- From: Bryan Sullivan <blsaws@gmail.com>
- Date: Wed, 11 Apr 2012 10:00:22 -0400
- To: <public-tracking@w3.org>
- Message-ID: <CBAB0662.22E75%blsaws@gmail.com>
Here are the further comments I expressed in the meeting:

The history of policy-focused work in W3C has demonstrated to us that W3C works most effectively when it focuses on protocols (including APIs), data formats, and related User Agent requirements. In areas of policy expression and compliance, it has been less successful, due to the complexities of representing policy choices for users through browser UI, combined with the unfamiliarity of W3C with dealing with the rapidly evolving complexities of Internet business models, service architectures, and the roles of various market stakeholders. We hope that the introduction of the Community Group process will help W3C gain a broader and deeper perspective on the Web-enabled services marketplace.

But in the short term, which is the most important term for DNT, we believe that in order to make a fast, positive influence on user privacy on the Internet, the W3C should focus on what it does best by focusing on the expression of user intent and related User Agent requirements. It should tackle the more complex issues of policy and compliance through the community group process and collaboration with existing compliance forums, while the market gains experience with the DNT standard. If those compliance forums need to step up their game to address market-specific requirements, that I believe is possible, but it is not necessary or helpful to replicate or supplant that existing process of market-based self-regulation with a one-size-fits-all proscriptive set of policy rules, through W3C.

From: Bryan Sullivan <blsaws@gmail.com>
Date: Tue, 10 Apr 2012 18:23:19 -0400
To: <public-tracking@w3.org>
Subject: Alternative 6

Here is the proposal I have for how we can best use our time tomorrow, at least one additional alternative to those presented so far.

I do not believe the TP WG will be successful in defining policies (i.e. normative requirements) that are universally applicable, as normative statements re contextually permitted uses across 1st/3rd parties. To achieve something in the desired timeframe (Q3 2012), the TP WG should limit its scope to:

- in the TPE spec, defining how a user expresses their intent, and optionally how sites express compliance
- in the TCS spec
  - Defining what the DNT signal means (e.g. "don't remember me", "don't track me", "don't share me" etc)
  - Defining the overall responsibility sites have for communicating to users their privacy practices (including discoverability of site relationships) and how those practices will change with a DNT signal from the user.
  - If the TCS spec addresses data uses, it should do so only as an informative set of guidelines that are consistent with (or reference) the approach being taken in compliance programs

This way, we can avoid the unnecessary (and increasingly cloudy) definition of 1st vs 3rd parties, and the incomplete/procrustean definition of acceptable / commonly accepted business practices.

I believe we can fulfill the charter for the TPE, and for the TCS by using the approach above. This will provide time for the market to gain experience with the DNT standard, while the compliance issues continue to be discussed and worked within the existing compliance-focused forums.

Thanks,
Bryan Sullivan
Received on Wednesday, 11 April 2012 14:01:17 UTC