W3C home > Mailing lists > Public > public-tracking@w3.org > October 2011

Re: Comments on tracking-compliance.html

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Wed, 26 Oct 2011 06:59:12 +0200
To: Justin Brookman <justin@cdt.org>
Cc: public-tracking@w3.org
Message-ID: <1rvea7df0dbn8uvacntrvslkt7s4ohcnd2@hive.bjoern.hoehrmann.de>
* Justin Brookman wrote:
>Fair enough, but the legal definition of consent is actually incredibly 
>vague in many jurisdictions, and we may wish to specify a higher 
>standard for users in those places where the requirements are weak or 
>unclear.  For instance, it would be a perverse result if a company's 
>privacy policy could say both "we comply with 'Do Not Track'" and "oh, 
>by the way, we reserve the right to track you."  One way to avoid the 
>legal inconsistency problem would be to define "Affirmative Informed 
>Consent" as AT LEAST in response to a clear and prominent request 
>separate from other permissions/disclosures.

At the moment there are only a few third parties that obtain data that
can be used to track people on a global scale. If the Working Group was
to define "consent", I would think it to be quite reasonable to look how
these few organize their "consent to privacy policy" systems, which may,
in the future, include provisions saying their logged-in users consent
to be tracked by them even when visiting unrelated web sites that just
happen to embed some widget they offer. Let's say Acme, Inc. offers some
social networking web site with a billion users and they put a provision
like that into their privacy policy. Some people might argue that Acme
has designed their signup process so that people are discouraged to read
the privacy policy and users do not actually affirm their consent when
they sign up. That would lead the Working Group to argue about whether
some entity is engaging in jailtime criminal conduct, and the result may
be that the specification says such and such is good enough even though,
in some jurisdictions, actually doing "that" puts you in jail.

I do think the document can say useful things about consent, but it's a
highly sensitive matter where a very specific definition specifically
for "DNT" provides only very limited value, so the matter should be
handled in a manner that is unlikely to create much controversy.

>> Various sections refer to "behavioral tracking". That seems borderline
>> tautological to me.
>"Behavioral tracking" is specifically defined in 3.4.

I think "behavioral tracking" needs to be notably different from just
"tracking" in order to justify using a different term. Based on my own
understanding of the terms and the draft, I find it difficult to argue
the terms are notably different. If you consider more traditional cases
of tracking, like a hunter may do in the woods in winter, it's hard to
imagine data the hunter may obtain that's not based on behavior. It may
be okay to use the term "behavioral tracking", but the document would
have to explain more clearly how "behavioral tracking" is a very special
form of "tracking".
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Wednesday, 26 October 2011 04:59:45 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:38:26 UTC