>
> See and others say, DNT is to provide a mechanism to indicate a preference
> full stop. By introducing the "cross-site" you draw the discussion about the
> "ultimate objective" into the TPE Spec where it does NOT belong IMHO. Because
> the use of that tool will perhaps change by region and over time.
> >
> > I do not believe I am alone in thinking that we at one time had consensus
> > that this was our objective.  However, I am no longer sure this is the
> > case.  It sounds like some parties would prefer an objective closer to:
> >
> > Prevent cross-tracking + X
>
> I never had the impression of such a consensus. But coming back to process. It
> is on the chairs to state whether they see (and suggest a wording for) a
> consensus.
> >
> > However, I have not seen any clear proposals as to what X should be.
>
> See above. There were many concerns expressed, many times, in the Workshops
> predating the WG and in WG discussions. See my remarks above about a
> risk-based discussion..
>
> > I have
> > seen a few suggestions focusing on different privacy related issues, but
> > nothing comprehensive nor anything that has gained any real traction within
> > the group as a whole.
>
> Which is fragmentation. And fragmentation is the opposite of consensus as far
> as I understand it. We should intelligently seek for common grounds between
> the parties instead of defending the trenches.
>
> > However, if the group decides to expand upon or
> > completely go away from the objective of preventing cross-site tracking,
> > then I am confident that the documents will be changed
> > accordingly.
>
> I think it will be impossible to only address the "cross-site" aspects of the
> massive profiling that is happening without risking to be accused to try to
> escape from the real issues.
>
> How do you prevent abuse of such profiles? What aspects of consumer protection
> are we willing to honor if a user indicates by setting DNT that he wants to be
> left alone for a moment.
> But how can we manage to make the "opt-back-in" really easy and a tool for
> businesses with good practices? So that they gain advantages in the market and
> acquire more users than the evil guys who just rip off every bit they can get?
> If convincing users to allow data collection is hard, DNT has missed an
> opportunity.
>
> > Likewise, if the objective is once again (or perhaps for the
> > first time) solidified as mentioned above, then most objections to the
> > current language will likely dissipate leaving only organizational
> > discussions remaining on this topic.
>
> I think the conflict around the terminology here is just a proxy war around
> certain collection practices. But I confess that we are doing our
> argumentation in public and it is probably necessary to have indirect
> argumentation.
> >
> > I therefore recommend again that this topic be tabled until at least the
> > above decision has been made.
>
> I agree it is not good for our discussion to make a show-down on "cross-site"
> vs not "cross-site". Because "cross-site" is as difficult a distinction as 1st
> vs 3rd party. Additionally, "cross-site", by logic, requires two parties. A
> first and a second/third party.
>
> Whether data is collected via 10 first parties using the same analytics
> provider or by 1 third party being embedded into 10 sites doesn't really
> matter. Does it? Can they afford to let some of the traffic drop out? How much
> can drop out until the analysis is not accurate enough anymore to make sense?
>
> Best,
>
> Rigo
>
>
>


-- 
Sean Harvey
Business Product Manager
Google, Inc.
212-381-5330
sharvey@google.com
Received on Wednesday, 18 January 2012 01:19:34 UTC
