RE: Tracking names and emails across sites

Rob,

  I went to my networking background to think about your points.  I came up with the following:

In networking, there are two fundamental types of interactions - stateful and stateless.  HTTP is a fundamentally stateless protocol, while FTP is fundamentally stateful.  If you need more of an explanation, let me know offline.  

Answer to Question 1: 

In a value exchange for PII, the terms of use (TOU) or the end user license agreement (EULA) may specify that the relationship between the consumer and the service is either stateful or stateless (although I doubt that either would use the technical terms explicitly).  In the former case, it'd be feasible to expect some later control over data use.  In the latter case, well, it'd be like asking to control where your dollar goes after you've used it to pay for a newspaper.  I'm neither a lawyer nor a legislator, so I'm not on the up-and-up with regards to the rules governing what rights mustn't be modified in a TOU or EULA - and it looks like the FTC is only just now looking into this with a few companies in the data brokerage space:

http://www.ftc.gov/opa/2012/12/databrokers.shtm


Perhaps we'll see the results of their inquiry published in a timely manner.  I think this source (once available) would be the one most relevant to Jonathan's continued questions about industry practices in this area.  

Answer to Question 2: 

With regards specifically to the 'out of band consent' - my read of section 6.3 of the Compliance and Scope document is that it's implicitly a stateful relationship that the web site operator is expected to have with the user who is providing consent (via EULA, TOS, or other mechanism).  Therefore, it'd be feasible to expect some form of persistent consent management, but the discussion around this topic resulted in the line that's in the current Editor's Draft: "This protocol does not define what constitutes explicit consent in any jurisdiction; check with your lawyer."

Refocusing Point:

  The documents describe both a technical solution (6.3 of the TPE) and a business process (6.3 of the Compliance and Scope document) for managing exceptions.  I recognize that your second clarifying question pointed to the business process option.  My comments were initially focused on the technical solution.  Since both options are going to have their adherents during implementation, I simply reiterate: each must be sufficiently well defined that it is more efficient to adopt exceptions than it is to gate and require users to disable DNT globally.  

/brendan.
  

-----Original Message-----
From: Rob van Eijk [mailto:rob@blaeu.com] 
Sent: Tuesday, December 18, 2012 11:19 AM
To: public-tracking@w3.org
Subject: RE: Tracking names and emails across sites


> Consent-based value exchange of PII for access exists now, and will 
> exist in a DNT world.
Brendan,

I would like to learn if and how a user's consent can be withdrawn easily in the case of value exchange of PII.

Second clarifying question: does such a withdrawal of consent also work in the case of 'out of band consent' in a DNT world?

Thanks,

Rob

Brendan Riordan-Butterworth wrote on 2012-12-18 16:53:
> Jonathan,
> 
>  If you’re interested in registering Stanford to start using the About 
> Ads icon to identify their adherence to the DAA principles, I suggest 
> you engage with the DAA directly, outside of this group.
> 
>  The most important takeaways from my mail yesterday are that:
> 
> - Consent-based value exchange of PII for access exists now, and will 
> exist in a DNT world.
> 
> - If the DNT world does not offer sufficiently robust exceptions 
> management, the pressure on the consumer will be to disable DNT for 
> access.
> 
> /brendan.
> 
> FROM: Jonathan Mayer [mailto:jmayer@stanford.edu]
>  SENT: Monday, December 17, 2012 9:29 PM
>  TO: Brendan Riordan-Butterworth
>  CC: public-tracking@w3.org
>  SUBJECT: Re: Tracking names and emails across sites
> 
> Brendan,
> 
> Could you please provide a bit more detail on Point 2 below? In 
> particular, what control would this company have to provide to comply 
> with the DAA principles? In my reading of the DAA's documents: none.
> 
> Thanks,
> 
> Jonathan
> 
> On Monday, December 17, 2012 at 10:23 AM, Brendan Riordan-Butterworth
> wrote:
> 
>> Point 1: Humor and realism
>> 
>> Facial recognition is such an inefficient method of consumer 
>> identification. It’d be a much simpler implementation to enhance 
>> customer loyalty cards with range-readable RFID tags – that way 
>> you’ve also got opt-in, and the possibility of spinning up a 
>> consumer-choice portal.
>> 
>> Point 2: Existing Self-Reg
>> 
>> The current self-regulatory guidelines offered via the DAA require 
>> that Third Parties and Service Providers (like what this “website 
>> intelligence” network seems to be) provide “clear, meaningful, and 
>> prominent notice” of what’s being collected, how it’s being used, and 
>> an opt-out mechanism. You can review starting on page 12 of this
>> document:
>> 
>> http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf
>> [3]
>> 
>> If they’re not providing this information and control, they’re not in 
>> line with the DAA principles.
>> 
>> Point 3: DNT World
>> 
>> I don’t think that the business practice of requiring the exchange of 
>> PII for services or discounts would be eliminated under a DNT regime.
>> Specifically, a site that currently blocks access or participation on 
>> filling in a form that includes being given permission to share the 
>> consumer’s email address with other parties would need to update 
>> their form to request the appropriate exceptions via the DNT 
>> protocol. If the DNT exception protocol isn’t sufficiently robust to 
>> allow the consumer to give minimal tracking permission, it’s likely 
>> that these sites will simply require the global disabling of the DNT state.
>> 
>> /brendan.
>> 
>> FROM: Jonathan Mayer [mailto:jmayer@stanford.edu]
>> SENT: Wednesday, December 12, 2012 11:52 PM
>> TO: public-tracking@w3.org
>> SUBJECT: Fw: Tracking names and emails across sites
>> 
>> Spotted this on the public-tracking list. The practice may be a 
>> helpful future use case to keep in mind as we refine the compliance 
>> document. It certainly would not be permissible for Do Not Track 
>> users under a linkability-oriented approach. If I understand 
>> correctly, current self-regulatory guidelines would allow it.
>> 
>> Jonathan
>> 
>> Forwarded message:
>> 
>>> FROM: Karl Dubost <karld@opera.com>
>>> TO: (public-privacy@w3.org mailing list) <public-privacy@w3.org>
>>> DATE: Wednesday, December 12, 2012 8:24:17 PM
>>> SUBJECT: Tracking names and emails across sites
>>> 
>>> FYI,
>>> 
>>> Tracking personal identifiable information across sites.
>>> 
>>> On Thu, 13 Dec 2012 04:23:08 GMT
>>> 
>>> In You’re not anonymous. I know your name, email, and company.
>>> 
>>> At
>>> http://42floors.com/blog/youre-not-anonymous-i-know-your-name-email-and-company/
>>> [1]
>>> 
>>> I’ve learned that there is a “website intelligence” network that
>>> tracks form submissions across their customer network. So, if a
>>> visitor fills out a form on Site A with their name and email, Site B
>>> knows their name and email too as soon as they land on the site.
>>> 
>>> --
>>> 
>>> Karl Dubost - http://dev.opera.com/ [2]
>>> 
>>> Developer Relations, Opera Software
> 
> 
> 
> Links:
> ------
> [1] http://42floors.com/blog/youre-not-anonymous-i-know-your-name-email-and-company/
> [2] http://dev.opera.com/
> [3] http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf

Received on Tuesday, 18 December 2012 22:15:12 UTC