[wbs] response to 'Call for Review: Tracking Protection Working Group Charter'

The following answers have been successfully submitted to 'Call for Review:
Tracking Protection Working Group Charter' (Advisory Committee) for Intel
Corporation by Ryan Ware.


The reviewer's organization supports this Charter as is.

Additional comments about the proposal:
   I support this charter for many different reasons.  In the most general
case, I think it fits with Intel's expectations around protecting its
customers.  Additionally, Jan Philipp Albrecht has outlined 9 very
compelling reasons:

1. The EU General Data Protection Regulation, for which I had the honour of
being rapporteur, will be applied from May 2018. Among other things, it
introduces statutory obligations on any company, wherever it is located,
that collects or processes the personal data of persons in the EU. Personal
data is defined as “any information relating to an identified or
identifiable natural person” and can include data processed for
singling-out individuals online such as “online identifiers provided by
their devices, applications, tools and protocols, such as internet protocol
addresses, cookie identifiers or other identifiers such as radio frequency
identification tags”. Sanctions for breaches of these obligations can be
up to 4% of a company’s annual worldwide turnover or €20 million,
whichever is greater.

2. On many web sites, including those run by the major online publishers,
there can be several hundred “third-party” servers accessed when a page
is visited. If personal data is processed by these servers, the GDPR
requires that the identity of the relevant data controller, its claimed
legal basis and purpose for processing be declared. Other than described in
the Do Not Track Tracking Preference Expression (TPE) document, there is
currently no standardised web platform method for doing this. The current
TPE includes mechanisms allowing companies to inform users, and any privacy
tools that they employ, of the identity and policies of all companies that
respect the DNT signal.

3. The GDPR also requires companies to obtain a user’s informed consent
for, or in some circumstances support an automated right to object to,
online personal data collection and processing, with users being given the
ability to revoke their consent at any time. The Article 29 Working Party
has called for this to be within their user agent as well as via the web
resource. The current TPE includes mechanisms for communicating the
user’s informed consent for tracking to all or to a set of third-parties
on a specific web site, which gives users much more control than that made
available via HTTP cookies or other state persistence mechanism subject to
the Same Origin Policy, as users are far more comfortable giving their
consent in the context of a particular website than across the entire web.
The web platform currently has no API mechanism for doing this, other than
the DNT Consent API.

4. Separating the signalling of user consent to a particular request header
(DNT) supports the ability of sites to use “expiry” based caching via
the “Vary” header. Existing mechanisms for indicating user specific
consent, such as HTTP Cookies, do not allow for this. Legislation such as
the GDPR is bound to introduce much more web traffic that relies on user
consent, and the restrictions on caching could badly affect the performance
of the web platform.

5. Users are increasingly turning to other methods to protect their privacy
online such as content and ad blockers. These are designed to detect
attempts to collect data or particular web servers or resources and block
them, but have to be far blunter tools than they need to be. The building
blocks within the TPE offer ways for them to operate with more finesse and
allow legally compliant companies to establish trust of users, making the
use of such tools less necessary.

6. There are other rights for individuals laid out in the GDPR, including
the right to access, amend or erase personal data. The transparency
mechanisms described in the TPE can and should be extended to allow
companies to support these rights.

7. There is evidence that at the moment about 12-14% of web requests to
European websites have the DNT header set, which must reflect the desire of
a significant proportion of Europeans to have their preference respected.

8. The current draft of the upcoming proposal for a new EU ePrivacy
Regulation
(http://g8fip1kplyr33r3krz5b97d1.wpengine.netdna-cdn.com/wp-content/uploads/2016/12/POLITICO-e-privacy-directive-review-draft-december.pdf)
also addresses the possibility of consenting with technical settings in the
browser, see Article 9(2). It also introduces an obligation for browser
manufacturers to respect the privacy by design principle, see Article
10(2).

9. For all these reasons, there is more work to do in your area of
expertise. I urge you therefore to extend the mandate of the TPWG until
after the end of 2016.



The reviewer's organization:
   - intends to review drafts as they are published and send comments.
   - intends to develop experimental implementations and send experience
reports.
   - intends to develop products based on this work.
   - intends to apply this technology in our operations.
   - would be interested in participating in any press activity connected
with this group.

Answers to this questionnaire can be set and changed at
https://www.w3.org/2002/09/wbs/33280/tracking-2016/ until 2016-12-23.

 Regards,

 The Automatic WBS Mailer

Received on Monday, 19 December 2016 18:57:09 UTC
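Point 4 of the quoted reasons turns on a caching detail: a consent signal carried in a request header lets a shared cache key its stored responses with Vary, whereas a signal carried in a per-user cookie makes every response unique. The example below is added for this review (it is not code from the W3C, Intel or the email's authors) and models a minimal shared cache applying Vary as described in RFC 7234 section 4.1 to constructed traffic; the URL, the visitors' headers and the page bodies are all assumed.

```python
def vary_key(req_headers, vary):
    """Secondary cache key (RFC 7234 section 4.1): the request's values for
    every header named in Vary; names are case-insensitive, an absent header
    is keyed as ''. 'Vary: *' returns None: the response is never reusable."""
    if vary.strip() == "*":
        return None
    lowered = {k.lower(): v for k, v in req_headers.items()}
    names = sorted(h.strip().lower() for h in vary.split(",") if h.strip())
    return tuple((n, lowered.get(n, "")) for n in names)


class SharedCache:
    """Proxy/CDN-style cache: one entry per (URL, vary key) plus a hit count."""

    def __init__(self):
        self.entries = {}
        self.hits = 0

    def fetch(self, url, req_headers, vary, render):
        key = vary_key(req_headers, vary)
        if key is not None and (url, key) in self.entries:
            self.hits += 1
            return self.entries[(url, key)]
        body = render(req_headers)          # miss: ask the origin server
        if key is not None:
            self.entries[(url, key)] = body
        return body


def render_page(req_headers):
    """Constructed origin: visitors differ only by whether trackers are
    embedded, which is decided from the DNT request header."""
    dnt = {k.lower(): v for k, v in req_headers.items()}.get("dnt")
    return "page without trackers" if dnt == "1" else "page with trackers"


def run(vary, requests):
    """Replay requests through one shared cache whose responses carry the
    given Vary value; return (distinct cache entries, cache hits)."""
    cache = SharedCache()
    for req in requests:
        cache.fetch("https://example.test/article", req, vary, render_page)
    return len(cache.entries), cache.hits


# Constructed traffic from six visitors: keyed on DNT the cache only tells
# apart DNT:1, DNT:0 and 'no header'; keyed on a per-session cookie every
# request carries a distinct Cookie value and no response is ever shared.
DNT_REQUESTS = [{"DNT": "1"}, {"DNT": "0"}, {"DNT": "1"},
                {}, {"DNT": "1"}, {"DNT": "0"}]
COOKIE_REQUESTS = [{"Cookie": "sid=user%d; consent=1" % i} for i in range(6)]
```

`run("DNT", DNT_REQUESTS)` yields three cache entries and three hits for the six visitors, while `run("Cookie", COOKIE_REQUESTS)` yields six entries and no hits.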