- From: John Simpson <john@consumerwatchdog.org>
- Date: Thu, 9 Feb 2012 21:16:36 -0800
- To: Mike Zaneis <mike@iab.net>
- Cc: Lee Tien <tien@eff.org>, Shane Wiley <wileys@yahoo-inc.com>, Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, JC Cannon <jccannon@microsoft.com>
Call me a starry eyed optimist, but I am hard pressed to see where the working group is anywhere near impasse. Seems to me that under the guidance of our two talented and knowledgeable co-chairs we are making real progress. We are getting issues on the table and will, I suspect, reach consensus. That is my goal. I don' t understand how anything about that process is " absurd." Moreover, to my admittedly inexperienced eye when it comes to agreeing standards specifications, I am of the view that the W3C staff is playing precisely the right role. But then, it could well be the case that I am a naive idiot. It would hardly be the first time that was the case as my wife and daughters remind me ... ---------------- John M. Simpson Consumer Advocate Consumer Watchdog Tel: 310-392-7041 On Feb 9, 2012, at 6:55 PM, Mike Zaneis <mike@iab.net> wrote: > I am afraid that the group's discussion is veering into the realm of the absurd. Over the past 2 weeks I have seen legislative bills, draft regulations, dicta in concurring legal opinions, and statements from legislators and regulators presented as support for what this group should or should not do - on both sides. Generally, I think we can all agree that in Europe industry was steamrolled some 15 years ago with essentially an opt in requirement (which has never been enforced) while in the U.S. the privacy advocates have been rebuked and there is no general legal requirement on notice and choice for these types of data practices. Therefore, this group has come together to try and find a middle ground that helps advance consumer privacy. We will never achieve a standard that satisfies "regulators", because the global viewpoints are too varied. > > Moving forward, I would call upon the W3C staff to take control of this process to address the key issues that are holding us up. If Jonathan Myer is correct, and we have reached an impasse on key issues such as exceptions, data retention, and possibly first party data practices, then we need the leadership of the W3C to step in and either resolve these issues or decide the next steps for the group. Continuing to go round and round on these issues is not productive and the Working Group has already delayed too many key decisions to keep "kicking the can down the street". > > I would also hope that we would heed Roy's prime objective expressed earlier tonight - adoption/implementation. This process will prove a colossal failure, no matter what the group produces, if there is not near universal implementation several years after adoption of a standard. I hope we are not wasting our time so certain interests can develop a document for mere publicity and advocacy sake. I hope we are all here to help advance consumer privacy and not our personal political agendas. > > Mike Zaneis > SVP and General Counsel, IAB > (202) 253-1466 > > ________________________________________ > From: Lee Tien [tien@eff.org] > Sent: Thursday, February 09, 2012 7:01 PM > To: Shane Wiley > Cc: John Simpson; Rigo Wenning; public-tracking@w3.org; JC Cannon > Subject: Re: ACTION-75: Write-up a hybrid of Do Not Profile and Do Not Cross-Site Track > > Shane, > > I don't know the current time spans, but this blog post suggests that > 18 months is quite a long starting point for thinking about a > retention standard. > > http://michaelzimmer.org/2010/01/19/microsoft-to-delete-ip-addresses-from-bing-search-logs-after-6-months/ > > Even HR 1981, which if enacted would mandate data retention for > commercial providers, was amended to 12 months. > > Also, I'm now uncertain about Yahoo!'s policy. I'd thought that > > [quote] > > Under Yahoo’s new policy, the company will strip out portions of > users’ IP addresses, alter small tracking files known as ”cookies” and > delete other potential personally identifiable information after 90 > days in most cases. In cases involving fraud and data security, the > company will anonymize the data after six months. > Sunnyvale, Calif.