Re: Mapping DNT to GDPR

Hi Mike,

Thank you for your professional comments. Let me see if I can make my explanation a little clearer. I’m going to break everything down into use cases, but I’ll start with the conclusion.

Conclusion:

  *   The accepted practice in the business world is that ‘business strategy drives IT architecture’. Or in this case Privacy Regulation drives IT architecture. What I see is an attempt to make an IT design fit a privacy strategy that was not even thought of when the idea of DNT was first formally expressed.
  *   If it is determined that meaningful consent cannot be triggered by DNT=1 or DNT is unset (no signal), then why have a DNT header at all, as you will always need to obtain meaningful consent when the location equals EU
  *   Rob van Eijk is correct - It is clear however, that it cannot contain all that is needed for valid consent - agreed. DNT transmits a desire, NOT a personal contract with the website for the purposes of processing their personal data.

Facts already in evidence and uncontested:

  *   The W3C working group has designed DNT from the start to be a tri-part state that is designed to operate globally on all web sites
     *   DNT:1 request not to be tracked
     *   DNT:0 agreement to be tracked
     *   Unset
        *   in the US, the user has not made a choice for privacy so it's ok to still track them
        *   in the EU, the user has not consented to tracking, so it's not ok to track them

  *   Compliance regulation - GDPR/ePr Dir. (The proposal aims to be lex specialis to the GDPR)
  *   Note: Currently NO browser that I know of offers the ability to set DNT:0
  *   Note: Currently NO browser can transmit a setting of ‘Unset’ - e.g. if I turn on DNT in my browser and do an echo page test I see the DNT header set to 1. If I disable DNT in my browser the DNT header disappears completely. There is no header showing DNT=“”. This means that no matter what, every web server will be parsing the incoming request headers for something that doesn’t exist or might exist, when they really need to determine real time location (browser regionalization doesn’t help here as the user may have simply flown into a GDPR location).

Use case 1: User is physically located in the USA or other region of the world outside of the EU

  *   There is no privacy compliance regulation in the US so setting DNT:1 or DNT:0 or leaving it unset has NO effect on the privacy of the user. Without meaningful compliance, privacy cannot be enforced.

Use case 2: User is physically located in the EU or the browser is using a VPN that places the user in the EU

  *   DNT setting is set to Unset (the protocol default).
     *   We’re now under the GDPR regulation - we’ll start with Recital 32 which is about meaningful consent. There are other recitals to consider as well: 38, 42, 43, 50, 51, 171 - which create an ever broader array of challenges for DNT… especially if age verification is required as well.
        *   Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
     *   So I have NOT yet consented to tracking so the web site MUST offer me a web page that is a clear and unambiguous statement of agreement for me to consent to.

Use case 3: User is physically located in the EU or the browser is using a VPN that places the user in the EU

  *   DNT:1 is set
     *   There is NO record of consent. I have transmitted a desire ‘Not to be tracked’ however as per GDPR the website MUST present me with a document FIRST that allows me to make a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement

Regarding your statement:

  *   the user can give or revoke their consent in their browser, and the site can equally do that also (registering it in the browser via the UGE API).

True - however in practice this is impossible. Every OEM browser will have to be fully updated to a fully agreed upon protocol which is still many months away. Then EVERY user in the world must update every device they have to support this new capability. Only then will I be able to revoke consent which the web sites have not yet even planned to do as there is nothing to test it against. There is no way this will happen by May 25th 2018.

Regarding your next statement:

  *   This means that, when browsers have fully implemented the protocol, sites will not have to assemble a table of all the sub-resources that may appear on the site, the browser (or extensions) can do that for them. Third-party servers that do not support DNT will be instantly recognizable, and there will be no need to block those, or their cookies, that fully respect a user's preference.

As a user I currently only have two settings - DNT:1 and DNT:Unset - neither use case 2 nor use case 3 offers ‘meaningful consent’ via the DNT setting. So the web site has to do it - first OR third parties are irrelevant - all sub resources MUST gain consent (or not, there is no distinguishing between parties anymore). All servers MUST recognize and respect those choices if the user's location is in the EU (see article 3 - Territorial Scope) and send the ‘private contract’ to consent to.

Regarding this statement:

  *   As others have said, how an absent DNT header is interpreted is a local matter and it has been recognized from the start that DNT:1 must be assumed in Europe. But sites with an international audience have always had to be aware of jurisdiction and this can easily be dealt with in the same way.

I disagree. We stated at the beginning this:

     *   DNT:1 request not to be tracked
     *   DNT:0 agreement to be tracked
     *   Unset
        *   in the US, the user has not made a choice for privacy so it's ok to still track them.
        *   in the EU, the user has not consented to tracking, so it's not ok to track them.

There are three settings - location cannot change a setting from Unset to DNT:1 (the protocol doesn’t allow it). A setting of unset in the EU (I assume this is the absence of a DNT header because you can’t actually set a setting of unset) is now irrelevant because as soon as the location is determined and compliance is required, then meaningful consent needs to be transmitted TO the data subject for them to agree to. There is no assumption of DNT:1 ever. The value remains unset until the user changes it and then we revert back to use case 3 and get the same ‘user experience’.

The way that the DNT protocol is currently written it’s of little value when it comes to meaningful consent - in the US there is no compliance document by which to enforce privacy, and in the EU I can leave it unset or set it and still not send meaningful consent because at the time the data subject MAKES the request in the browser they have no idea what they are meant to be consenting to or not consenting to.



Peter

Peter Cranstone
CEO, 3PHealth

COMS:
Mobile/Signal: +1 303-809-7342 UTC -6hrs
Skype: cranstone
Website | www.3phealth.com  (Healthcare Patient Engagement and Data Interoperability)
Website | www.3pmobile.com (Privacy by Design Platform for GDPR and ePrivacy reg.)

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain information that is confidential or legally privileged. Any unauthorized review, use, disclosure or distribution of such information is prohibited. If you are not the intended recipient, please notify the sender by telephone or return e-mail and delete the original transmission and its attachments and destroy any copies thereof. Thank you.





On Oct 17, 2017, at 12:09 PM, Mike O'Neill <michael.oneill@baycloud.com> wrote:

Hi Peter,

Thanks for mentioning Bouncer, but I take issue with some of this.

The point of DNT is that there is a common understanding between sites and browsers of what signal indicates user consent. The browser communicates to every server (for sites as well as third-parties) a specific-to-them indication i.e. if they do not receive DNT:0 the user has not given their consent to that domain (there is an out-of-band indication mechanism also, but this is only useful while browsers have not implemented the API).

This means the  user can give or revoke their consent in their browser, and the site can equally do that also (registering it in the browser via the UGE API).

Similarly servers have a protocol for communicating their identity and, if they want to track, why.  They can explain what their purposes for tracking are, and the browser can record that when consent is given, so the user can be reminded of it - perhaps to revoke it later. This means that, when browsers have fully implemented the protocol, sites will not have to assemble a table of all the subresources that may appear on the site, the browser (or extensions) can do that for them. Third-party servers that do not support DNT will be instantly recognisable, and there will be no need to block those, or their cookies, that fully respect a user’s preference.

As others have said, how an absent DNT header is interpreted is a local matter and it has been recognised from the start that DNT:1 must be assumed in Europe. But sites with an international audience have always had to be aware of jurisdiction and this can easily be dealt with in the same way.

Also, referring back to another of your posts, automatic expiry has been part of the DNT protocol since 2014 (the maxAge parameter for the API).



Mike





From: Peter Cranstone [mailto:peter.cranstone@3phealth.com]
Sent: 17 October 2017 17:12
To: Robin Berjon <robin.berjon@nytimes.com>
Cc: Aleecia M. McDonald <aleecia@aleecia.com>; public-tracking-comments <public-tracking-comments@w3.org>
Subject: Re: Mapping DNT to GDPR

Hi Robin,

I would like to suggest an alternative approach to understanding the core problem you face with GDPR… Meaningful Consent.

It seems to be the one thing nobody really wants to address, and yet it is fundamental to Privacy.

Here’s a simple use case for you:

  *   Install Chrome
  *   Install the BayCloud Bouncer extension (link<https://chrome.google.com/webstore/detail/baycloud-bouncer/bplgfejjkplajgmkcbbgaeceamceohkc?hl=en-US>)
  *   Remove ALL ad blocking software from Chrome (or disable it)
  *   Visit the NYT web site and then click on the extension for information

That’s it. You will see approximately (it changes) 10 first parties and 76 third parties.

Based on GDPR, and where meaningful consent is REQUIRED, the NYT will have to provide a page BEFORE anything else loads that lists each and every Party with an explanation of what each is doing with my data. The data subject then has the ability to either opt in or opt out.

Here is where your challenge really appears - and where DNT is not designed to go.

You are essentially having a private conversation, a negotiation if you will, with the consumer. You really want them to opt in otherwise you’ll be serving generic ads and the value of that person to you will decrease.

Once the data subject has made a decision, then from that point on the NYT will have to recognize them, respect their choices and then respond appropriately to them. Privacy just became contextual. No one person will likely be the same as the next. You will not only have to track them all - you will have to send different pages to each of them. This is all about the user generated exception database that is missing from the spec. (Out of scope).

And that right there is where DNT fails and also where the browser extension also fails. It does a wonderful job of implementing the API and allowing you to block everything, but the NYT has NO IDEA of what just happened, because nothing was communicated back to them. Essentially by blocking all third parties it became an ad blocker on steroids.

That is NOT what you want. You need to engage in a digital conversation with the data subject in real time and record their choices (preferences) and then respond accordingly.

If you want you can refer to Aleecia’s paper - https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2588086 Go to page 35 Appendix A where she has the AP News example.

Here’s the code…
    IF user is in the EU THEN
        IF DNT:0 /* there is consent to track */
        THEN read, set, and process unique identifiers as
        ELSE treat as DNT:1 is today; delete cookies
    ELSE /* applies only to non-EU users */
        proceed exactly as today
DNT:0 is irrelevant because consent is required - however you CANNOT delete the cookies because you haven’t installed any yet. You have to load a page which I just checked has 1 first party and 20 third parties all of which require consent.

To be compliant requires meaningful consent which is a ‘private contract’ between the data subject and the data processor/controller. And each time the user changes their location - say I fly backwards and forwards from NY to Paris twice a month, the settings will change. Plus this all has to work on mobile where it is even harder to determine location without resorting to GPS and then responding with the appropriate mobile page that the user can read and consent to.

Cheers,


Peter
Peter Cranstone
CEO, 3PHealth



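The tri-part DNT state described in the reply above (set to 1, set to 0, or no header at all), the three location-based use cases, and the pseudocode quoted from Aleecia's paper all reduce to one server-side decision table. The following is an added example written for this thread; it is not code from the thread, from the TPE specification, or from any product mentioned here. It assumes that the site determines the visitor's country from the request in real time (a GeoIP lookup feeding a two-letter country code, rather than the browser's locale), that the site's tracking identifier is a cookie named `uid` (a constructed name), and, as a site policy choice, that an explicit DNT:1 from a non-EU visitor is honoured. The `Tk` response header values follow the TPE tracking status codes (N: not tracking, T: tracking, C: tracking with consent); the `X-Consent-Required` header is illustrative only.

```python
"""Map the DNT request header plus real-time location to a tracking decision.

Added example for the DNT/GDPR thread; not code from the thread or any
project it mentions. Assumptions: country comes from the site's own GeoIP
lookup of the request; 'uid' is a constructed tracking-cookie name; honouring
DNT:1 outside the EU is a site policy choice.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Dnt(Enum):
    """The tri-part state from the thread."""
    ONE = "1"        # request not to be tracked
    ZERO = "0"       # agreement to be tracked (browser-registered exception)
    UNSET = "unset"  # no header at all: no preference expressed


# EU member states as of October 2017 (constructed lookup table for the example).
EU_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB",
}

TRACKING_COOKIE = "uid"  # constructed name of the site's tracking identifier


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_dnt(headers: Dict[str, str]) -> Dnt:
    """Reduce the request headers to the tri-part state.

    The preference is the first character of the value ("0" or "1"); any
    extension characters after it are ignored. An absent header, an empty
    value (the DNT="" case raised in the thread) and a malformed value all
    collapse to UNSET: the server must not infer a preference the user never
    expressed.
    """
    raw = _header(headers, "DNT")
    if raw is None:
        return Dnt.UNSET
    raw = raw.strip()
    if raw in ("", '""'):
        return Dnt.UNSET
    if raw[0] == "1":
        return Dnt.ONE
    if raw[0] == "0":
        return Dnt.ZERO
    return Dnt.UNSET


@dataclass(frozen=True)
class Decision:
    may_set_tracking_cookies: bool
    must_obtain_consent: bool  # consent page has to be served before anything else loads
    tk: str                    # Tk response header value
    reason: str


def decide(dnt: Dnt, country: str) -> Decision:
    """Combine the header state with the request's real-time location.

    EU (use cases 2 and 3, and the quoted pseudocode): only DNT:0 is taken as
    a consent signal; DNT:1 and unset both mean no consent on record.
    Non-EU (use case 1): unset and 0 proceed as today; DNT:1 is honoured by
    site policy (assumption).
    """
    if country.upper() in EU_COUNTRIES:
        if dnt is Dnt.ZERO:
            return Decision(True, False, "C", "EU: DNT:0, consent registered in browser")
        return Decision(False, True, "N", f"EU: DNT {dnt.value}, no consent on record")
    if dnt is Dnt.ONE:
        return Decision(False, False, "N", "non-EU: DNT:1 honoured by site policy")
    return Decision(True, False, "T", f"non-EU: DNT {dnt.value}, tracking proceeds as today")


def handle_request(headers: Dict[str, str], country: str) -> Dict[str, str]:
    """Build the response headers a tracking resource would send back."""
    d = decide(parse_dnt(headers), country)
    resp = {"Tk": d.tk}
    cookie_hdr = _header(headers, "Cookie") or ""
    has_uid = any(c.strip().startswith(TRACKING_COOKIE + "=") for c in cookie_hdr.split(";"))
    if d.may_set_tracking_cookies and not has_uid:
        resp["Set-Cookie"] = f"{TRACKING_COOKIE}=<new-id>; Secure; HttpOnly; SameSite=Lax"
    elif not d.may_set_tracking_cookies and has_uid:
        # the "treat as DNT:1 ...; delete cookies" branch of the quoted pseudocode
        resp["Set-Cookie"] = f"{TRACKING_COOKIE}=; Max-Age=0; Secure; HttpOnly"
    if d.must_obtain_consent:
        resp["X-Consent-Required"] = "1"  # illustrative: front end renders the consent page first
    return resp


if __name__ == "__main__":
    # constructed sample requests: EU visitor with no header, EU with DNT:0,
    # US visitor with DNT:1, EU visitor carrying an old tracking cookie
    samples = [({}, "FR"), ({"DNT": "0"}, "DE"), ({"dnt": "1"}, "US"),
               ({"Cookie": "uid=abc123; theme=dark"}, "IE")]
    for hdrs, cc in samples:
        print(cc, hdrs, "->", handle_request(hdrs, cc))
```

The point the example makes concrete is the one the reply stresses: for an EU visitor, the absence of the header and an explicit DNT:1 land in the same branch, so the server gains nothing from distinguishing them; the decision is driven by location and by whether consent is on record.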



On Oct 17, 2017, at 8:59 AM, Robin Berjon <robin.berjon@nytimes.com> wrote:

Dear all,

many thanks for your input. Your suggestions and clarifications largely match my expectations; I expect it will take time before we get around to actually taking DNT into account (as you expect we have our work cut out for GDPR) but it is something that I will keep on my radar and get to when possible.

On 10/12/17 6:18 PM, Aleecia M. McDonald wrote:

A co-author and I argue that DNT may be used to fulfill GDPR depending on how browsers work [1].

Thanks a lot for that paper; this is definitely a useful read for me.


The W3C working group has designed DNT from the start to be a tri-part state.
  *   DNT:1 - request not to be tracked
  *   DNT:0 - agreement to be tracked
  *   unset
     *   in the US, the user has not made a choice for privacy so it’s ok to still track them.
     *   in the EU, the user has not consented to tracking, so it’s not ok to track them.
This is related to the point Roy raised, but a little different. Basically tracking as opt-in v. opt-out flips based on where the user is located.

Yes, that is also our expectation.

Thank you!

--
Robin Berjon
The New York Times Company
Executive Director, Data Governance
robin.berjon@nytimes.com

Received on Wednesday, 18 October 2017 16:29:16 UTC