RE: Mandatory Legal Process (ACTION-57, ISSUE-28)


I don't disagree with Justice Sotomayor's general points in this case - and would argue modifications to both ECPA and the Patriot Act will achieve the desired outcome in the US context.  But until then, I don't believe the DNT Specification is the correct location to try to solve those legally specific issues.

- Shane

From: Jonathan Mayer
Sent: Wednesday, January 25, 2012 7:26 PM
To: Shane Wiley
Cc: Tom Lowenthal; David Singer;
Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)

Some relevant U.S. legal background: web tracking may soon fall within the Fourth Amendment's compelled disclosure rules.

From Justice Sotomayor's concurrence in United States v. Jones:

More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. E.g., Smith, 442 U. S., at 742; United States v. Miller, 425 U. S. 435, 443 (1976). This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. Perhaps, as Justice Alito notes, some people may find the tradeoff of privacy for convenience worthwhile, or come to accept this diminution of privacy as inevitable, post, at 10, and perhaps not. I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year.

On Jan 25, 2012, at 7:22 PM, Jonathan Mayer wrote:

The text I've proposed addresses web information practices for DNT users.  By all means argue why organizations shouldn't inform their users of compelled disclosure, but I think this text is unambiguously within the working group's scope.

On Jan 25, 2012, at 7:15 PM, Shane Wiley wrote:

I believe attempts to "add on" to the party responsibilities within legal process "outside of the DNT standard" are outside the scope of the working group.  Instead I would suggest the preamble of each document simply state "this standard is not intended to override local, state, or country law."

- Shane

-----Original Message-----
From: Tom Lowenthal
Sent: Wednesday, January 25, 2012 7:11 PM
To: David Singer;
Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)

I don't think we need anything apart from Jonathan's text. I'd argue that for process applied to data collected in a third party capacity, notification is a must; for first party data, a should; and for any breach where you must notify some users, you must notify all users.

On Wed 25 Jan 2012 06:43:06 PM CET, David Singer wrote:

On Jan 25, 2012, at 16:12 , Jonathan Mayer wrote:

Proposed text:

A party MAY take action contrary to the requirements of this standard if compelled by mandatory legal process.  To the extent allowed by law, the party MUST (SHOULD? MAY? non-normative?) notify affected users.

which means we need a 'legal exception'?

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Wednesday, 25 January 2012 18:33:29 UTC