Re: Deciding Exceptions (ISSUE-23, ISSUE-24, ISSUE-25, ISSUE-31, ISSUE-34, ISSUE-49)

On Feb 9, 2012, at 11:51 AM, Jonathan Mayer wrote:

> Some advertising companies won't budge on "operational uses," and some privacy advocates won't accept use-based exceptions.  I don't see another way to resolve this impasse.  If you do, I'm listening.

If an impasse is at hand, objections are raised and we examine what
objections are strongest.  "I have an opinion" is always less of an
objection than "I won't implement this", because the entire purpose of
W3C Recommendations is to reach agreement on what participants are
willing to implement as the standard.

The other side of the balance is the impact of the standard after
it has been implemented.  If regulators (presumably informed by
privacy advocates) determine that implementation of the standard
is not sufficient to satisfy the social need, then they may impose
additional regulations or suggest further changes to the standards
that, when implemented, would make them sufficient.

The good actor companies will implement fixes to specific privacy
vulnerabilities when they are identified, and to specific regulations
when they are in force, regardless of the content of the standard.

Judging from my personal discussions with regulators, I would not
say that data collection constraints are a significant concern.
Data sharing (on purpose or by failure to handle it properly) is
the primary concern.  Data retention beyond that necessary to
support user-consented operational uses, or in a form that is
unnecessary to support operational uses, is a concern.
Obtaining specific and informed consent is a concern.

Violating the terms of consent is not that much of a concern for
the standards because regulators have existing laws that allow
for prosecution of those cases.

I'd love it if we could focus on actual concerns -- problems that
we know exist and can try to solve -- instead of opinions.  If you
have an opinion, that's great: Be sure it is shared with the rest
of the group, but do not expect it to be the basis of the standard
unless we have consensus on that opinion and understand that the
rest of the WG is not here just to satisfy your opinion.

This WG does not exist to be a negotiation between privacy advocates
and implementers.  We are here to find and specify solutions that the
technology companies are willing to implement.  We need privacy advocates
to propose solutions, poke holes in other solutions, and inform us all
when a solution is not sufficient to adequately address some specific
privacy need that the rest of us might not even be thinking about.

If no agreement is reached, the implementers ultimately determine
what the standard contains (or do not implement it at all) and
outside organizations (e.g., NGOs and regulators) determine whether an
implementation of the standard is sufficient to satisfy the social need.


Received on Thursday, 9 February 2012 21:49:52 UTC