Re: Today's call: summary on user agent compliance

From: Tamir Israel <tisrael@cippic.ca>
Date: Sun, 10 Jun 2012 15:52:11 -0400
Message-ID: <4FD4FAEB.6090502@cippic.ca>
To: Jonathan Mayer <jmayer@stanford.edu>
CC: Alan Chapell <achapell@chapellassociates.com>, ifette@google.com, Shane Wiley <wileys@yahoo-inc.com>, Jeffrey Chester <jeff@democraticmedia.org>, Ninja Marnau <nmarnau@datenschutzzentrum.de>, Rigo Wenning <rigo@w3.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, David Singer <singer@apple.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>

Jonathan's summary is accurate.

To be clear, the Canadian framework does not necessarily put any legal 
obligations on user agents in this context, but only on servers. 
However, as I hope members of this group are well aware, exchanges 
between users and third party servers they have never interacted with 
raise serious technical challenges that are quite difficult to manage 
without the assistance of a UA.

While there are certainly numerous potential mechanisms for addressing 
this consent requirement, I think, in practical terms, it is quite 
difficult to achieve without the assistance of a UA-based mechanism. 
Particularly difficult is the need to provide users with an opt-out 
mechanism that is persistent, immediately effective, and easily employed 
at or before time of collection.

More specifically, the DNT spec seems to meet many of these requirements 
by and large. Where it seems to break down is if servers can 
unilaterally reject a facially valid DNT-1. It could potentially be 
remedied by requiring a level of conformance within the spec. One 
challenge I think is a practical one -- services tend to deploy US-like 
implementations in Canada, as opposed to EU-like ones.

Best,
Tamir

On 6/10/2012 12:37 PM, Jonathan Mayer wrote:
> Alan,
>
> The OPC's new position paper on behavioral advertising is available at 
> http://www.priv.gc.ca/information/guide/2012/bg_ba_1206_e.asp.  It 
> provides generalized guidance in the field; as I noted, it does not 
> gauge current programs.  ("While the OPC does not provide advance 
> rulings and any future complaints under PIPEDA on the subject of 
> behavioural advertising will therefore need to be assessed on a 
> case-by-case basis, it is nevertheless possible and appropriate to 
> provide general guidance concerning the likely compliance and 
> non-compliance of certain behavioural advertising practices."  That 
> said, in one place the paper does appear to slip up: "[t]he paper will 
> also present some specific recommendations to bring OBA practices into 
> compliance with PIPEDA.")
>
> There are a number of areas where the current self-regulatory programs 
> fall short.  Working through the OPC's rubric: notice of purposes that 
> is "obvious" and "clear and understandable," notice of parties 
> participating in behavioral advertising, ease of opt out, persistence 
> of opt out, limits on sensitive data, and strict (not "reasonable") 
> minimization.  The paper also calls for special protections for 
> children and a prohibition against certain non-cookie tracking 
> technologies.  I recognize there are some companies and trade groups 
> that would (and do) make the stretch argument that self-regulation 
> satisfies all these thresholds.  In my plain reading it does not, 
> and the OPC's analysis reflects a keen understanding of current 
> policymaking and research in the third-party web tracking space.
>
> In closing, I want to be sure to note that my aim here is not to 
> reopen the long-standing "is self-regulation sufficient?" debate.  I'm 
> just trying to describe where Canadian law stands.
>
> Jonathan
>
> On Saturday, June 9, 2012 at 9:53 PM, Alan Chapell wrote:
>
>> Jonathan,
>>
>> Can you please expand the legal opinion you've provided on Canadian 
>> privacy law to help me (us) understand how the new position paper 
>> from the Office of the Privacy Commissioner characterizes the 
>> NAI/DAA/IAB Canada programs as deficient? Thanks.
