Re: Mandatory Legal Process (ACTION-57, ISSUE-28)

I am fine with several of these formulations.  However, also...

I think that, for completeness, the specification should also have a section which describes a 'legal exception', when tracking is legally required.  Sometimes the service will be able to notify the user that they are claiming the legal exception, but I think there are some cases where the law will require tracking and forbid notification.  Nonetheless, our document can and should alert the community that there may be government-required tracking.

The legal exception should also document that it's only applicable to tracking required by law, not by contract or other voluntary legal instruments.  "We're tracking you because our contract with Intrusive Experts Inc. requires it" is not a good reason :-)


On Jan 30, 2012, at 23:47 , Amy Colando (LCA) wrote:

> In order to make sure that W3C process is moving along, I am formally proposing alternative text for Issue 28 as follows:
> 
> either NO text at all on this point, or text that states the fact that "this specification is not intended to override applicable laws and regulations."
> 
> (Matthias, please pester me separately if this is not what you need.)
> 
> -----Original Message-----
> From: Joanne Furtsch [mailto:jfurtsch@truste.com] 
> Sent: Wednesday, January 25, 2012 8:47 PM
> To: MeMe Rasmussen; Amy Colando (LCA)
> Cc: Shane Wiley; Tom Lowenthal; Jonathan Mayer; David Singer; public-tracking@w3.org
> Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
> 
> Another +1 to Shane and Amy.  Shane's recommendation makes sense - adding some language to the preamble as to what the standard does not intend do.
> 
> On 1/25/12 11:26 AM, "MeMe Rasmussen" <meme@adobe.com> wrote:
> 
>> +1 to Shane and Amy.  I actually don't even think we need Shane's
>> language.  It goes without saying that parties should comply with the 
>> law and that a standard wouldn't override law.  I don't have a problem 
>> saying it. I just think it is unnecessary. I tend to be a proponent if 
>> less is more.
>> 
>> Sent with my thumbs. Please excuse typos.
>> 
>> On Jan 25, 2012, at 7:13 PM, "Amy Colando (LCA)" 
>> <acolando@microsoft.com>
>> wrote:
>> 
>>> I agree with Shane that the text should simply state that there may 
>>> be legal requirements that this standard is not intended to override.
>>> 
>>> As a very realistic example, not only are entities required to comply 
>>> with potentially differing breach notification laws, but in some cases 
>>> are subject to legal subpoenas (as for example in cases of child 
>>> pornography investigations) where disclosure to the subject is 
>>> expressly prohibited by the terms of the subpoena.
>>> 
>>> I recommend strongly that we stick to the technical standards 
>>> necessary for interpreting the DNT signal without attempting to 
>>> overwrite state and federal laws (and in a very timely manner, EU 
>>> directives) on data breach and required disclosures.  The more 
>>> additional legal requirements we hitch to this standard, the more 
>>> complex and daunting the implementation becomes for websites.
>>> 
>>> -----Original Message-----
>>> From: Shane Wiley [mailto:wileys@yahoo-inc.com]
>>> Sent: Wednesday, January 25, 2012 10:57 AM
>>> To: Tom Lowenthal; Jonathan Mayer
>>> Cc: David Singer; public-tracking@w3.org
>>> Subject: RE: Mandatory Legal Process (ACTION-57, ISSUE-28)
>>> 
>>> Tom,
>>> 
>>> I look forward to broader discussion on this issue.  In many 
>>> jurisdictions we already have both legal process disclosure and 
>>> security breach laws and I don't believe the DNT Specification is the 
>>> appropriate location for use to somehow alter a parties 
>>> responsibilities in those matters.  It honestly feels like an overreach (but a well intended one).
>>> 
>>> - Shane
>>> 
>>> -----Original Message-----
>>> From: Tom Lowenthal [mailto:tom@mozilla.com]
>>> Sent: Wednesday, January 25, 2012 7:50 PM
>>> To: Jonathan Mayer
>>> Cc: David Singer; public-tracking@w3.org; Shane Wiley
>>> Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
>>> 
>>> I think that Jonathan's proposal makes much more sense when 
>>> considered form the perspective of the user, and their threat model 
>>> regarding their data.. When they switch on DNT, they're trying to 
>>> limit their data going to third parties. If we permit third parties to 
>>> collect some data anyway, this third-party data isn't meaningfully 
>>> accounted for in the user's mental model of where their data is. If it 
>>> wanders off, they should be alerted about it.
>>> 
>>> It's an additional safeguard on data collected by third parties. If 
>>> you're a third party then your data collection is significantly 
>>> limited by DNT: you can only collect it for certain enumerated 
