
RE: Third-Party Web Tracking: Policy and Technology Paper outlining harms of tracking

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Thu, 11 Oct 2012 13:36:09 -0700
To: Alan Chapell <achapell@chapellassociates.com>, Jeffrey Chester <jeff@democraticmedia.org>
CC: "public-tracking@w3.org" <public-tracking@w3.org>, Jonathan Mayer <jmayer@stanford.edu>
Message-ID: <63294A1959410048A33AEE161379C802747DFD8DAC@SP2-EX07VS02.ds.corp.yahoo.com>
To further support Alan's fair desire to understand real-world, tangible harms to consumers, I believe understanding harms will help us in several aspects of defining the standard:


1. Problem Solving - In developing any solution, you should first understand the problem you're attempting to solve.  In this case, we have two differing views of the problem and rather than resolve that divide, the working group has decided to instead develop a solution and then decide what problem we solved once the solution is in hand.  Creating a shared view of the problem would allow us to short-cut this odd approach and fast track to a solution.

2. Proportionality - In developing a DNT solution, it's helpful to understand the forms and degrees of harm being addressed to ensure the solution is proportional to the problem.  For example, a pencil can be used to stab another individual - a real and tangible harm.  In reality this doesn't occur often and the resulting injury is rarely life-threatening.  Hence, we still sell pencils in an unregulated way and don't go out of our way to ensure documentation devices are devoid of their ability to harm others.  If the incidence or degree of harm was different (commonplace and result was severe/permanent injury) we'd of course see a very different approach to solving for the problem.

So I don't see the request to understand real-world, tangible harms as somehow questioning the fundamental role of this working group; rather it's an important tool that we can all use to quickly come to consensus on a solution to address those harms.

Again - please help us understand real-world, tangible harms to consumers from the existence of data attached to pseudo/anonymous identifiers that is not used to directly alter a user's experience (no profiling/targeting).  We've discussed breach concerns and government intrusion but have no documented cases - are there others?

Thank you,
Shane

From: Alan Chapell [mailto:achapell@chapellassociates.com]
Sent: Thursday, October 11, 2012 1:18 PM
To: Jeffrey Chester
Cc: public-tracking@w3.org; Jonathan Mayer
Subject: Re: Third-Party Web Tracking: Policy and Technology Paper outlining harms of tracking

Actually, Jeff, my statement says a great deal about my view of the clarity of scope and overall progress of this particular working group. But that isn't exactly anything new.

I suppose I can't stop you from attempting to misrepresent my views and reading much more into my statements - you've already demonstrated that you're a rather creative guy.  (:

Since we're putting things on the record - is it fair to say that you are unable to come up with a set of tangible, real world examples of harms that this group is tailored to address? I've asked a number of times.

Please answer that question on the record - with real examples.




From: Jeffrey Chester <jeff@democraticmedia.org>
Date: Thursday, October 11, 2012 4:08 PM
To: Alan Chapell <achapell@chapellassociates.com>
Cc: <public-tracking@w3.org>, Jonathan Mayer <jmayer@stanford.edu>
Subject: Re: Third-Party Web Tracking: Policy and Technology Paper outlining harms of tracking

Thanks Alan for putting this on the record. You "struggle to find the harm that this group is attempting to address." This clearly says a great deal about your view of privacy and contemporary online marketing data collection practices. Such a perspective, which appears to be shared by the DAA/US, raises questions about how the group can accomplish its critical task in a meaningful manner. But I still have hopes that we can develop a consensus that moves us ahead.

Jeff




Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009
www.democraticmedia.org
www.digitalads.org
202-986-2220

On Oct 11, 2012, at 3:33 PM, Alan Chapell wrote:


Hi Jeff -

It is significantly more productive to tie it back to what harms are purportedly going to be addressed by the DNT standard.

As I'm providing input into Permitted Uses, I've argued for some flexibility so as to avoid putting third parties in a position where they are conflicting either with DNT or another competing standard. This argument has received some pushback. Some in the group believe that DNT should just trump all competing or conflicting standards - which I believe is impractical.

