Strawman compliance spec

In case you did not see the draft compliance spec in Matthias's agenda 
for tomorrow, here is the link: 
http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html

Heather tried to send an email to the working group last night, but it 
didn't go through.

Justin Brookman
Director, Consumer Privacy Project
Center for Democracy & Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
tel 202.407.8812
fax 202.637.0969
justin@cdt.org
http://www.cdt.org
@CenDemTech
@JustinBrookman


On 10/25/2011 5:50 PM, Justin Brookman wrote:
> A lot of this effort is dedicated to verifiability --- isn't that why 
> we've spent so much time discussing the sending of compliance 
> headers?  Having an accountable statement of compliance is another 
> effort at that.  I suppose you could make an argument that it should 
> be in the technical spec instead of the compliance spec (though I 
> would disagree), but especially if third-party header responses are 
> deemed optional or a Bad Idea, the spec needs to lay out how to 
> communicate to consumers that the header is being respected.  If the 
> header just flies into the blue with no standardized way to disclose 
> compliance, this process seems destined to fail; if nothing else, 
> privacy policy disclosure should be considered as an alternative to 
> automated header responses.
> Justin Brookman
> Director, Consumer Privacy Project
> Center for Democracy & Technology
> 1634 I Street NW, Suite 1100
> Washington, DC 20006
> tel 202.407.8812
> fax 202.637.0969
> justin@cdt.org
> http://www.cdt.org
> @CenDemTech
> @JustinBrookman
>
> On 10/25/2011 5:16 PM, David Wainberg wrote:
>> Section 6.4 of the Compliance and Scope document states, "In order to 
>> be compliant with this specification, an operator of a third-party 
>> domain must clearly and unambiguously assert in the privacy policy 
>> governing that domain that it is in compliance with this 
>> specification." Such a requirement is out of scope of this standard 
>> and should not be included in the strawman. While it may be in scope 
>> to create tools that facilitate auditing and enforcement by other 
>> entities, it is not the role of this technical standard to impose 
>> legal requirements for compliance. Any such requirements will come 
>> from entities with relevant authority, e.g. Congress or the FTC in 
>> the US.

Received on Tuesday, 25 October 2011 22:09:43 UTC