RE: RE: FW: Deciding Exceptions (ISSUE-23, ISSUE-24, ISSUE-25, ISSUE-31, ISSUE-34, ISSUE-49)

Hi Team,

enclosed is an off-the-list email exchange I had with Shane some days
ago.
We felt that it might be interesting to re-post our thoughts to the
wider audience.

Regards,
matthias & shane

-------- Original Message --------
Subject: RE: FW: Deciding Exceptions (ISSUE-23, ISSUE-24, ISSUE-25,
ISSUE-31, ISSUE-34, ISSUE-49)
Date: Sun, 12 Feb 2012 15:26:31 -0800
From: Shane Wiley <wileys@yahoo-inc.com>
To: Matthias Schunter <mts@zurich.ibm.com>

Matthias,

Thank you for the response.  I think we're quickly approaching a
consensus point on the larger issues - at least at the 80/20 mark.

On your specific issues:

[Matthias] it would be nice if we can incentivize privacy-enhancing
technologies (SHOULD/MAY)
[Shane]  Agree - this is why I believe it should remain a SHOULD to
help drive large players to develop open source tech in this area.

[Matthias] Some statements should be made about collection. It is a
concern if the data stored across all servers can easily be used to
recreate all profiles once the company has a new CEO or is acquired.
[Shane]  Bad Actors - if a new CEO comes on board or a company is
acquired, per its privacy policy statements it could not use data
previously collected with the DNT signal to build profiles.  To do so
would be a breach of the privacy policy under which the data was
collected.  This would be illegal in both the US and EU (and most
other jurisdictions).  By requiring (MUST) companies to state their
compliance in their privacy policies, we setup the conditions such
that a bad actor will be legally liable for compliance.

[Matthias] I do not know what best to say about collection but just
saying "collect whatever you like" does not do the job. At least
something like "SHOULD collect only data actually needed" would be
nice + retention / use / sharing limitations.
[Shane]  I would go further to state companies that collect data for
operational purpose exceptions MUST employ data minimization standards
AND state this publicly to set up legal liability for their attestations.

[Matthias] I need to rely on guidance what limitations are efficiently
doable on a global scale (-> MUST) and what are sometimes difficult to
do (->SHOULD).
[Shane]  I'm doing my best to provide this to the group.   If we keep
a shared goal of rapid, mass market adoption, I'm hopeful that the
positions that focus only on privacy (and less on cost of
implementation) will not be seen as being in the 80 part of the 80/20. :-)

Thank you,
Shane

Received on Tuesday, 21 February 2012 17:24:13 UTC