- From: Justin Brookman <justin@cdt.org>
- Date: Wed, 26 Oct 2011 15:45:15 -0400
- To: "public-tracking@w3.org" <public-tracking@w3.org>
- Message-ID: <4EA8634B.3070407@cdt.org>

You keep using this term, "out of scope." I do not think it means what you think it means. The scope of the group is, /inter alia/, to define "specifications for a simple machine-readable preference expression mechanism ('Do Not Track') and technologies for selectively allowing or blocking tracking elements" and to "define the scope of the user preference and practices for compliance with it in a way that will inform and be informed by the technical specification."

The purpose of the group is to delineate the practices that are necessary to meaningfully comply with a DNT header. I believe that (1) a statement that you are complying with the header (I have expressed flexibility as to how this should look---"DNT honored here" flag may be enough) and (2) a requirement that permission to ignore the header be clear and prominent are both necessary for the setting to function as intended. Without them, the spec will not work. I suppose the group could have been chartered to just decide the syntax of what a DNT header looks like, but the scope of the group is broader than that.

This is not a question of "fix[ing] privacy regulation around the world." This is a question of determining how to comply with a DNT-header instruction. Determining how consent should be obtained in order to comply with a spec is ordinarily within the scope of a W3C mandate (http://www.w3.org/TR/2010/NOTE-dap-privacy-reqs-20100629/#privacy-consent)

Justin Brookman
Director, Consumer Privacy Project
Center for Democracy & Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
tel 202.407.8812
fax 202.637.0969
justin@cdt.org
http://www.cdt.org
@CenDemTech
@JustinBrookman

On 10/26/2011 3:00 PM, David Wainberg wrote:
> I agree that would be a perverse result. It's likely the scenario you
> describe would be an unfair trade practice under FTC jurisdiction (in
> the US). I agree more broadly that appropriate notice for users is an
> issue. I just don't think it's a problem we should try to solve. It's
> not our job to fix privacy regulation around the world. We're going to
> have to let go a bit, and see what regulatory bodies, users, and
> software makers do with the tools we give them. A simple "DNT honored
> here" flag in the headers, for example, provides meaningful and
> actionable information to users (via the client). Let the client
> software decide how to present it to users. Let regulatory
> organizations build the rest of the framework around enforcement.
>
> On 10/25/11 11:16 PM, Justin Brookman wrote:
>> Fair enough, but the legal definition of consent is actually incredibly
>> vague in many jurisdictions, and we may wish to specify a higher
>> standard for users in those places where the requirements are weak or
>> unclear. For instance, it would be a perverse result if a company's
>> privacy policy could say both "we comply with 'Do Not Track'" and "oh,
>> by the way, we reserve the right to track you." One way to avoid the
>> legal inconsistency problem would be to define "Affirmative Informed
>> Consent" as AT LEAST in response to a clear and prominent request
>> separate from other permissions/disclosures.

Received on Wednesday, 26 October 2011 19:45:50 UTC