>>
>>
>> Cheers,
>>
>> Alan Chapell
>> Chapell & Associates
>> 917 318 8440
>>
>>
>> From: Jonathan Mayer <jmayer@stanford.edu>
>> Date: Saturday, June 9, 2012 8:04 PM
>> To: <ifette@google.com>
>> Cc: Tamir Israel <tisrael@cippic.ca>, 
>> Shane Wiley <wileys@yahoo-inc.com>, 
>> Jeffrey Chester <jeff@democraticmedia.org>, 
>> Ninja Marnau <nmarnau@datenschutzzentrum.de>, 
>> Rigo Wenning <rigo@w3.org>, 
>> Bjoern Hoehrmann <derhoermi@gmx.net>, 
>> David Singer <singer@apple.com>, 
>> "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
>> Subject: Re: Today's call: summary on user agent compliance
>> Resent-From: <public-tracking@w3.org>
>> Resent-Date: Sun, 10 Jun 2012 00:05:39 +0000
>>
>> Some background on Canadian privacy law may be helpful.  The 
>> comprehensive federal privacy statute (PIPEDA) does allow for opt-out 
>> choice mechanisms in some cases.  But an opt-out mechanism is only 
>> compliant if it meets thresholds for transparency, ease of use, and 
>> other requirements.
>>
>> At the W3C workshop in Princeton, a representative of the Office of 
>> the Privacy Commissioner voiced that the current self-regulatory opt 
>> outs fall short.  The OPC issued a new position paper this past week; 
>> it does not directly address the legality of current practices (owing 
>> to a prudential limit on advisory opinions), but in a plain reading 
>> the NAI/DAA/IAB Canada programs are quite deficient.
>>
>> In sum: online advertising companies may currently operate in 
>> violation of Canadian law.  Do Not Track could bring them into 
>> compliance—but it certainly won't if companies ignore the most 
>> popular browser's implementation.
>>
>> Jonathan
>>
>> On Saturday, June 9, 2012 at 12:49 AM, Ian Fette (イアンフェッティ) 
>> wrote:
>>
>>> On Fri, Jun 8, 2012 at 7:56 PM, Tamir Israel <tisrael@cippic.ca> wrote:
>>>> Hi Ian,
>>>>
>>>>
>>>> On 6/8/2012 10:03 PM, Ian Fette (イアンフェッティ) wrote:
>>>>> Tamir and others,
>>>>>
>>>>> I don't think the point is to say "a server merely notifies the 
>>>>> user they will ignore their DNT-1 signal, that this is sufficient 
>>>>> to gain user consent for server tracking.".
>>>>>
>>>>> Many jurisdictions don't require explicit opt-in consent for 
>>>>> "server tracking". Take the US for example. In this case, as long 
>>>>> as we're not promising something that we fail to deliver, there is 
>>>>> no problem here.
>>>>>
>>>>> I think you are getting hung up on the case where, in some 
>>>>> countries depending on what finalized legislation comes out, there 
>>>>> might be a requirement to obtain explicit opt-in consent. I agree 
>>>>> with you that the mere act of rejecting the user's DNT:1 signal is 
>>>>> not explicit opt-in consent in that context, and the website would 
>>>>> probably have to take further steps to obtain that explicit opt-in 
>>>>> consent. But that does not need to be the problem of this working 
>>>>> group or specification.
>>>>
>>>> The issue I'm trying to address is a scenario where opt-out consent 
>>>> is required. Functionally, the Canadian system operates much like 
>>>> the US in practice (servers are seemingly free to track without 
>>>> asking [as long as there is a readily available mechanism for 
>>>> opting out]). Typically, U.S.-based businesses find this to be a 
>>>> benefit, since their Canadian implementations can match their US 
>>>> implementation (given our physical proximity).
>>>>
>>>> The similarities in regime break down, however, where a server 
>>>> rejects a DNT-1 (because it was set by default), and there is no 
>>>> alternate mechanism left for the user to opt-out. As the server can 
>>>> no longer rely on implicit/opt-out consent in this case, presumably 
>>>> they can no longer track.
>>>>
>>>
>>> I'm not sure I follow you. Surely, Canadian users can use the 
>>> Internet today without hitting this legal dilemma. If DNT is not 
>>> available as a negotiation mechanism, either because the site 
>>> doesn't support it at all or chooses not to support it for a given 
>>> set of user agents, then you are in the same situation that you are 
>>> in today. Whatever mechanisms are in place today are not going to 
>>> cease to exist with the rollout of DNT. So, I would presume you 
>>> would solve this situation the same way you solve it today.
