- From: Justin Brookman <justin@cdt.org>
- Date: Wed, 26 Oct 2011 10:43:15 -0400
- To: public-tracking@w3.org
On 10/26/2011 12:59 AM, Bjoern Hoehrmann wrote: > At the moment there are only a few third parties that obtain data that > can be used to track people on a global scale. If the Working Group was > to define "consent", I would think it to be quite reasonable to look how > these few organize their "consent to privacy policy" systems, which may, > in the future, include provisions saying their logged-in users consent > to be tracked by them even when visiting unrelated web sites that just > happen to embed some widget they offer. Let's say Acme, Inc. offers some > social networking web site with a billion users and they put a provision > like that into their privacy policy. Some people might argue that Acme > has designed their signup process so that people are discouraged to read > the privacy policy and users do not actually affirm their consent when > they sign up. That would lead the Working Group to argue about whether > some entity is engaging in jailtime criminal conduct, and the result may > be that the specification says such and such is good enough even though, > in some jurisdictions, actually doing "that" puts you in jail. > > I do think the document can say useful things about consent, but it's a > highly sensitive matter where a very specific definition specifically > for "DNT" provides only very limited value, so the matter should be > handled in a manner that is unlikely to create much controversy. The document is not attempting to define what constitutes "Affirmative, Informed Consent" in any or all jurisdictions. We do not have the power to do that. We are defining that term for this particular protocol. Jailtime does not come into consideration. Companies will have to follow each country's specific laws regardless of what we do. All this spec says is that the request for permission has to be somewhere the user will be likely to notice. Complying with that will not violate any law. If a country imposes greater obligations --- request for permission has to be in 30-pt Comic Sans --- they can do that and companies will have to comply, but it doesn't effect our spec. If a user today sets her browser to "block third party cookies," a third party cannot evade that control by putting in a license agreement "you consent to our placing third party cookies despite any browser settings." Similarly, if a user sets her browser to "Do Not Track" (or whatever her browser calls the setting), Acme shouldn't be able to ignore that instruction by reserving the right to ignore that instruction in a place the user is unlikely to notice. The whole point of this process is to give users a relatively simple and straight-forward control to limit cross-site tracking; if a third party wants to ignore the instruction, it should be upfront and get the informed consent of the user to ignore her personal setting. I don't see how idea is controversial. Users are going to be extremely confused and frustrated if their browser controls can be vitiated by obscure boilerplate. The point of this process, however, is standardization, and it is appropriate for the group to give some clear guidance to third parties wishing to comply in good faith with the header how to ask for permission to track despite the setting. > I think "behavioral tracking" needs to be notably different from just > "tracking" in order to justify using a different term. Based on my own > understanding of the terms and the draft, I find it difficult to argue > the terms are notably different. If you consider more traditional cases > of tracking, like a hunter may do in the woods in winter, it's hard to > imagine data the hunter may obtain that's not based on behavior. It may > be okay to use the term "behavioral tracking", but the document would > have to explain more clearly how "behavioral tracking" is a very special > form of "tracking". I think I agree with this? I don't care whether what we call it, "tracking" or "behavioral tracking" --- we should just pick a term and then define it to make clear that the spec applies to the the collection of passively-transmitted .url data (and whatever else we decide is in scope) instead of following deer in the woods.
Received on Wednesday, 26 October 2011 14:43:49 UTC