As a result, I've asked you, Jonathan and others for some real-life examples on the harms they are trying to minimize so that I can help tailor Permitted Uses to address those harms. Thus far, I've received information on a) harms that are out of the scope of DNT, b) high level examples that are incredibly vague so as to make it almost impossible to find practical approaches to address the purported harms in our work here. If this is all they can offer, well then it might be time to remove those objections to flexibility in Permitted Uses so the group can move forward productively.

So I'm not sure why you're asking me this question. I struggle to find the harm that this group is attempting to address. You and your colleagues are the ones telling the world the proverbial sky is falling. And if the professionals who have made these issues their life's work are unable to provide specific, real world examples, please point me to those who are...



From: Jeffrey Chester <jeff@democraticmedia.org>
Date: Thursday, October 11, 2012 1:19 PM
To: Alan Chapell <achapell@chapellassociates.com>
Cc: <public-tracking@w3.org>, Jonathan Mayer <jmayer@stanford.edu>
Subject: Re: Third-Party Web Tracking: Policy and Technology Paper outlining harms of tracking

Alan.  Could you please clarify.  Are you saying that you and/or your clients believe that the loss of privacy from contemporary digital marketing practices is not a "harm."  This will help in the discussion.

Regards,

Jeff




Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009
www.democraticmedia.org
www.digitalads.org
202-986-2220

On Oct 10, 2012, at 4:55 PM, Alan Chapell wrote:


Hi Jonathan -

In addition to my questions below, I'm curious whether your research has documented specific examples of these harms occurring in the real world?

Thanks again,

Alan

From: Alan Chapell <achapell@chapellassociates.com>
Date: Saturday, October 6, 2012 5:14 AM
To: <public-tracking@w3.org>, Jonathan Mayer <jmayer@stanford.edu>
Subject: Third-Party Web Tracking: Policy and Technology Paper outlining harms of tracking

Hi Jonathan -

A few days ago, you invited me (via IRC) to review your recent paper which - among other items - outlines some of the potential harms of tracking. (See https://www.stanford.edu/~jmayer/papers/trackingsurvey12.pdf)

Thanks - As you may have noticed, I've been asking a number of folks in the WG for examples of harms and haven't received very much information in response. So I want to applaud your effort to help provide additional information and to facilitate a dialog. That said, I want to make sure I understand your thinking here - or at least help clarify some of the distinctions you may be drawing.

I'm curious whether your position is that those harms are equally apparent in a first party setting - where a first party utilizes their own data for ad targeting across the internet? For example, in your scenario where "an actor that causes harm to a consumer." Is that not also possible in a first party context? Does the first party not have both "the means", "the access" and at least potentially, the ability to take the  "action" that causes the harms you lay out? (e.g., "Publication, a less favorable offer, denial of a benefit, or termination of employment. Last, a particular harm that is inflicted. The harm might be physical, psychological, or economic.")
Do you believe that a direct relationship between consumers and first party websites completely mitigates that risk of harm - even where the first parties have significant stores of personally identifiable data?

Has your position evolved over the past few months? Correct me if I'm mistaken, but I believe that one of the proposals offered by Mozilla / Stanford and EFF sought to address forms of first party tracking. Do I have that correct?

Thanks - I look forward to hearing your thoughts.





Excerpt from your paper for the convenience of others.


"When considering harmful web tracking scenarios, we find it helpful to focus on four variables. First, an actor that causes harm to a consumer. The actor might, for example, be an authorized employee, malicious employee, competitor, acquirer, hacker, or government agency. Second, a means of access that enables the actor to use tracking data. The data might be voluntarily transferred, sold, stolen, misplaced, or accidentally distributed. Third, an action that harms the consumer. The action could be, for example, publication, a less favorable offer, denial of a benefit, or termination of employment. Last, a particular harm that is inflicted. The harm might be physical, psychological, or economic.
The countless combinations of these variables result in countless possible bad outcomes for consumers. To exemplify our thinking, here is one commonly considered scenario: A hacker (actor) breaks into a tracking company (means of access) and publishes its tracking information (action), causing some embarrassing fact about the consumer to become known and inflicting emotional distress (harm).
Risks associated with third-party tracking are heightened by the lack of market pressure to exercise good security and privacy practices. If a first-party website is untrustworthy, users may decline to visit it. But, since users are unaware of the very existence of many third-party websites, they cannot reward responsible sites and penalize irresponsible sites."
Received on Thursday, 11 October 2012 20:36:52 UTC
