RE: ACTION-152 - Write up logged-in-means-out-of-band-consent

Justin,

My comments are two-dimensional in this case.  Dimension one – attempting to speak to broad privacy issues in the context of only DNT.  I don’t believe this is realistic and that any agreements we make here on broader topics such as appropriate consent paradigms, data retention, etc. will be applied to discussions outside of DNT.  I believe its naive to believe otherwise.

Dimension two - I believe we’re largely on the same page with respect to out-of-band consent overriding DNT.  if an entity states they support DNT and they want to override this support, then this must be stated to the user as part of gaining their consent.  It’s the approach and context that some were beginning to speak to that I wanted to avoid having the discussion in this forum (for example, you should have a checkbox somewhere) as I believe it will take a long-time to come to agreement on specifics such as location, language, flow, recourse, transparency in context, choice in context, etc.

“Clear” and “prominent” are interesting terms in this context as they are highly subjective.  This is where we have the complex intersection of philosophy and practice.  For example, I philosophically agree on clear notices and always strive for them, but in practice you may disagree that I’ve achieved this outcome.  It’s for this reason that I suggest turning to local legal guidance/process to determine if the intended outcome has been achieved (appropriate consent).  On the use of “prominent”, more and more practices are often deemed to need to be “prominent” such that placing the whole privacy policy in front of the user (which many already do today) is required to cover all the elements that require “prominence”.  Then many argue this is too much information for consumers.

If online entities are not finding the right balance here, then it’s my hope that consumer advocates and industry peers would call this out, regulators will then investigate and act appropriately, and consumers always have their vote to avoid that service.  Attempting to be prescriptive in this context in the standard, while helpful to the larger privacy debate, will take considerable time to arrive at agreement – if that is even possible.

- Shane

From: Justin Brookman [mailto:jbrookman@cdt.org]
Sent: Monday, April 02, 2012 10:47 AM
To: public-tracking@w3.org
Subject: Fw: ACTION-152 - Write up logged-in-means-out-of-band-consent

Sorry, meant to send this to the public list.  Comments below.


-----Original message-----
From: Justin Brookman <jbrookman@cdt.org>
To: Shane Wiley <wileys@yahoo-inc.com>
Sent: Mon, Apr 2, 2012 17:32:33 GMT+00:00
Subject: RE: ACTION-152 - Write up logged-in-means-out-of-band-consent
Shane, no one is trying to solve all consumer consent issues with this standard.  Under any legal regime, different types of processing require different types of consent---opt-in, opt-out, no consent at all, etc.  What this standard says will and should have no bearing on when Amazon can give my mailing address info to FedEx, or when my doctor can sell my records for research purposes, or when Facebook can deliver first-party ads based on my user profile.  All we are trying to decide is WITHIN THE PARAMETERS OF A STATED DNT INSTRUCTION, how a consumer should signal that a party may act contrary to that DNT instruction.

I don't think anyone here is arguing that it would be an appropriate result for the New York Times to be able to say in para 178 on a EULA that the user is granting permission for all of the NYT's third-party partners to ignore DNT.  I fail to see how requiring a clear and prominent permission should be remotely controversial.

If I have told you quite clearly not to eat my cake, you should make clear that you would like to eat my cake despite my instruction.  Otherwise, users won't be able to trust that the standard works.

Sent via mobile, please excuse curtness and typos


-----Original message-----
From: Shane Wiley <wileys@yahoo-inc.com>
To: Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Cc: Alan Chapell <achapell@chapellassociates.com>, Jeffrey Chester <jeff@democraticmedia.org>, Jonathan Mayer <jmayer@stanford.edu>, David Singer <singer@apple.com>, John Simpson <john@consumerwatchdog.org>
Sent: Mon, Apr 2, 2012 15:41:46 GMT+00:00
Subject: RE: ACTION-152 - Write up logged-in-means-out-of-band-consent
Rigo,

Interestingly I believe it is your argument that attempts at eating its cake and having it too.

The issues this group is wrestling with will have impacts on the privacy debate far beyond the reach of DNT. I'm not sure how often you work in the internet advertising world or how much history you have the specifics of the privacy legal debate both in the US and the EU, but there will be no way to isolate the "appropriate consent" structure as applying only to DNT. This is exactly the reason advocates in this conversation are pushing so hard on these dimensions as they see this as an opportunity to solve multiple privacy topics in a single pass (Jonathan has said as much in email and in f2f meetings). While I'm supportive of solving all of the privacy debate, I believe it will be impossible to do this in our stated timeframe - if ever - as I believe many of these debates will live far into the future as our cultures and the Internet evolve together.

I don't see the disconnect (eat/have cake) between saying out-of-band consent trumps DNT and then allowing local law to define what is appropriate consent. In fact, I believe there will be many areas of this standard that will need to follow this formula. We've already agreed as a working group that we don't believe direct references to regional laws are appropriate in the standards documents (fine for conversation as a testing mechanism) - rather we'd simply state "in compliance with local law". I see several conversations within the TPWG as attempting to override local law by setting some default, pan-global privacy standard outside of DNT - "appropriate consent" is just one of these.

- Shane

-----Original Message-----
From: Rigo Wenning [mailto:rigo@w3.org]
Sent: Monday, April 02, 2012 7:48 AM
To: public-tracking@w3.org
Cc: Shane Wiley; Alan Chapell; Jeffrey Chester; Jonathan Mayer; David Singer; John Simpson
Subject: Re: ACTION-152 - Write up logged-in-means-out-of-band-consent

Shane,

On Sunday 01 April 2012 20:54:12 Shane Wiley wrote:
> I disagree with your basic premise here: '"Out-of-band" is creating the
> trouble, because it imports troubles from outside in our definition space
> and we have to decide in how far we accept that (see below).'

You can't have the cake and eat it too.

Either you take some rule from outside (out of band is superior of what we
define here) and you accept that the discussion about quality of out of band
agreements for DNT compliance is in scope for our Group.

Or you say, those out of band agreements have some legal value outside DNT and
we do not discuss it here but manage the semantic clash in our legal
department. In this case you may well say that because you have out of band
agreement, you break DNT compliance without legal consequences.

Or we create some rules under which out of band is taken into account by DNT
while still maintaining DNT compliance. That needs definition of some
requirements for out-of-band agreement as accepted for compliance with the
_Specification_.

But what we should not accept is allowing services to say "we do DNT" while
basically ignoring DNT-rules because of an undefined out of band agreement.
This is so prone to abuse that DNT would become meaningless IMHO.

Best,

Rigo