- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Sun, 14 Oct 2012 11:24:58 +0100
- To: <public-tracking@w3.org>
- Message-ID: <04b001cda9f6$29cd6cf0$7d6846d0$@baycloud.com>
Hi Kimon, If tracking data is gathered without our knowledge or consent then there is danger that criminals or the legal processes of oppressive governments will attempt to access it. If we have a choice then who we allow to retain it will be determined by how far we trust them and their declared access and security policies. This is how a free market works, and why the human right to privacy was built into EU treaties. Mike From: Kimon Zorbas [mailto:vp@iabeurope.eu] Sent: 14 October 2012 09:54 To: Rigo Wenning; public-tracking@w3.org; Alan Chapell Cc: Shane Wiley (yahoo); Vincent Toubiana; Jeffrey Chester; Jonathan Mayer Subject: Re: Third-Party Web Tracking: Policy and Technology Paper outlining harms of tracking Dear all, I think we should look a bit less emotional on all issues and more with common sense (including business sense): - Harm is difficult to prove and the fact we all sit around the table demonstrates the willingness to address some of this difficult to quantify / assess harm (if any). Harm in sense of reducing the window to the world disregards the independence of the human spirit and over-exaggerates the importance of online ads. It's still content people look for in the internet and we still move outside our home, workplace, etc., speak to real people off screen etc. to form and shape our views and decisions. Our horizon is larger than the internet. Let's be as concrete as possible on harm - which brings me to the next point. - Law enforcement is neither a real issue to date nor a fair point: we all have to abide by law. Trying to fix that problem by deleting all data of the world would be effective to that end (and welcomed by bad guys) but not realistic. I also seriously question whether OBA profiles are ever good enough data. As long as I don't see many law enforcement requests for such data I think it less of an issue for the DNT discussions. We have to comply with the law - we don't like that, we vote accordingly at the next elections, not in W3C. -Rigo, I would LOVE my members to charge 10 times more for OBA ads. But that number is totally unrealistic. Twice as much would be still good enough and only top performers can achieve this. Again, we have hardly large data on this, mostly confidential disclosure from business people, as it's a highly competitive market and players not keen disclosing figures. Have a good weekend, Kimon ----- Reply message ----- From: "Rigo Wenning" <rigo@w3.org> To: "public-tracking@w3.org" <public-tracking@w3.org>, "Alan Chapell" <achapell@chapellassociates.com> Cc: "Shane Wiley (yahoo)" <wileys@yahoo-inc.com>, "Vincent Toubiana" <v.toubiana@free.fr>, "Jeffrey Chester" <jeff@democraticmedia.org>, "Jonathan Mayer" <jmayer@stanford.edu> Subject: Third-Party Web Tracking: Policy and Technology Paper outlining harms of tracking Date: Fri, Oct 12, 2012 11:13 pm On Thursday 11 October 2012 16:27:06 Shane Wiley wrote: > * No harm ever came to users Can we please stop that silly discussion and go back to real? Alan, it is clear that the concrete harm of profiles done by ad networks is very hard to determine in a world that is full of NDAs and settlements. And I agree that you need to know about the harms in order to determine the protective measures. So you have a point. But it is like looking for security breaches. I will still try (and this list is not exhaustive or in any way scientific or correct) The fact that the industry pays over 10 times more for targeted advertisement and profiles should be enough evidence that there is value. Money is an information system after all. But this value is not neutral. The value is the ability of the industry to reduce the autonomy of consumers. Apart from annoying pop-ups and targeted spams that factor in to the psychology in the market place, people find it really creepy that the "unknown" knows so much about them. Go read Foucault to assess the chilling effects of that process. Reducing autonomy in concrete means manipulation to sell goods at higher prices than otherwise possible. You look for a smoking gun? I have been long time hesitant to provide it. And I still don't. But I can report from the hearing in the EU Parliament on the new data protection regulation where two of the most respected advocates were reporting people's concerns that governments siphon all data and profiles that have been created. It is not advertisement as such, it is the profiles created and the targets identified. People are not as naive as some other people may want to believe. DNT is a way to say: Look the other way and don't record for the spooks. They may still find something in your accounting data, but less then the full profile and not forever. A further psychological component adds to this. We say "do not track" and probably, for marketing reasons, can not pedal back behind this term. If someone selects "do not track" while there is still tracking going on and just the creepy symptoms are suppressed, that's even worse and more unpredictable than doing nothing. A system has to be predictable and reliable. And if I say to the service "please look the other way" and they still look with one and a half eye, I'm not really getting what I want. Disappointed expectations will add to the hostile environment the ad industry is currently working in. This is not the achievement we are looking for. Last but not least, there is not only concrete abuse, but the abstract danger of large amounts of data. I have personal experience with this as Legal counsel. Until 2003 W3C kept all logfiles for historical reasons (thought was that we invented the Web and have to keep stuff for the historians). Then we were the target of a multitude of subpoenae that wanted to know who saw what when to determine who was willfully infringing what patent (or to create an allegation thereof). And I finally convinced the Sys-Team to anonymize logs after 6 weeks. This helped. (we have a known script and policy for that). Vincent tried to allude to this with the Youtube case. There can be many attempts to get your profile. Now Alan can ask me: But this is also true for first parties. And now I have to confess that I believe personally that the distinction between first and third parties doesn't make much sense. Neither in a dogmatic (legal) way nor in a risk based thinking. I think the FTC found some settlement that made perfect sense for the concrete case but created an unfortunate precedent for the US market. HTTP just makes requests for elements and can't distinguish between first and third parties (apart from same origin). So a harms based discussion will always hurt itself with this distinction. On the other hand, the TPWG has to accept some outside legal realities. First/Third was brought in to reduce the scope of all the effort. Fine. For the EU system, the distinction is irrelevant because of statutes, so everybody is treated equally there. To conclude: If there would be no harm and no social outcry, we wouldn't be sitting here and spending our time with this. Alan, I also find it somewhat audacious to question the reality of the entire data protection circus and the entire research done in this space in the past 50 years. All a joke? But maybe the earth is flat and we didn't realize. This said, a constructive questioning of the concrete harms will bring us forward. But this needs that we come out of the trenches and accept that "potential" abuse exists. The discussion on harms should really now concentrate on the concrete permitted uses. Trying to bomb "marketing" into "permitted uses" in the presence of DNT;1 with the "no harm argument" doesn't help at all. So my question is: Alan, what data collection and use do you want that you can't do? This is precisely Walter's question (and I may have the same cultural bias as Walter has, but please be indulgent with us on this aspect) Rigo
Received on Sunday, 14 October 2012 10:25:29 UTC