W3C home > Mailing lists > Public > public-tracking-comments@w3.org > June 2014

Last Call Comments

From: Alan Chapell <achapell@chapellassociates.com>
Date: Wed, 18 Jun 2014 11:22:37 -0400
To: <public-tracking-comments@w3.org>
Message-ID: <CFC726FD.5121C%achapell@chapellassociates.com>
Thanks for the opportunity to provide additional comment to the technical
specification document.
As Iım sure this working group is well aware, I have grave concerns about
the process for getting this document to last call (See
Iıve been doing privacy and public policy work for a number of years. In my
experience, when a group is confronted with significant issues that are
relevant to implementation of a privacy standard, they should reflexively
put their foot on the brake. For reasons that have become painfully clear
over the past ten months, the W3Cıs response is to put the pedal to the
metal ­ and let issues of legitimacy be damned.
Iıve shared the TPE document with a handful of colleagues on the legal,
technical and business side. The most common feedback Iıve received is that
the document is difficult to understand and open to multiple interpretations
when exposed to real life use cases.
For example, one colleague believed upon reading the TPE that his company
controlled a context simply by purchasing a particular ad slot on a
publisher page. In other words, he believed that both the advertiser and the
publisher controlled that portion of the page. Other colleagues shared
similar views regarding a branded social networking page being a context
that is controlled by multiple parties. Personally, I found it difficult to
justify some of the distinctions being drawn.
Other colleagues expressed confusion as to how one might infer that a
particular user agent was allowed to turn on DNT by default. For example,
regulators have sometimes viewed Safari as a privacy protective browser
because it blocks third-party cookies by default. Would it therefore be OK
for Safari to turn on DNT by default? Iım not sure ­ and the folks at Apple
certainly havenıt tipped their hand.
In short, it is clear that it will be difficult for smaller entities (i.e.,
ones that canıt afford to hire a team of lawyers) to decipher many of the
definitions and requirements in the TPE document.
A few additional issues and concerns.
The TPE does little to ensure the validity of a DNT signal
Imagine attempting to board a plane at an airport where anyone with a
computer could instantly alter flight patterns; imagine a marketplace where
credit card companies were unable to authenticate their cardholders; or
think about driving a car where anyone could use a police siren to push
their way through traffic on the city streets. We sometimes take for granted
how important it is to trust the validity of signals in life. If you canıt
trust the signal, the entire framework is left open to question.
And thatıs exactly where we are with DNT. Per the TPE, thereıs no
requirement on user agents to ensure that the DNT signal is valid.  And as a
result, thereıs no mechanism for anyone in the digital media ecosystem to
trust any DNT signal they receive. One of the largest browser manufacturers
has already been reported to have violated the spirit of the TPE - so this
isnıt mere speculation. And then there are any number of plugins, routers,
anti-virus software and other entities that are turning on DNT without the
userıs knowledge. 
As a result, the entire framework is open to question. In any other group,
this issue would result in a full stop until the questions are addressed.
Conversely, this working group treats this fundamental flaw as a bug that
may (or may not) be addressed in future revisions ­ a bizarre outcome to say
the least. Iıve thought a good deal about why this might be an acceptable
outcome to those who are running this working group, which brings me to my
second point.
The Definition of tracking favors large companies ­ (See
like-google-facebook/) I wonıt belabor this point, but it has become obvious
that the definitions in the TPE are weighted towards larger companies.
Thereıs understandably little concern around who might be manipulating DNT
signals when youıve successfully exempted your company from the
Unfortunately, the DNT effort operates in a world where victory is defined
solely by ³getting a specification published.² When the only important thing
is winning, and nobody on the outside notices how many errors were committed
during the game or how many calls were missed by the referees ­ sooner or
later, the players start to take their ball and go home.  With that in mind,
weıve seen significant attrition in this working group over the past year.
With all due respect, the W3C can try to call this a working group decision
if theyıd like, but letıs be clear who is really running this working group.
And letıs not kid ourselves into believing that we have achieved anything
resembling consensus in a multi-stakeholder process.

Alan Chapell
Chapell & Associates
Received on Wednesday, 18 June 2014 15:23:09 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:40:47 UTC