
Re: Propose to drop from the strawman: requirement for privacy policy disclosure

From: David Singer <singer@apple.com>
Date: Wed, 26 Oct 2011 08:22:48 -0700
Message-id: <E6318134-0D43-40A6-9A31-A67C3C0A13F6@apple.com>
Cc: Justin Brookman <justin@cdt.org>, "public-tracking@w3.org" <public-tracking@w3.org>
To: John Simpson <john@consumerwatchdog.org>


Sent from my iPad

On Oct 25, 2011, at 5:32 PM, John Simpson <john@consumerwatchdog.org> wrote:

> I agree with Justin.
> 
> On Oct 25, 2011, at 2:50 PM, Justin Brookman wrote:
> 
>> A lot of this effort is dedicated to verifiability --- isn't that why we've spent so much time discussing the sending of compliance headers?  Having an accountable statement of compliance is another effort at that.  I suppose you could make an argument that it should be in the technical spec instead of the compliance spec (though I would disagree), but especially if third-party header responses are deemed optional or a Bad Idea, the spec needs to lay out how to communicate to consumers that the header is being respected.  If the header just flies into the blue with no standardized way to disclose compliance,

I think it is unlikely that we will write a spec that mandates that the UA ignores a response.  Given that, the presence of a response leaves in the user's hands the option of choosing a UA that conveys what they wish to know, and how it conveys it.  That is the user's prerogative, and removing the response header takes that away.

Perhaps the only reason to not want a response, is to enable sites, particularly third parties that the user is probably unaware that they are even visiting, to change their practices and policies at will and completely hidden from the users, so that users may only find out that they have been tracked much later, if at all.

Do not track is not like Do not call.  If someone calls me, I know in the moment of the violation.  If someone tracks me, I want to know, in the moment, who they are and that they are doing it.

At the moment, the only alternative I can see to being informed is to block the majority of third party sites (basically, everyone except bona-fide content sites). I don't think that is good for the ad industry.


>> this process seems destined to fail; if nothing else, privacy policy disclosure should be considered as an alternative to automated header responses.
>> Justin Brookman
>> Director, Consumer Privacy Project
>> Center for Democracy & Technology
>> 1634 I Street NW, Suite 1100
>> Washington, DC 20006
>> tel 202.407.8812
>> fax 202.637.0969
>> justin@cdt.org
>> http://www.cdt.org
>> @CenDemTech
>> @JustinBrookman
>> 
>> On 10/25/2011 5:16 PM, David Wainberg wrote:
>>> 
>>> Section 6.4 of the Compliance and Scope document states, "In order to be compliant with this specification, an operator of a third-party domain must clearly and unambiguously assert in the privacy policy governing that domain that it is in compliance with this specification." Such a requirement is out of scope of this standard and should not be included in the strawman. While it may be in scope to create tools that facilitate auditing and enforcement by other entities, it is not the role of this technical standard to impose legal requirements for compliance. Any such requirements will come from entities with relevant authority, e.g. Congress or the FTC in the US.
> 
> ----------
> John M. Simpson
> Consumer Advocate
> Consumer Watchdog
> 1750 Ocean Park Blvd., Suite 200
> Santa Monica, CA 90405
> Tel: 310-392-7041
> Cell: 310-292-1902
> www.ConsumerWatchdog.org
> john@consumerwatchdog.org
> 
Received on Wednesday, 26 October 2011 15:23:40 UTC
