W3C home > Mailing lists > Public > public-tracking@w3.org > March 2012

RE: ACTION-152 - Write up logged-in-means-out-of-band-consent

From: SULLIVAN, BRYAN L <bs3131@att.com>
Date: Thu, 29 Mar 2012 04:56:53 +0000
To: Jonathan Mayer <jmayer@stanford.edu>, JC Cannon <jccannon@microsoft.com>
CC: Shane Wiley <wileys@yahoo-inc.com>, David Singer <singer@apple.com>, John Simpson <john@consumerwatchdog.org>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <59A39E87EA9F964A836299497B686C350F488A15@WABOTH9MSGUSR8A.ITServices.sbc.com>
We should be careful to not over-reach on the goals of the group relative to solving the central issues well, the first time. I believe that user consent mechanisms and content, analogous to the way that a browser UI will enable the user to make exceptions or set preferences, should be out of scope for this release. If in the end a reasonably enabling effort is not made to ensure user informed consent (or worse, a misleading effort is made), then I believe those that are monitoring compliance will fulfill their role and step in.

Thanks,
Bryan Sullivan

From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Wednesday, March 28, 2012 9:34 PM
To: JC Cannon
Cc: Shane Wiley; David Singer; John Simpson; public-tracking@w3.org (public-tracking@w3.org)
Subject: Re: ACTION-152 - Write up logged-in-means-out-of-band-consent

Do you think it should be permissible for a website to circumvent Do Not Track with a mere blurb in its privacy policy?  If the answer's no - and I think it has to be no - then we need to specify a consent standard.

As for the notion that setting a consent standard would take inordinate time, I don't follow.  We've made progress, we have good models to build from, and as David showed much of a consent standard could be expressed with bright-line rules (e.g. no default, separate choice).

Jonathan

On Mar 28, 2012, at 9:20 PM, JC Cannon wrote:


We should be able to say that websites can provide a consent mechanism and move on. There is no reason to belabor the point.

JC

From: Shane Wiley [mailto:wileys@yahoo-inc.com]
Sent: Wednesday, March 28, 2012 9:12 PM
To: Jonathan Mayer
Cc: David Singer; John Simpson; public-tracking@w3.org<mailto:public-tracking@w3.org> (public-tracking@w3.org<mailto:public-tracking@w3.org>)
Subject: RE: ACTION-152 - Write up logged-in-means-out-of-band-consent

Jonathan,

We can agree to disagree on the details.  I believe for us to meaningfully take a deep dive into "consent standards" would be another working group effort that would deservedly take several months if not more to tease through all the details this significant of a topic would require.  I would recommend academics and advocates perhaps come together to publish a paper of what you believe "appropriate consent" models should be.  I continue to believe this is not within the scope of the working group (out of band is out of scope for this group to address).  If you're comfortable having a one-sided conversation on the topic (without much industry involvement), then please continue.

Co-Chairs,

I'd like to understand the appropriate process where a large number of the working group feels a topic is out of scope (and a small group feels it is in scope).  Is there a way to take a straw poll to close on this topic so we can get back to core issues at hand?

Thank you,
Shane

From: Jonathan Mayer [mailto:jmayer@stanford.edu]<mailto:[mailto:jmayer@stanford.edu]>
Sent: Thursday, March 29, 2012 12:03 AM
To: Shane Wiley
Cc: David Singer; John Simpson; public-tracking@w3.org<mailto:public-tracking@w3.org> (public-tracking@w3.org<mailto:public-tracking@w3.org>)
Subject: Re: ACTION-152 - Write up logged-in-means-out-of-band-consent

Consent standards are plainly within the group's charter.  Shane is wrong on this point.

As for whether we should specify consent standards: yes, we should.  Some of the issues that could arise if we don't:

-A U.S. website may circumvent U.S. user preferences wholesale by stuffing an exception clause in its privacy policy.
-A U.S. website may circumvent U.S. user preferences near-wholesale by stuffing a default exception in signup or login flow.
-Regional DNT implementations could fragment.  U.S. websites and users might live in a world of privacy policy gotchas; EU/Canada websites and users would have to use browser APIs and other more explicit choice mechanisms.

