- From: Amy Colando (LCA) <acolando@microsoft.com>
- Date: Thu, 2 Feb 2012 02:31:30 +0000
- To: John Simpson <john@consumerwatchdog.org>, Justin Brookman <justin@cdt.org>
- CC: "public-tracking@w3.org" <public-tracking@w3.org>
- Message-ID: <81152EDFE766CB4692EA39AECD2AA5B6023D1435@TK5EX14MBXC296.redmond.corp.microsoft.>
Hey all - I am looking into this some more in order to add some additional facts to this debate. In the meantime, can you help me understand how you think that this requirement would realistically operate for the passively collected pseudonymous data (cookies, IP addresses) that would be the subject of the DNT signal? Would each website be required to host a page with a list like "COOKIEACDEFG123 was subject to legal requirements that differed from DNT specification"? Although even that statement is not quite correct, as I think we have discussed (not yet decided) that legal process is a permitted exception.

From: John Simpson [mailto:john@consumerwatchdog.org]
Sent: Wednesday, February 01, 2012 12:40 PM
To: Justin Brookman
Cc: public-tracking@w3.org
Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)

This is different than saying that the standard does not attempt to override applicable laws. Justin's language is aimed at telling the user that a party has been legally required to gather data despite DNT 1. I like it and would be inclined to make it a "must."

On Jan 31, 2012, at 1:01 PM, Justin Brookman wrote:

Revising Jonathan's text based on this string:

A party MAY take action contrary to the requirements of this standard if compelled by applicable law. If compelled by applicable law to collect, retain, or transmit data despite receiving a DNT:1 signal for which there is no exception or exemption, the party SHOULD notify affected users to the extent practical and allowed by law.

I suggest "applicable law" instead of "mandatory legal process" both to accommodate David's concern about using contract to compel and because a statute could mandate the retention of IP logs (for example) without serving a subpoena or court order (which is what "process" means to me).
Feel free to revise the terms "exception or exemption" --- I was trying to convey the two scenarios of (1) operational data collection/use/retention is allowed even if DNT is on and/or (2) the user has given permission to a company to track, but I haven't gotten all the way through the ponderous thread on the meanings of exception/exemption.

I also don't think a requirement to tell users when DNT is being ignored because of government action is at all out of scope. I'm suggesting SHOULD as a placeholder but think a MUST is worth a discussion. However, it's relevant to note that we don't require (or even offer SHOULD guidance) that companies inform users about operational collection/usage/retention (exceptions???) that is allowed despite the DNT header.

Justin Brookman
Director, Consumer Privacy Project
Center for Democracy & Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
tel 202.407.8812
fax 202.637.0969
justin@cdt.org
http://www.cdt.org
@CenDemTech
@JustinBrookman

On 1/31/2012 2:40 PM, Shane Wiley wrote:

If the concern is that a party can somehow contract their way out of DNT compliance (versus other types of legal/government obligations) then I'm fine with calling that out more directly.

- Shane

From: David Singer [mailto:singer@apple.com]
Sent: Tuesday, January 31, 2012 12:36 PM
To: Shane Wiley
Cc: John Simpson; Amy Colando (LCA); Joanne Furtsch; MeMe Rasmussen; Tom Lowenthal; Jonathan Mayer; public-tracking@w3.org
Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)

On Jan 31, 2012, at 19:22 , Shane Wiley wrote:

Agreed - NO text seems like the appropriate path (in agreement with Amy and John).

well, the rationale was way back at the end of the thread.
it's two-fold:

a) you can send DNT, but don't forget that tracking may still happen if legally required - there is a 'legislation exception'

b) a notification of a 'legislation exception taken' will be signaled if legally possible, but under some laws, notification itself is not allowed.

we can also explain that having a *contract* that 'forces' you to track is not a valid exception...

David Singer
Multimedia and Software Standards, Apple Inc.

----------

John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd., Suite 200
Santa Monica, CA, 90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org
john@consumerwatchdog.org
Received on Thursday, 2 February 2012 02:32:16 UTC