>>>
>>>>
>>>>     The point of DNT is to allow a user to express a preference on
>>>>     tracking. The point of DNT is not to solve the EU regulatory
>>>>     debacle, or any other country-specific regulations. If it can
>>>>     be useful in that manner, then great, but I continue to
>>>>     question whether we should allow this working group to get
>>>>     continually railroaded into trying to solve country-specific
>>>>     regulatory problems.
>>>
>>>     The group may well decide to leave it to regulators in various
>>>     countries to decide how to solve their own specific regulatory
>>>     problems around the spec, but I think it is fully legitimate to
>>>     at least attempt to address these here.
>>>
>>>
>>> I agree it's worth understanding what it would take to address them 
>>> and try to do so if it's at zero to no cost, however lately it seems 
>>> like it has become the primary focus and adding great complications, 
>>> as opposed to an add-on to be done if it's straightforward.
>>>> Best regards,
>>>> Tamir
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jun 8, 2012 at 10:59 AM, Tamir Israel <tisrael@cippic.ca> wrote:
>>>>>> Hi Shane,
>>>>>>
>>>>>> I want to reiterate what I said earlier on -- I understand there 
>>>>>> is already an agreement on defaults in the group, and it is not 
>>>>>> my intention to question that.
>>>>>>
>>>>>> However, in this context, I'm not clear that where a server 
>>>>>> merely notifies the user they will ignore their DNT-1 signal, 
>>>>>> that this is sufficient to gain user consent for server tracking.
>>>>>>
>>>>>> Let me explain. The basis for tracking under the current spec is 
>>>>>> that the server is gaining implicit, opt-out consent to track the 
>>>>>> user. The 'opt-out' consent is mediated through the UA's browser 
>>>>>> mechanism. Now, if the server is saying 'I will ignore your DNT-1 
>>>>>> because I deem it non-compliant', there is no longer an opt-out 
>>>>>> consent mechanism in place for the server to rely on.
>>>>>>
>>>>>> Best,
>>>>>> Tamir
>>>>>>
>>>>>>
>>>>>> On 6/8/2012 11:29 AM, Shane Wiley wrote:
>>>>>>> Tamir,
>>>>>>>
>>>>>>> While I agree it does add a degree of uncertainty initially, as 
>>>>>>> long as the outcome is completely transparent to the user then I 
>>>>>>> believe the appropriate outcome has been reached.
>>>>>>>
>>>>>>> We are attempting to resolve this in the specification by 
>>>>>>> appropriately signaling to a user that they will not honor the 
>>>>>>> DNT signal from a specific UA.
>>>>>>>
>>>>>>> - Shane
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>>>>> Sent: Friday, June 08, 2012 8:11 AM
>>>>>>> To: Shane Wiley
>>>>>>> Cc: Jeffrey Chester; Ninja Marnau; Rigo Wenning; 
>>>>>>> ifette@google.com; Bjoern Hoehrmann; 
>>>>>>> David Singer; public-tracking@w3.org (public-tracking@w3.org)
>>>>>>> Subject: Re: Today's call: summary on user agent compliance
>>>>>>>
>>>>>>> Hi Shane,
>>>>>>>
>>>>>>> I suppose the question is what the objective here is.
>>>>>>>
>>>>>>> Allowing any entity to unilaterally question the validity of a 
>>>>>>> facially valid signal introduces a great degree of uncertainty 
>>>>>>> into the equation, and since this is an anticipated source of 
>>>>>>> disagreement and confusion, it might be better to explore 
>>>>>>> addressing it within the spec.
>>>>>>>
>>>>>>> On 6/8/2012 10:16 AM, Shane Wiley wrote:
>>>>>>>> Jeff and Ninja,
>>>>>>>>
>>>>>>>> I respectfully disagree and believe any standard that has 
>>>>>>>> outlined what a valid signal should consist of (in our case, 
>>>>>>>> that a user has activated this signal directly) then any signal 
>>>>>>>> not meeting the standard is itself non-compliant and therefore 
>>>>>>>> should allow Servers to appropriately respond to users that 
>>>>>>>> their current UA is non-compliant and therefore will not be 
>>>>>>>> honored - again, hopefully with options for valid UAs the user 
>>>>>>>> can access their free services with.  If the user doesn't feel 
>>>>>>>> comfortable with this outcome WHICH IS COMPLETELY TRANSPARENT, 
>>>>>>>> they can decide to keep consuming those free services with DNT 
>>>>>>>> not being honored, not access the free content from that 
>>>>>>>> particular site, or switch to a compliant UA so their DNT 
>>>>>>>> signal is honored while interacting with that site.  With 
>>>>>>>> transparent and clear messaging to the user, this places the 
>>>>>>>> power within the user's hands to decide how best to move 
>>>>>>>> forward.  I believe this is much better than the user being 
>>>>>>>> left in the dark, or alternately no publishers supporting DNT 
>>>>>>>> since they are forced to honor non-compliant signals.