I don't follow how conversations on consent standards are "wasteful."  There's been good discussion on the list and even better discussion off-list.

In sum, specifying consent standards is in scope, essential, and proceeding apace.

Jonathan

On Mar 28, 2012, at 8:12 PM, Shane Wiley wrote:

I respectfully but strongly disagree with you both.  It is FAR outside the scope of this working group to attempt to define what is and is not permissible in a registration process or an out-of-band consent event.  In my opinion, this is wasteful for the working group to continue to explore.  Please leave these details to regional laws and let's get back to the core business of DNT.

Thank you,
- Shane

From: David Singer [mailto:singer@apple.com]<mailto:[mailto:singer@apple.com]>
Sent: Wednesday, March 28, 2012 7:54 PM
To: John Simpson
Cc: public-tracking@w3.org<mailto:public-tracking@w3.org> (public-tracking@w3.org<mailto:public-tracking@w3.org>)
Subject: Re: ACTION-152 - Write up logged-in-means-out-of-band-consent


On Mar 28, 2012, at 16:43 , John Simpson wrote:



I would think that the default would be that if I have enabled DNT:1, I could not be tracked by a widget even if logged into the site, unless I interacted with the widget when it was a third party, right?

Yes, I think the default would be to respect the sent DNT signal - don't track me unless I interact.  Being logged in PLUS expressing a permission would be needed to do more than that.





On Mar 28, 2012, at 4:35 PM, David Singer wrote:




On Mar 28, 2012, at 16:22 , John Simpson wrote:



David,

I'm trying to understand what your suggesting.  Is this essentially  the scenario you have in mind:  When I register for a service and login I would be presented with a series of choices of how the site's widgets would interact with me when I'm off the site.  If one explicit preference was track me, then that would be OK if I had checked it.  Another option might be JC's goal of show me my friends' likes, but don't show them mine.  I suppose another could be Do Not Track me unless I explicitly interact with the widget...  Is the sort of scenario you have in mind?

Yes, that's it. I think we need to consider whether this choice needs to be separately offered to the user, not set for everyone by the service and bundled into the overall policy.




Thanks,
John


On Mar 28, 2012, at 3:51 PM, David Singer wrote:



There are several levels to disconnecting yourself from a service:

1 logout;
2 uncheck the 'remember me' so that your identity is no longer remembered;
3 delete cookies etc. just in case there is a lingering cookie that still remembers you;
[4 start using TOR :-(]
[5 go off-the-net :-(]

I actually have experimented with myself, trying to do up to (1), (2) or (3), and I found it a pain in the neck. So, as Shane says, let's focus on 'consent'.

The model I am exploring is saying that the consent to being tracked when logged-in or remembered needs to be a distinct, separate, choice for the user - which, as you say, gives the user more flexibility.  In this model, that consent cannot be simply "well, you agreed to our policy and here it is on page 8", because that's (a) hard to find for most users and (b) IMHO, insufficiently granular; it basically says you have to stop using the service if you don't want 'social buttons' to track you, which is harsh (and for many users, not a meaningful choice).

As I say, I am not terribly keen on the rather subtle option "yes, you can know who I am and tell me about my friends, but no, you cannot track what I am doing (and hence, not tell my friends about it)" -- I fear it's rather subtle, but it seems to be what JC prefers. I don't see a problem with offering it as an option such as "Identify me and tell me relevant info, but don't record anything about me".

so, here is a strawman:

"User registration and login often are bundled with a set of preferences for the user.  If a preference directly address interactions with users off of the 1st parties direct web site, such as through Widgets or other interactions with a user in a logged-in or 'remembered' state, in an open and transparent manner, then this is considered an out-of-band user consent and DNT requests may be met with a response that consent has been given, and tracking to the extent expressed by the preference performed."

On Mar 28, 2012, at 8:30 , JC Cannon wrote:



I'm more inclined to agree with Shane here. I always want to vote on the side of greater flexibility for the consumer.

David, by following your model I would have to click on the Like button to determine if my friends Liked an article, at the same time permitting FB to track me, which is what I don't want. Show me how in your model I can have the level of flexibility and privacy I describe.

