
Re: explicit-explicit exception pairs

From: Roy T. Fielding <fielding@gbiv.com>
Date: Tue, 8 May 2012 15:16:56 -0700
Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-Id: <DCCDDDEF-D2AA-498E-935E-DDBD1CCB9EF4@gbiv.com>
To: rob@blaeu.com

On May 8, 2012, at 11:34 AM, Rob van Eijk wrote:

> Well,
> 
> At least one thing is for sure: tracking cookies need prior consent of the user. There is no uncertainty about that. There is some debate on a possibly very limited list of functional cookies.
> 
> One of the latest public documents on the status of the implementation is here (disclaimer: I haven't checked it in detail):
> http://www.twobirds.com/English/News/Articles/Documents/Implementation_ePrivacy_Directive-Apr2012.pdf
> 
> There is a catch-22 here, because lawmakers are looking closely at the outcome of the W3C DNT process. Some find it very hopeful, some think it will not lead to compliance.
> 
> So I encourage the group to try to get the TPE out of the impasse. Please tell me, if DNT is not going to have any additional value in comparison to the current opt-out systems. Because if DNT will not be able to offer a rich granular dialog 'under the hood' of the browser, DNT is not going to have the outcome many of us have been hoping for.

As far as I can tell, DNT won't have that outcome.  There are
at least three reasons so far:

 1) DNT only addresses consent for third-party tracking, whereas
    the ePrivacy Directive includes first-party cookie setting.

 2) Sites cannot obtain specific and informed consent with a
    browser-driven dialog system that has no conception of the
    purpose for which the data is being collected. Tracking,
    even if we agree how to define it, is not a purpose.
    "DNT: 0" does not describe a purpose. Therefore, each site
    must construct its own consent dialog, with its own unique
    opt-in for EU participants, to ensure that the permission
    it has requested is reasonably understood by its audience
    and sufficiently descriptive of the data collection purpose.

 3) If consent for a specific purpose must be obtained from each
    data controller, individually, as opposed to once by the
    first party that caused a chain of requests to occur, then
    the first party cannot rely on third-party subrequests to
    perform its functionality in a way that can be adequately
    controlled (for UX) and monetized (for copyright).

    Even if we manage to design the perfect exception mechanism,
    user agents can't be trusted to process client-side conditionals,
    servers can't be trusted to query a user's list of exceptions,
    and neither one can be trusted to use "DNT: 0" consistently.
    Hence, the reaction to "DNT: 1" (or an EU default) will be
    to deny full services until full consent is obtained, most
    likely through a subscription service wherein the consent
    for third parties can be checked by the first party and
    managed as part of the first party settings for that user.


As I see it, the only way to address the ePrivacy Directive with
DNT would be to expand the scope to include first-party tracking,
process exceptions only for the first party (wherein the first party
supplies the text necessary to inform the user of what is being
consented and the purpose for which the data is collected), and
then allow first parties to transitively pass that consent to their
third parties (via the third-party references) if and only if the
data is used only for the consented purpose and not retained in
a form that is linkable to the same user, user agent, or device
across multiple parties.

This would allow a first party to obtain consent for its own needs,
including ads based on information learned within the context of
that first party, without imposing the UX hell of multiple dialogs
or the anti-competitive hell wherein only the huge conglomerates
that control their own analytics, advertising, and fraud control
services can have nice EU websites.

In such a universe, third-party data collection that remains
linkable across parties, such as profiles gathered from behavior
across multiple first parties or correlation of interactions
recorded via multiple first parties, would still require a separate
consent be obtained directly by the third party, via some other
means, in order to comply with the directive.

(And, by data collection, I mean retention or sharing of data,
beyond the scope of processing the immediate request, in a form
that can be correlated; I do not mean mere receipt of data.)

I could write such a standard, but I have no reason to believe
that the WG would accept it, nor do I think that it would satisfy
the fundamental problem of EU citizens not wanting to pass through
a consent dialog for every new site that they visit.  There is
no evidence to suggest that even a web-wide "DNT: 0" setting,
deliberately chosen by the user, would be sufficient to satisfy
all of the requirements that the working party has associated
with consent, and hence I don't see how DNT could provide any
significant usefulness within the EU, beyond the current morass
of site-specific dialogs, without some corresponding changes to
the ePrivacy Directive itself to remove the focus on cookies
and replace that with constraints on collection of profiles.

....Roy
Received on Tuesday, 8 May 2012 22:17:15 UTC
