Comments on the Tracking Compliance and Scope draft

EFF is in an unusual situation in commenting on the W3C TCS draft, in that
we have an alternative DNT compliance policy deployed and in the field
( https://eff.org/dnt-policy ;
https://www.eff.org/press/releases/coalition-announces-new-do-not-track-standard-web-browsing ;
https://www.eff.org/press/releases/online-ad-company-adopts-new-do-not-track-standard-web-browsing ).

Our DNT Policy document was first published as a draft with our Privacy
Badger extension in May last year; version 1.0 was released in August.
That policy was largely based on the EFF-Stanford-Mozilla compromise
proposal previously discussed in this Working Group, with a few important
changes.  Given the difficulty building consensus in this WG, and the
urgent practical need for a way for Privacy Badger and other tracker
blocking software to let third party domains signal that they had
implemented a strong privacy opt-out, we have been focused on something
that actually allows DNT to work in deployment as a privacy mechanism.

For the TPWG audience, it's probably worth looking at the places where our
policy wound up being different from the current TCS Last Call draft, which
we don't think is workable from a privacy perspective in its current form.

1. PERMITTED ACTIVITIES AND USES:

There is an important set of activities that are permitted by the TCS LC
draft but prohibited or tightly circumscribed under the EFF 1.0 Policy.
Some of these are of particularly acute concern to us:

   - allowing third parties to use tracking cookies, supercookies,
fingerprints and other types of unique identifiers to record people's
reading habits and browsing histories without meaningful consent.

   - allowing the continuation of specific advertising industry practices
(especially frequency capping and ad display auditing) using algorithms and
data flows that were not originally designed to preserve the privacy of
users' reading habits. These become a straightforward path by which a very
large number of companies wind up getting copies of the user's browsing
history without appropriate consent.

   - potentially allowing extremely long retention periods for the above
types of data

Each of the above categories of activities is subjected to a
"reasonableness" requirement in the TCS draft.  The problem that we and I
believe many other organizations have with that test is that
"reasonableness" is decided unilaterally by the companies involved, and not
by users or any impartial authority.  It would be understandable for legal
counsel for various types of tracking companies to conclude that
continuation of preexisting industry practices was "reasonable" and
required by business constraints, while users being tracked by those
companies might hold a wildly diverging view of those business practices
and their reasonableness.

For the above reasons, we believe that any plausible Do Not Track policy
*must* offer users more concrete guarantees about the circumstances under
which their reading habits will be collected, retained, or shared by
various parties.  In the absence of such guarantees, users who wish to not
be tracked will need to block interactions with most or all advertising,
analytics and widget-serving domains.

2. FIRST AND THIRD PARTIES

The disagreements I mention above have existed in this working group since
its inception.  There was another giant topic of debate in the WG around
the scope of the definition of a "first party".

We came to conclude that the attempt to define first parties, and define
them as inherently excluded, was a mistake.  As a result, our DNT Policy is
either implemented or not implemented on a per-subdomain basis, at the
website's discretion.  Some of the companies that are implementing our
policy have chosen to do so for all of their domains and services; others
have chosen to do it only on specific domains that serve scripts or widgets
for embedding on other domains.

As a matter of enforcement, our Privacy Badger software currently only
creates strong incentives for implementation by third parties, but that may
change in the future.  For instance, a first party news website that
implemented the policy is likely to have all of its third parties unblocked
in the future, because it has made representations about tightly limiting
the data flows to those parties.  Other first-party features of privacy
software, such as attempting to prevent link-click-tracking, could
similarly be contingent on the absence of a first-party commitment to the
DNT Policy.

We think this approach of making DNT first/third party neutral is much
cleaner. It eliminates any advantage / disadvantage that accrues to
companies based on the size of their corporate family trees, removes the
perceived advantages of third parties that are also major first parties,
simplifies the document, and allows companies to implement or not implement
for whatever services they believe DNT compliance is appropriate for.

3. OVERALL SIMPLICITY

Wordcount: we tried hard to draft for concision; the EFF Do Not Track
Policy is a bit less than half the length of the TCS last call draft.

-- 
Peter

Received on Wednesday, 7 October 2015 20:10:52 UTC