- From: Maciej Stachowiak <mjs@apple.com>
- Date: Tue, 18 Feb 2020 18:38:30 -0800
- To: Kris Chapman <kristen.chapman@salesforce.com>
- Cc: Jeffrey Yasskin <jyasskin@google.com>, public-privacy <public-privacy@w3.org>
- Message-id: <D516F402-FB12-45C8-94E5-3218F8CE05C9@apple.com>
[snipped the quoted sections] > On Feb 18, 2020, at 11:36 AM, Kris Chapman <kristen.chapman@salesforce.com> wrote: > > There are companies out there that are trying to identify and block abusive behavior(for example https://tallpoppy.io/ <https://tallpoppy.io/> or https://www.getspectrum.io/ <https://www.getspectrum.io/>). I know of HR platforms that do cross-site tracking because they use different vendors for things like online education (and in at least one case, they don't want to force employees to share personal data with the vendor too). Without a doubt, online advertising is much more prevalent, of course - but it's not the only industry doing user tracking online. > > That said, I completely agree that it's not this group's job to make people more responsible online. However, it is this group's responsibility to consider the impact of privacy decisions, and I do think one is where you want to draw the line on personal responsibility. I think people have the right to speak anonymously online, even if some may abuse that right. Just as, in the US for instance, people have that right in the real world. If someone posts a rude anonymous flyer on a public bulletin board, we don’t leap to dusting it for fingerprints. We especially don’t leap to dusting every flyer for fingerprints, just in case one is later found to be rude. > This is why, personally, I'm more in favor of a design like what Tim Berners-Lee's start-up Inrupt <https://inrupt.com/> is trying do - where some level of data would be fully controlled by the consumer, but there could still be user tracking done for different types of use cases. I would deny no one the right to opt into such a model. I would strenuously object to putting users into it against their will. This design seems to come from a “transparency and control” mindset about privacy, when what we need to move to is privacy by default. > > I don’t personally support employers monitoring their employee’s web browsing. But it’s legal in many jurisdictions and many consider it legitimate. However, employers generally do not monitor employee web browsing by using cross-site tracking technologies. Rather, they install filtering/monitoring firewalls, perhaps even TLS middleboxes; or they install local spyware. Technologies like that are probably outside the scope of the privacy threat model. > > I was actually bringing this up because employee monitoring isn't usually done via the browser. What I was worried about was the browser 's stressing their data privacy features, and consumers then thinking they're safe from employer tracking when they're actually not. Browsers should be clear about what protection they provide. But that’s not part of the threat model as stated. (Of course, depending on the browser and the OS, it’s possible users may have some protections against employer spyware.) Regards, Maciej
Received on Wednesday, 19 February 2020 02:38:57 UTC