Re: Towards a DNT Grand Bargain from Jonathan Mayer on 2012-06-10 (public-tracking@w3.org from June 2012)

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Sun, 10 Jun 2012 16:45:29 -0700
To: "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <D690356D8B364EB4BC31A5971A4515B2@gmail.com>

(swapping threads for organization)

Our proposal does not allow for ID cookies (or equivalents), unless a) the user consents, or b) there's some reason to believe the user is attempting fraud or security breach.  I'm uncertain how you came to be confused on this point.

Jonathan  


On Sunday, June 10, 2012 at 3:08 PM, Shane Wiley wrote:

>  
> Jonathan,
>  
>  
>  
> They collect the identifier only for delivery of the service and move to unlinkability within a short period of time – I thought that outcome was provided for in your proposal.  Are you saying no identifiers, of any type, may be used in your proposal?
>  
>  
>   
>  
>  
> - Shane
>  
>  
>   
>  
>  
> From: Jonathan Mayer [mailto:jmayer@stanford.edu]  
> Sent: Sunday, June 10, 2012 3:06 PM
> To: Shane Wiley
> Cc: Justin Brookman; public-tracking@w3.org (mailto:public-tracking@w3.org)
> Subject: Re: Considering browser vendor as a third party
>  
>  
>  
>   
>  
>  
>   
>  
>  
> On Sunday, June 10, 2012 at 2:37 PM, Shane Wiley wrote:
> >  
> > Jonathan,
> >  
> >  
> >   
> >  
> >  
> > For the examples I listed, I’ve seen a step in either install or first use of the browser where I’ve been asked to consider participation (research panel, phishing scanning) and/or how I would like a certain option configured (default search engine for example).  With respect to the “proxy traffic” example - I had a Kindle Fire for a brief time and they “collect” very little information, for a limited period of time, and only retain aggregate (unlinkable) data – but was NOT shown this information in a separate “pop-up” during first use (has that changed – no longer have the Kindle Fire so I can’t check).
> >  
> >  
> >  
> >  
>  
>  
> Ok, so we're on the same page—some products in this space get explicit consent ex ante, while many (most? almost all?) don't.
>  
>  
> >  
> > I would have thought based on your proposal they would be in the clear for not needing consent based on the limits they place on their business practices (and their PP is crystal clear on this feature for anyone with questions).  Based on your current proposal, if you were to treat as a 3rd party (non-service provider), would they require opt-in consent based on their limited use and retention of the data collected – or would their approach be covered under your grace period?
> >  
> >  
> >  
> >  
>  
>  
> These products collect a user's browsing history in connection with a unique identifier.  Moreover, the identifier is in some instances an unchangeable hardware value or deliberately linked to a user's identity.  The practices plainly exceed "protocol information" as defined in the compromise proposal.
>  
>  
> >  
> > - Shane
> >  
> >  
> >  
> >  
>  
>  
>  
>

Received on Sunday, 10 June 2012 23:45:59 UTC