>>>>>>>>
>>>>>>>> Predictability - The user is clearly messaged in all cases - so 
>>>>>>>> outcomes are completely "predictable".
>>>>>>> I'm not clear that there is any obligation for the user to be 
>>>>>>> clearly messaged here. In any case, how would that play out? 
>>>>>>> User: don't track me; UA: server does not acknowledge. What's 
>>>>>>> the next step here?
>>>>>>>
>>>>>>>> Only for "uncompliant" UAs?  - Yes, but this is subjective 
>>>>>>>> choice by the Server and they must defend their position.  
>>>>>>>> Since messaging is transparent, consumers can quickly raise 
>>>>>>>> concerns if they feel a UA is being ignored incorrectly.
>>>>>>>>
>>>>>>>> Who decides whether a UA is "uncompliant"?  - The Server does.
>>>>>>> You are correct that ultimately, this could be referred to a 
>>>>>>> regulator if the customer disagrees with the server's decision.
>>>>>>>
>>>>>>>> Liability issues - disagree on your assessment of liability in 
>>>>>>>> this case as the claim is directly tied to a voluntary code and 
>>>>>>>> therefore the only legal enforcement is that the Server must 
>>>>>>>> follow through on what it says it will (contract).
>>>>>>>>
>>>>>>>> Hindering privacy-by-default - It is FAR too early in the 
>>>>>>>> process to attempt to quote draft regulations that will go 
>>>>>>>> through tremendous change over the next two years prior to 
>>>>>>>> becoming a regulation in force.
>>>>>>>>
>>>>>>>> - Shane
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Jeffrey Chester [mailto:jeff@democraticmedia.org]
>>>>>>>> Sent: Friday, June 08, 2012 3:52 AM
>>>>>>>> To: Ninja Marnau
>>>>>>>> Cc: Rigo Wenning; ifette@google.com; 
>>>>>>>> Bjoern Hoehrmann; David Singer; 
>>>>>>>> public-tracking@w3.org (public-tracking@w3.org)
>>>>>>>> Subject: Re: Today's call: summary on user agent compliance
>>>>>>>>
>>>>>>>> I support what Ninja says below, and the concerns Jonathan 
>>>>>>>> raises.  There shouldn't be "cherry-picking" allowed in the 
>>>>>>>> spec.  When sites receive DNT, they should honor it.  The W3C 
>>>>>>>> should not develop a policy that permits the over-riding of 
>>>>>>>> requests/intent of global Internet users.
>>>>>>>>
>>>>>>>> The key issue for us to address is the need to limit collection 
>>>>>>>> and retention.  I hope we can discuss and build support for a 
>>>>>>>> consensus on the proposal sent the other day by EFF/Mozilla and 
>>>>>>>> Jonathan.  Without meaningful collection and retention policy, 
>>>>>>>> we risk not having a spec that can receive the support from 
>>>>>>>> many stakeholders (esp civil society).  That is critical to the 
>>>>>>>> fate of the privacy and digital consumer protection debates, 
>>>>>>>> esp. both sides of the Atlantic.
>>>>>>>>
>>>>>>>> Finally, I want to add that in my view and fairly quickly a 
>>>>>>>> site that doesn't honor DNT will not be considered "brand 
>>>>>>>> safe."  Responsible advertisers and brands concerned about 
>>>>>>>> their reputation will need to respect a robust DNT.  They will 
>>>>>>>> have to add DNT to the blacklist/whitelist systems in place.  
>>>>>>>> It behooves us to continue to advance the process of ensuring 
>>>>>>>> monetization and privacy can thrive together in the digital 
>>>>>>>> economy.