JC

From: Shane Wiley [mailto:wileys@yahoo-inc.com]<mailto:[mailto:wileys@yahoo-inc.com]>
Sent: Tuesday, March 27, 2012 7:52 PM
To: David Singer; public-tracking@w3.org<mailto:public-tracking@w3.org> (public-tracking@w3.org<mailto:public-tracking@w3.org>)
Subject: RE: ACTION-152 - Write up logged-in-means-out-of-band-consent

David,

I disagree that asking users to manage their logged-in state is a non-starter.  What leads you to that conclusion?  Facebook charges $700K/day to post an ad on their logout page.  J  (I hope I've quoted that from recent press articles correctly.)

But I believe that's a red herring for this discussion and would instead focus on the "consent" element.

First, I didn't intend to state that UAs won't continue to send DNT:1 for a logged-in user, I'm stating that if its sent and the party has out-of-band consent from the user for tracking in that circumstance that the DNT signal will be ignored.  Also, why are we discussing cookies here?

Second, on the concepts of bundling and product features, while I agree that "open and transparent" notices are best practice, I don't believe it's appropriate for this group to attempt to set standards of acceptable consent paradigms that will vary significantly based on situation.  As we've discussed on similar topics, it's more appropriate to allow local legal structures to continue to manage the required level of disclosure.  For example, in the US we have the Sears Consent Order to draw upon.

I'd ask that we focus on the core issues with DNT and resist the temptation to solve the broader set of online privacy debates in one pass.

Thank you,
- Shane

From: David Singer [mailto:singer@apple.com]<mailto:[mailto:singer@apple.com]>
Sent: Tuesday, March 27, 2012 7:50 PM
To: public-tracking@w3.org<mailto:public-tracking@w3.org> (public-tracking@w3.org<mailto:public-tracking@w3.org>)
Subject: Re: ACTION-152 - Write up logged-in-means-out-of-band-consent


On Mar 27, 2012, at 5:54 , Shane Wiley wrote:


Per my action item from last week, here is a position statement with respect to setting new business rules for "logged-in users" with respect to personalization off of the 1st party site and DNT.

"User registration and login often are bundled with a set of sign-up flow notices, Terms of Service, and Privacy Policy by which a 1st party will operate.  If these notices directly address interactions with users off of the 1st parties direct web site, such as through Widgets or other interactions with a user in a logged-in state, in an open and transparent manner, then this is considered an out-of-band user consent and DNT signals will be ignored."

Shane

I don't think we can tell users "if you want privacy, remember to log out all the time".  That's a non-starter. So I agree, a general "logged-in exception" doesn't fly, for me.

Nor do I think we can tell UAs "don't send cookies with DNT:1" because then trivial things will stop working (e.g. a cookie that selected the language or size of the 'like' button itself).  Sites will have to expect to get DNT and cookies, and we need to say what that means if the cookies are actually identifying the user.


I think the text needs to be more explicit, and say that permitting the site to track the user has to be a distinct choice, not 'bundled' with any other (e.g. a check-box in the preferences).  Otherwise I fear that sites will say that merely by signing up you made that choice.  I would prefer it not even be a choice, I think, but I am open to debate.

Otherwise, what Jonathan has said holds - that if you set DNT, and not the preference (if any), then you'll need to interact directly with the third party before they will recognize you and track you. I don't think it's too bad; click on the button, and now it can track you, for example.

Treating me as someone you know, but about whom you *remember* nothing, is intriguing but (IMHO) excessively subtle.


David Singer
Multimedia and Software Standards, Apple Inc.

David Singer
Multimedia and Software Standards, Apple Inc.



----------
John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd. ,Suite 200
Santa Monica, CA,90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org<http://www.ConsumerWatchdog.org/>
john@consumerwatchdog.org<mailto:john@consumerwatchdog.org>


David Singer
Multimedia and Software Standards, Apple Inc.


----------
John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd. ,Suite 200
Santa Monica, CA,90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org<http://www.ConsumerWatchdog.org/>
john@consumerwatchdog.org<mailto:john@consumerwatchdog.org>


David Singer
Multimedia and Software Standards, Apple Inc.
Received on Thursday, 29 March 2012 04:58:17 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:26 UTC