FW: Third-Party Web Tracking: Policy and Technology Paper outlining harms of tracking

Hi Kimon,

 

If tracking data is gathered without our knowledge or consent then there is
danger that criminals or the legal processes of oppressive governments will
attempt to access it. If we have a choice then who we allow to retain it
will be determined by how far we trust them and their declared access and
security policies. This is how a free market works, and why the human right
to privacy was built into EU treaties.

 

Mike

 

From: Kimon Zorbas [mailto:vp@iabeurope.eu] 
Sent: 14 October 2012 09:54
To: Rigo Wenning; public-tracking@w3.org; Alan Chapell
Cc: Shane Wiley (yahoo); Vincent Toubiana; Jeffrey Chester; Jonathan Mayer
Subject: Re: Third-Party Web Tracking: Policy and Technology Paper outlining
harms of tracking

 

Dear all,

I think we should look a bit less emotional on all issues and more with
common sense (including business sense):

- Harm is difficult to prove and the fact we all sit around the table
demonstrates the willingness to address some of this difficult to quantify /
assess harm (if any). Harm in sense of reducing the window to the world
disregards the independence of the human spirit and over-exaggerates the
importance of online ads. It's still content people look for in the internet
and we still move outside our home, workplace, etc., speak to real people
off screen etc. to form and shape our views and decisions. Our horizon is
larger than the internet. Let's be as concrete as possible on harm - which
brings me to the next point. 

- Law enforcement is neither a real issue to date nor a fair point: we all
have to abide by law. Trying to fix that problem by deleting all data of the
world would be effective to that end (and welcomed by bad guys) but not
realistic. I also seriously question whether OBA profiles are ever good
enough data. As long as I don't see many law enforcement requests for such
data I think it less of an issue for the DNT discussions. We have to comply
with the law - we don't like that, we vote accordingly at the next
elections, not in W3C.

-Rigo, I would LOVE my members to charge 10 times more for OBA ads. But that
number is totally unrealistic. Twice as much would be still good enough and
only top performers can achieve this. Again, we have hardly large data on
this, mostly confidential disclosure from business people, as it's a highly
competitive market and players not keen disclosing figures.


Have a good weekend,
Kimon

----- Reply message -----
From: "Rigo Wenning" <rigo@w3.org>
To: "public-tracking@w3.org" <public-tracking@w3.org>, "Alan Chapell"
<achapell@chapellassociates.com>
Cc: "Shane Wiley (yahoo)" <wileys@yahoo-inc.com>, "Vincent Toubiana"
<v.toubiana@free.fr>, "Jeffrey Chester" <jeff@democraticmedia.org>,
"Jonathan Mayer" <jmayer@stanford.edu>
Subject: Third-Party Web Tracking: Policy and Technology Paper outlining
harms of tracking
Date: Fri, Oct 12, 2012 11:13 pm

 

On Thursday 11 October 2012 16:27:06 Shane Wiley wrote:
> *         No harm ever came to users

Can we please stop that silly discussion and go back to real? 

Alan, it is clear that the concrete harm of profiles done by ad 
networks is very hard to determine in a world that is full of NDAs 
and settlements. And I agree that you need to know about the harms 
in order to determine the protective measures. So you have a point. 
But it is like looking for security breaches. I will still try (and 
this list is not exhaustive or in any way scientific or correct)

The fact that the industry pays over 10 times more for targeted 
advertisement and profiles should be enough evidence that there is 
value. Money is an information system after all. But this value is 
not neutral. The value is the ability of the industry to reduce the 
autonomy of consumers. Apart from annoying pop-ups and targeted 
spams that factor in to the psychology in the market place, people 
find it really creepy that the "unknown" knows so much about them. 
Go read Foucault to assess the chilling effects of that process. 
Reducing autonomy in concrete means manipulation to sell goods at 
higher prices than otherwise possible. 

You look for a smoking gun? I have been long time hesitant to 
provide it. And I still don't. But I can report from the hearing in 
the EU Parliament on the new data protection regulation where two of 
the most respected advocates were reporting people's concerns that 
governments siphon all data and profiles that have been created. It 
is not advertisement as such, it is the profiles created and the 
targets identified. People are not as naive as some other people may 
want to believe. DNT is a way to say: Look the other way and don't 
record for the spooks. They may still find something in your 
accounting data, but less then the full profile and not forever. 

A further psychological component adds to this. We say "do not 
track" and probably, for marketing reasons, can not pedal back 
behind this term. If someone selects "do not track" while there is 
still tracking going on and just the creepy symptoms are suppressed, 
that's even worse and more unpredictable than doing nothing. A 
system has to be predictable and reliable. And if I say to the 
service "please look the other way" and they still look with one and 
a half eye, I'm not really getting what I want. Disappointed 
expectations will add to the hostile environment the ad industry is 
currently working in. This is not the achievement we are looking 
for. 

Last but not least, there is not only concrete abuse, but the 
abstract danger of large amounts of data. I have personal experience 
with this as Legal counsel. Until 2003 W3C kept all logfiles for 
historical reasons (thought was that we invented the Web and have to 
keep stuff for the historians). Then we were the target of a 
multitude of subpoenae that wanted to know who saw what when to 
determine who was willfully infringing what patent (or to create an 
allegation thereof). And I finally convinced the Sys-Team to 
anonymize logs after 6 weeks. This helped. (we have a known script 
and policy for that). Vincent tried to allude to this with the 
Youtube case. There can be many attempts to get your profile. 

Now Alan can ask me: But this is also true for first parties. And 
now I have to confess that I believe personally that the distinction 
between first and third parties doesn't make much sense. Neither in 
a dogmatic (legal) way nor in a risk based thinking. I think the FTC 
found some settlement that made perfect sense for the concrete case 
but created an unfortunate precedent for the US market. HTTP just 
makes requests for elements and can't distinguish between first and 
third parties (apart from same origin). So a harms based discussion 
will always hurt itself with this distinction. On the other hand, 
the TPWG has to accept some outside legal realities. First/Third was 
brought in to reduce the scope of all the effort. Fine. For the EU 
system, the distinction is irrelevant because of statutes, so 
everybody is treated equally there. 

To conclude: If there would be no harm and no social outcry, we 
wouldn't be sitting here and spending our time with this. Alan, I 
also find it somewhat audacious to question the reality of the 
entire data protection circus and the entire research done in this 
space in the past 50 years. All a joke? But maybe the earth is flat 
and we didn't realize. This said, a constructive questioning of the 
concrete harms will bring us forward. But this needs that we come 
out of the trenches and accept that "potential" abuse exists. The 
discussion on harms should really now concentrate on the concrete 
permitted uses. Trying to bomb "marketing" into "permitted uses" in 
the presence of DNT;1 with the "no harm argument" doesn't help at 
all.

So my question is: Alan, what data collection and use do you want 
that you can't do? This is precisely Walter's question (and I may 
have the same cultural bias as Walter has, but please be indulgent 
with us on this aspect) 

Rigo

Received on Sunday, 14 October 2012 10:25:29 UTC