>>>>>>>>
>>>>>>>> Jeff
>>>>>>>>
>>>>>>>> On Jun 8, 2012, at 5:26 AM, Ninja Marnau wrote:
>>>>>>>>
>>>>>>>>> We are discussing two different issues here.
>>>>>>>>>
>>>>>>>>> First is, I support that servers should give the users a clear 
>>>>>>>>> answer whether their DNT request is honored. There should be an 
>>>>>>>>> option to answer NACK.
>>>>>>>>>
>>>>>>>>> Second is, a company claiming "We will honor DNT when it's 
>>>>>>>>> coming from the following user agents" or "We will honor DNT 
>>>>>>>>> from all user agents except for the following" (I am quoting 
>>>>>>>>> Ian's example here) is honest - and I appreciate that. But 
>>>>>>>>> whether it is "compliant" to the DNT recommendation or not, is 
>>>>>>>>> up to us as a working group. It is our task to discuss whether 
>>>>>>>>> we want the spec to allow this cherry-picking. (Don't get me 
>>>>>>>>> wrong, companies can still do so. But will they be able to 
>>>>>>>>> claim DNT compliance?).
>>>>>>>>> I oppose this. I think the spec should state that when you 
>>>>>>>>> receive a valid signal, no matter from what UA, you have to 
>>>>>>>>> honor it in order to claim DNT compliance.
>>>>>>>>>
>>>>>>>>> There are several reasons for this:
>>>>>>>>> 1) predictability
>>>>>>>>> David raised this point and I agree: "Defining that "I'll stop 
>>>>>>>>> tracking unless I don't feel like it" as *compliant* makes it 
>>>>>>>>> basically unpredictable what will happen."
>>>>>>>>>
>>>>>>>>> 2) only for "uncompliant" UAs?
>>>>>>>>> If we open the spec to cherry-picking. Will it stop at 
>>>>>>>>> "uncompliant"? Or will the spec just stay silent or explicitly 
>>>>>>>>> allow for other motivations? Patent lawsuits, harming 
>>>>>>>>> competitors, just feeling like it - for painting a very black 
>>>>>>>>> picture.
>>>>>>>>> I don't support this as being considered DNT compliant.
>>>>>>>>>
>>>>>>>>> 3) Who decides whether a UA is "uncompliant"?
>>>>>>>>> As long as there is no judgement by a competent authority, 
>>>>>>>>> this is a very critical statement.
>>>>>>>>>
>>>>>>>>> 4) liability issues
>>>>>>>>> If the spec allows to NACK the DNT requests of "uncompliant" 
>>>>>>>>> UAs, and a site claims to "honor DNT from all user agents 
>>>>>>>>> except for the following ..." it makes a legally relevant 
>>>>>>>>> statement about these UAs. Which may lead to liability and 
>>>>>>>>> claims for damages by these UAs if the judgement is wrong.
>>>>>>>>> If the spec is more open ->   issue 2.
>>>>>>>>>
>>>>>>>>> 5) hindering privacy-by-default
>>>>>>>>> The proposed Data Protection Regulation of the EC explicitly 
>>>>>>>>> asks for privacy by default. (Art. 23)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Ninja
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 08.06.2012 10:25, Rigo Wenning wrote:
>>>>>>>>>> On Thursday 07 June 2012 18:25:27 Ian Fette wrote:
>>>>>>>>>>> A site is already under no obligation to conform to DNT. 
>>>>>>>>>>> Would you
>>>>>>>>>>> rather have the user be clear that their request is being
>>>>>>>>>>> ignored, or left to wonder?
>>>>>>>>>> Precisely my point! Thanks Ian
>>>>>>>>>>
>>>>>>>>>> Rigo
>>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>>
>>>>>>>>> Ninja Marnau
>>>>>>>>> mail: NMarnau@datenschutzzentrum.de - 
>>>>>>>>> http://www.datenschutzzentrum.de
>>>>>>>>> Telefon: +49 431/988-1285, Fax 
>>>>>>>>> +49 431/988-1223
>>>>>>>>> Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein
>>>>>>>>> Independent Centre for Privacy Protection Schleswig-Holstein
Received on Sunday, 10 June 2012 19:53:38 UTC
