RE: Eprivacy Regulation EP Rapporteurs draft report

The assumption has been that only DNT:0 has relevance to European ePrivacy, but the draft suggests that DNT:1 could assert a stronger objection (than DNT unset). 

Article 8.2c (that’s my numbering because the draft was a bit confusing) says IP addresses and other “data emitted” can be processed without consent if there are certain mitigations, and one of these is “the users shall be given effective opt-out possibilities” A8.3d.

So in that circumstance DNT:1 could mean “really, really Do Not Track me”.

Mike

From: Aleecia M. McDonald [mailto:aleecia@aleecia.com] 
Sent: 15 June 2017 16:52
To: Roy T. Fielding <fielding@gbiv.com>
Cc: Rob van Eijk <rob@blaeu.com>; public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org) <public-tracking@w3.org>
Subject: Re: Eprivacy Regulation EP Rapporteurs draft report

I have long thought that particular bit of text is poorly drafted, and it is my own fault for allowing it to be so. I’ve raised this a few times to no avail.

That it is being misread is a strong argument for fixing it. I fear the answer, but is it too late to add non-normative text that explains more clearly? I would be happy to trust the editors to make the intent clearer during a clean up pass.

               Aleecia

On Jun 15, 2017, at 8:16 AM, Roy T. Fielding <fielding@gbiv.com> wrote:

On Jun 15, 2017, at 1:35 AM, Rob van Eijk <rob@blaeu.com> wrote:


Moreover, please note the remarks of the EU lawmaker on DNT (p. 87 of the draft report). I believe that it shows that there is clear support and appreciation for our work.

Article 10 of the proposal refers to options for privacy settings of tools and software used to enable users to prevent other parties from storing information on terminal equipment, or processing information stored on the equipment (Do-Not-Track mechanisms -DNTs-). The rapporteur shares the objective of the proposal but she considers that, in order to reflect the essential core principles of Union data protection law (privacy by design and by default), it must be amended. Indeed, these basic principles are not efficiently integrated in the ePrivacy proposal of the Commission. Therefore it is proposed first, that DNTs are technologically neutral to cover different kinds of technical equipment and software and, second, that DNTs, by default must configure their settings in a manner that prevents other parties from storing information on the terminal equipment or processing information stored on the equipment without the consent of the user, at the same time users should be granted the possibility to change or confirm the default privacy settings options at any moment upon installation. The settings should allow for granulation of consent by the user, taking into account the functionality of cookies and tracking techniques and DNTs should send signals to the other parties informing them of the user’s privacy settings. Compliance with these settings should be legally binding and enforceable against all other parties.

Regards,
Rob

Rob, to me that reads as if the Rapporteur expects user agents to send DNT:1 by default even when the user has taken no action to configure a signal be sent. This would be in spite of the fact that the TPE default of no signal is defined by regional context, meaning that in the EU sending no explicit signal is equivalent to DNT:1 (for the same reasons given above) without wasting network traffic.

Is that the case?

....Roy

Received on Thursday, 15 June 2017 16:27:02 UTC