W3C home > Mailing lists > Public > public-tracking@w3.org > March 2012

Re: Proportionate Response for Fraud Prevention and Security (ISSUE-24)

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 14 Mar 2012 03:22:13 -0700
Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-Id: <32C08E35-135E-48EC-B6AB-57DE79A4137C@gbiv.com>
To: Jonathan Mayer <jmayer@stanford.edu>
On Mar 14, 2012, at 1:09 AM, Jonathan Mayer wrote:

> I think there are two lines of thinking to unpack here.
> 
> 1) What does Do Not Track do to third-party services that provide fraud prevention and security functionality for first-party websites (e.g. 41st Parameter, BlueCava)?
> 
> My proposal isn't about those services.  At present they get the same treatment as any other third party; in many cases they'll qualify for the outsourcing exception.  If a stakeholder wants to propose a special exception for those services, we could discuss it.

They would qualify for the exemption for fraud prevention, assuming
the data use and retention is so limited.  I did not consider them
under the outsourcing exemption because siloing their data per
first-party would be unusual.

> 2) How can Do Not Track accommodate fraud prevention and security for pure third-party services without being overly prescriptive?
> 
> My proposed text gives quite broad latitude to third party websites.  What is "reasonable" will vary by industry and company.  I agree that guiding examples would be valuable.

No, my point was that DNT cannot have an impact on fraud control, period.
If it did, then the presence of DNT:1 would be indicative of
"reasonable grounds to believe the user or user agent is presently
attempting to commit fraud".

In any case, the nature of data collection for fraud prevention is
to collect a lot of data on non-fraudulent behavior, so that when
an anomalous set of behavior is encountered the "alarm" is triggered.
The premise on which your two operative texts are based is that the
fraud control engine can determine "reasonable grounds" without
first collecting or using data about the user agent.  It does not
work that way (and I am not just talking about advertising fraud).

I am not saying this isn't a privacy concern.  I am saying it won't
be addressed by DNT because lessening fraud control on the basis of
a signal received from the client is simply not a viable option.
I would encourage the regulators to find a solution to this concern
outside of DNT, since it has nothing to do with preferences/consent.

....Roy
Received on Wednesday, 14 March 2012 10:22:45 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:26 UTC