-based Yahoo also said it will expand the scope of > data that it anonymizes to encompass not only search engine logs, but > also page views, page clicks, ad views and ad clicks. That information > is used to personalize online content and advertising. > > Yahoo will begin implementing the new policy next month and says it > will be effective across all the company’s services by mid-2010. > > [end quote] > > http://michaelzimmer.org/2008/12/17/yahoo-to-anonymize-data-after-90-days/ > > I don't track this stuff regularly, though, so I might be missing > something really obvious here. > > Lee > > PS What one means by "anonymization" is of course a separate issue. > > > > > On Feb 9, 2012, at 1:08 PM, Shane Wiley wrote: > >> John, >> >> The IP Address is only one field within a log file though. Yahoo! >> is anonymize at 6 months. J >> >> - Shane >> >> From: John Simpson [mailto:john@consumerwatchdog.org] >> Sent: Thursday, February 09, 2012 11:44 AM >> To: Shane Wiley >> Cc: Rigo Wenning; public-tracking@w3.org; JC Cannon >> Subject: Re: ACTION-75: Write-up a hybrid of Do Not Profile and Do >> Not Cross-Site Track >> >> Doesn't Microsoft delete IP addresses after six months? Google >> "anonymize" after nine months? And yahoo "anonymize" after 90 days? >> >> On Feb 9, 2012, at 9:16 AM, Shane Wiley wrote: >> >> >> If we're going to use arbitrary time spans for retention, I would >> recommend that we leverage 18 months as the standard. This is the >> time Google, MSFT, and Yahoo! currently use for search logs and have >> shared this policy with all of the EU DPAs and A29WP. As the >> advocates in this working group will likely share the perspective of >> wanting this to be lower in common with EU DPAs, it's a helpful >> starting point. Otherwise we can stop using arbitrary numbers and >> leverage minimization principles instead - which I personally >> believe are the better standard to apply to varied business models >> and can stand the test of time and innovation. >> >> - Shane >> >> -----Original Message----- >> From: Rigo Wenning [mailto:rigo@w3.org] >> Sent: Thursday, February 09, 2012 9:06 AM >> To: public-tracking@w3.org >> Cc: JC Cannon >> Subject: Re: ACTION-75: Write-up a hybrid of Do Not Profile and Do >> Not Cross-Site Track >> >> I concur JC, >> >> On Tuesday 07 February 2012 18:51:27 JC Cannon wrote: >> >> It seems that we are still conflating collection with receipt of >> logs by a >> server and processing of those logs for placement in a profile or >> otherwise. >> >> I believe we all agreed that web servers must be able to receive >> logs in >> order for the Internet to work as it does. I would like to propose >> that the >> mere receipt of logs by a web server should not be considered >> collection or >> be constrained by the rules of collection. >> >> However, any processing of the logs should be considered collection >> and be >> governed by our DNT standard. >> >> Inasmuch as the logs will include a DNT signal, any retention policy >> that >> comes out of our standard should apply to those logs. >> >> Whereas 22 of the ePrivacy Directive says: >> >> The prohibition of storage of communications and the related traffic >> data by >> persons other than the users or without their consent is not >> intended to >> prohibit any automatic, intermediate and transient storage of this >> information >> in so far as this takes place for the sole purpose of carrying out the >> transmission in the electronic communications network and provided >> that the >> information is not stored for any period longer than is necessary >> for the >> transmission and for traffic management purposes, and that during >> the period of >> storage the confidentiality remains guaranteed. Where this is >> necessary for >> making more efficient the onward transmission of any publicly >> accessible >> information to other recipients of the service upon their request, >> this >> Directive should not prevent such information from being further >> stored, >> provided that this information would in any case be accessible to >> the public >> without restriction and that any data referring to the individual >> subscribers >> or users requesting such information are erased. >> >> As long as we talk about some defaults for retention and logging for >> the >> purpose of carrying out the communication, we shouldn't prevent >> logging. I >> think our task is beyond. We MAY give some hint when we believe >> those logs are >> not necessary anymore. >> >> So while writing logs is collection of data, we may declare normal >> web logs >> out of scope as long as they do not serve to build profiles and as >> long as they >> have some expiry set. (One may be as scared about logs that last >> forever then >> I would be scared about profile creation) >> >> Consequently, a third party that is not in an outsourcing context >> may not >> collect data beyond normal web logs and should anonymize or erase >> those logs >> after 60 Days (just to throw in some arbitrary count) This would be my >> suggestion. >> >> Best, >> >> Rigo >> >> >> >> ---------- >> John M. Simpson >> Consumer Advocate >> Consumer Watchdog >> 1750 Ocean Park Blvd. ,Suite 200 >> Santa Monica, CA,90405 >> Tel: 310-392-7041 >> Cell: 310-292-1902 >> www.ConsumerWatchdog.org >> john@consumerwatchdog.org >> > >
Received on Friday, 10 February 2012 05:17:13 UTC