RE: Request for thoughts: US, EU, and international DNT

Thanks Aleecia. Following your encouragement this morning, I'm sharing my questions and concerns on the proposal below.

First of all, I read parts of the proposal below ("In some of the EU, no DNT signal gets viewed as "users did not consent to tracking" and treated as DNT: 1.") as the technical specification stating that the default should be DNT:1 - at least for some users. I thought that we had agreed at our Boston F2F<https://www.w3.org/2011/tracking-protection/track/issues/4/edit> (day one) that standards as to whether the default setting for DNT should be ON or OFF are out of scope for this technical working group. Instead, we have been focusing our discussions on DNT as an avenue to express the choice or preference of the user, as nicely expressed by Sid Stamm here<http://blog.mozilla.com/privacy/2011/11/09/dnt-cannot-be-default/>. The Buhr slides you cite (very interesting, thanks for passing them on) also note that "unset DNT" is an open issue possibly solved by additional user prompts and education, rather than suggesting that DNT should be assumed to be ON. Can you help me understand how this discussion will not end up in a place where we are recommending default settings depending on the geographic location of the user?

Secondly, I'm concerned that we are again trying to solve legal issues in a technical specification.  In our Santa Clara F2F<http://www.w3.org/2011/11/01-dnt-minutes.html> (day two), we raised the issue of specific legal compliance/adherence and appeared to agree that it could be a consideration for adopting companies, but that a requirement of adherence to various national laws should not be a deliverable of the technical specification.  Are there other technical specifications that include compliance with specific national laws?  Is there a reason to revisit those discussions in Santa Clara and elsewhere? What if countries have not implemented the ePrivacy directive yet, or explained how they interpret the regulation?

Finally, I am concerned that we have many unresolved technical issues, and I believe that it would be more effective to concentrate on those items, rather than delve deeper into legal and policy issues - even on a non-normative basis - that regulators and commissioners are still resolving in the EU.

Thanks,

Amy



From: Aleecia M. McDonald [mailto:aleecia@aleecia.com]
Sent: Tuesday, January 10, 2012 2:26 AM
To: Tracking Protection Working Group WG
Subject: Request for thoughts: US, EU, and international DNT

Greetings,

I've been giving some thought to how we can make our work relevant in the EU and US, despite some strong differences. Nations have borders but the Internet does not. How can we support different regional cultures, norms, and laws on the Internet? I am putting this out as some things to think about and discuss further.

Here are a few of my starting assumptions:

* In the US, a first v. third party distinction is very important to businesses.
  In many (but not all) EU countries, first party is not an interesting or meaningful way to look at things.
* Key word in Europe: Consent
    - Users who do not consent to data practices must have their privacy protected.
    - A global consent may not be sufficient; consent must be particular to a company and to a description of data use (in at least some countries)
    - We should at least address Article 5(3) of the 2002 ePrivacy Directive [1]
    - There is wide interest in finding a way to implement the revised framework of the Article 5(3) ePrivacy Directive without a deeply painful (on business or users) implementation, and DNT may help [2]
    - The exemptions we consider would not be valid in the EU without specific consent [3]
* Key word in US: Choice
    - Users who choose to interact with a site do not need as much privacy protection as they do from sites they do not choose to interact with
    - We should at least fulfill the requirements for DNT set out in the FTC staff report [4]
    - We should co-exist with existing industry self-regulation mechanisms [5]

Here are three areas where I think we can have a uniform underlying technical standard that is flexible enough to accommodate different national and regional policy priorities:

(A) As we have discussed, a tri-part DNT signal. DNT: 1 means enable DNT, DNT: 0 means do not enable DNT, and nothing sent means users have not made a selection.
    In the US, no DNT signal gets viewed as "users did not choose to enable DNT" and treated as DNT: 0.
    In some of the EU, no DNT signal gets viewed as "users did not consent to tracking" and treated as DNT: 1.
(B) In the US, site-specific exceptions will allow users to "opt back in" for specific first and third party pairs (perhaps along the lines of what Shane and Nick co-authored). In the EU, some (but not all) countries will require consent on a site-by-site basis, rather than a global "DNT: 0" signal or no DNT signal at all. The site-specific exemptions mechanism becomes the path to enable users to consent per site.
(C) In the US, first parties have minimal responsibilities when receiving a DNT: 1 signal (perhaps along the lines of what Jonathan and Tom co-authored). In some (but not all) EU countries, there may be nothing that applies globally to all first and third parties, (and more to the point, the data controller) perhaps making the first/third party distinction irrelevant.

I think this could be good enough in enough different ways for enough different interests. I'd like to hear other reactions. Does anyone have better or simpler ideas? Is this still too US-centric to work in Europe?

If we find something we think will work, we could add a non-normative section to one of the specifications, or we could issue a note. Either way, I think specifications shouldn't be hard-coded to specific regulations and laws. However, since I think this approach could be confusing to those implementing the specification, I would like to give implementors a fighting chance by providing our opinions (and not legal advice!) with pointers to additional information. How does this approach sound?

And last but not least: any volunteers to work on these topics?

            Aleecia

Thanks to a few TPWG members for taking time to step me through some of the issues here. All mistakes are, of course, my own. Citations and useful reading:

[1] For the before & after versions of 5(3), see [7], p 7
[2] See slides from Carl Christian Buhr, a member of Commissioner Kroes' Cabinet (European Commission), particularly slides 11-13, suggesting DNT could satisfy 5(3): http://www.slideshare.net/ccbuhr/20111206-buhr-cookieconundrum
[3] As per 5(3), "Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user" is a given, but are other exemptions allowed? Recital 25 reads to me as: yes with consent, and no without consent. For example, billing for ad impressions is not part of the service explicitly requested, and seems to require informed consent. See [7], p 8
[4] FTC staff report, starting p 63, http://www.ftc.gov/os/2010/12/101201privacyreport.pdf
[5] In particular, it would be unfortunate if DNT off with an opt-out cookie was interpreted one way by self-regulatory bodies, and another way in the DNT recommendations. We likely will reach different end points than the self-regulation guidelines, but they remain a very fruitful source of background information, including the recent multi-site data principles (http://www.aboutads.info/msdprinciples) and the OBA principles (http://www.aboutads.info/obaprinciples).
[6] A very readable summary of [7] discussing where industry self-regulation is seen to fall short of 5(3): http://www.edri.org/edrigram/number9.17/article-29-oba-industry-cookie
[7] The actual report itself: ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20111215_press_release_oba_final.pdf<http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20111215_press_release_oba_final.pdf> (COCOM10-34, Implementation of the revised Framework- Article 5(3) of the ePrivacy Directive)
[8] The whole text is worth at least skimming, including a brief note on children under 12. In particular the section on consent for cookies starting on p 8, and examples of consent not using pop ups on p 9: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp188_en.pdf

Received on Thursday, 12 January 2012 00:06:45 UTC