>>> purposes, you have to engage in minimization and sometimes reasonable 
>>> technical or operational precautions. This is just another defense 
>>> that users' get for third-party data collection.
>>> 
>>> However, I do agree with you Shane that the addition of this 
>>> responsibility just for legal process is a little odd. It would 
>>> probably make more sense to apply this to involuntary data disclosure 
>>> of any form, whether through legal process or a data breach. I further 
>>> agree with Sean that this is a new provision, and should probably get 
>>> an issue, and some time on the call. On the plus side, we basically 
>>> already have draft text!
>>> 
>>> On Wed 25 Jan 2012 07:25:40 PM CET, Jonathan Mayer wrote:
>>>> Some relevant U.S. legal background: web tracking may soon fall 
>>>> within the Fourth Amendment's compelled disclosure rules.
>>>> 
>>>> From Justice Sotomayor's concurrence in United States v. Jones:
>>>> 
>>>> More fundamentally, it may be necessary to reconsider the premise 
>>>> that an individual has no reasonable expectation of privacy in 
>>>> information voluntarily disclosed to third parties. E.g., Smith, 442 
>>>> U. S., at 742; United States v. Miller, 425 U. S. 435, 443 (1976). 
>>>> This approach is ill suited to the digital age, in which people 
>>>> reveal a great deal of information about themselves to third parties 
>>>> in the course of carrying out mundane tasks. People disclose the 
>>>> phone numbers that they dial or text to their cellular providers; 
>>>> the URLs that they visit and the e-mail addresses with which they 
>>>> correspond to their Internet service providers; and the books, 
>>>> groceries, and medications they purchase to online retailers. 
>>>> Perhaps, as Justice Alito notes, some people may find the tradeoff 
>>>> of privacy for convenience worthwhile, or come to accept this 
>>>> diminution of privacy as inevitable, post, at 10, and perhaps not. I 
>>>> for one doubt that people would accept without complaint the 
>>>> warrantle
>>> ss disclosure to the Government of a list of every Web site they had 
>>> visited in the last week, or month, or year.
>>>> 
>>>> On Jan 25, 2012, at 7:22 PM, Jonathan Mayer wrote:
>>>> 
>>>>> The text I've proposed addresses web information practices for DNT 
>>>>> users.  By all means argue why organizations shouldn't inform their 
>>>>> users of compelled disclosure, but I think this text is 
>>>>> unambiguously within the working group's scope.
>>>>> 
>>>>> On Jan 25, 2012, at 7:15 PM, Shane Wiley wrote:
>>>>> 
>>>>>> I believe attempts to "add on" to the party responsibilities 
>>>>>> within legal process "outside of the DNT standard" is outside of 
>>>>>> scope of the working group.  Instead I would suggest the preamble 
>>>>>> of each document simply state "this standard is not intended to 
>>>>>> override local, state, or country law."
>>>>>> 
>>>>>> - Shane
>>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: Tom Lowenthal [mailto:tom@mozilla.com]
>>>>>> Sent: Wednesday, January 25, 2012 7:11 PM
>>>>>> To: David Singer; public-tracking@w3.org
>>>>>> Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
>>>>>> 
>>>>>> I don't think we need anything apart from Jonathan's text. I'd 
>>>>>> argue that for process applied to data collected in a third party 
>>>>>> capacity, notification is a must; for first party data, a should; 
>>>>>> and for any breach where you must notify some users, you must notify all users.
>>>>>> 
>>>>>> On Wed 25 Jan 2012 06:43:06 PM CET, David Singer wrote:
>>>>>>> 
>>>>>>> On Jan 25, 2012, at 16:12 , Jonathan Mayer wrote:
>>>>>>> 
>>>>>>>> Proposed text:
>>>>>>>> 
>>>>>>>> A party MAY take action contrary to the requirements of this 
>>>>>>>> standard if compelled by mandatory legal process.  To the extent 
>>>>>>>> allowed by law, the party MUST (SHOULD? MAY? non-normative?) 
>>>>>>>> notify affected users.
>>>>>>> 
>>>>>>> which means we need a 'legal exception'?
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> David Singer
>>>>>>> Multimedia and Software Standards, Apple Inc.
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>>> 
>>> 
>> 
>> Confidentiality Notice: The contents of this e-mail (including any
>> attachments) may be confidential to the intended recipient, and may 
>> contain information that is privileged and/or exempt from disclosure 
>> under applicable law. If you are not the intended recipient, please 
>> immediately notify the sender and destroy the original e-mail and any 
>> attachments (and any copies that may have been made) from your system 
>> or otherwise. Any unauthorized use, copying, disclosure or distribution 
>> of this information is strictly prohibited. <ACL>
>> 
>> 
> 
> 
> 

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Tuesday, 31 January 2012 09:13:38 UTC