- From: Alan Chapell <achapell@chapellassociates.com>
- Date: Wed, 18 Jun 2014 11:22:37 -0400
- To: <public-tracking-comments@w3.org>
- Message-ID: <CFC726FD.5121C%achapell@chapellassociates.com>
Thanks for the opportunity to provide additional comment to the technical specification document. As Iım sure this working group is well aware, I have grave concerns about the process for getting this document to last call (See http://lists.w3.org/Archives/Public/public-tracking/2014Apr/0100.html). Iıve been doing privacy and public policy work for a number of years. In my experience, when a group is confronted with significant issues that are relevant to implementation of a privacy standard, they should reflexively put their foot on the brake. For reasons that have become painfully clear over the past ten months, the W3Cıs response is to put the pedal to the metal and let issues of legitimacy be damned. Iıve shared the TPE document with a handful of colleagues on the legal, technical and business side. The most common feedback Iıve received is that the document is difficult to understand and open to multiple interpretations when exposed to real life use cases. For example, one colleague believed upon reading the TPE that his company controlled a context simply by purchasing a particular ad slot on a publisher page. In other words, he believed that both the advertiser and the publisher controlled that portion of the page. Other colleagues shared similar views regarding a branded social networking page being a context that is controlled by multiple parties. Personally, I found it difficult to justify some of the distinctions being drawn. Other colleagues expressed confusion as to how one might infer that a particular user agent was allowed to turn on DNT by default. For example, regulators have sometimes viewed Safari as a privacy protective browser because it blocks third-party cookies by default. Would it therefore be OK for Safari to turn on DNT by default? Iım not sure and the folks at Apple certainly havenıt tipped their hand. In short, it is clear that it will be difficult for smaller entities (i.e., ones that canıt afford to hire a team of lawyers) to decipher many of the definitions and requirements in the TPE document. A few additional issues and concerns. The TPE does little to ensure the validity of a DNT signal Imagine attempting to board a plane at an airport where anyone with a computer could instantly alter flight patterns; imagine a marketplace where credit card companies were unable to authenticate their cardholders; or think about driving a car where anyone could use a police siren to push their way through traffic on the city streets. We sometimes take for granted how important it is to trust the validity of signals in life. If you canıt trust the signal, the entire framework is left open to question. And thatıs exactly where we are with DNT. Per the TPE, thereıs no requirement on user agents to ensure that the DNT signal is valid. And as a result, thereıs no mechanism for anyone in the digital media ecosystem to trust any DNT signal they receive. One of the largest browser manufacturers has already been reported to have violated the spirit of the TPE - so this isnıt mere speculation. And then there are any number of plugins, routers, anti-virus software and other entities that are turning on DNT without the userıs knowledge. As a result, the entire framework is open to question. In any other group, this issue would result in a full stop until the questions are addressed. Conversely, this working group treats this fundamental flaw as a bug that may (or may not) be addressed in future revisions a bizarre outcome to say the least. Iıve thought a good deal about why this might be an acceptable outcome to those who are running this working group, which brings me to my second point. The Definition of tracking favors large companies (See http://www.adexchanger.com/data-driven-thinking/track-great-internet-giants- like-google-facebook/) I wonıt belabor this point, but it has become obvious that the definitions in the TPE are weighted towards larger companies. Thereıs understandably little concern around who might be manipulating DNT signals when youıve successfully exempted your company from the specification. Unfortunately, the DNT effort operates in a world where victory is defined solely by ³getting a specification published.² When the only important thing is winning, and nobody on the outside notices how many errors were committed during the game or how many calls were missed by the referees sooner or later, the players start to take their ball and go home. With that in mind, weıve seen significant attrition in this working group over the past year. With all due respect, the W3C can try to call this a working group decision if theyıd like, but letıs be clear who is really running this working group. And letıs not kid ourselves into believing that we have achieved anything resembling consensus in a multi-stakeholder process. Respectfully, Alan Chapell Chapell & Associates
Received on Wednesday, 18 June 2014 15:23:09 UTC