Re: Mandatory Legal Process (ACTION-57, ISSUE-28) from Tom Lowenthal on 2012-01-25 (public-tracking@w3.org from January 2012)

From: Tom Lowenthal <tom@mozilla.com>
Date: Wed, 25 Jan 2012 19:50:09 +0100
To: Jonathan Mayer <jmayer@stanford.edu>
CC: David Singer <singer@apple.com>, "public-tracking@w3.org" <public-tracking@w3.org>, Shane Wiley <wileys@yahoo-inc.com>
Message-ID: <4F204EE1.8090806@mozilla.com>
I think that Jonathan's proposal makes much more sense when considered 
form the perspective of the user, and their threat model regarding 
their data. When they switch on DNT, they're trying to limit their data 
going to third parties. If we permit third parties to collect some data 
anyway, this third-party data isn't meaningfully accounted for in the 
user's mental model of where their data is. If it wanders off, they 
should be alerted about it.

It's an additional safeguard on data collected by third parties. If 
you're a third party then your data collection is significantly limited 
by DNT: you can only collect it for certain enumerated purposes, you 
have to engage in minimization and sometimes reasonable technical or 
operational precautions. This is just another defense that users' get 
for third-party data collection.

However, I do agree with you Shane that the addition of this 
responsibility just for legal process is a little odd. It would 
probably make more sense to apply this to involuntary data disclosure 
of any form, whether through legal process or a data breach. I further 
agree with Sean that this is a new provision, and should probably get 
an issue, and some time on the call. On the plus side, we basically 
already have draft text!

On Wed 25 Jan 2012 07:25:40 PM CET, Jonathan Mayer wrote:
> Some relevant U.S. legal background: web tracking may soon fall within the Fourth Amendment's compelled disclosure rules.
>
> From Justice Sotomayor's concurrence in United States v. Jones:
>
> More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. E.g., Smith, 442 U. S., at 742; United States v. Miller, 425 U. S. 435, 443 (1976). This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. Perhaps, as Justice Alito notes, some people may find the tradeoff of privacy for convenience worthwhile, or come to accept this diminution of privacy as inevitable, post, at 10, and perhaps not. I for one doubt that people would accept without complaint the warrantle
ss disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year.
>
> On Jan 25, 2012, at 7:22 PM, Jonathan Mayer wrote:
>
>> The text I've proposed addresses web information practices for DNT users.  By all means argue why organizations shouldn't inform their users of compelled disclosure, but I think this text is unambiguously within the working group's scope.
>>
>> On Jan 25, 2012, at 7:15 PM, Shane Wiley wrote:
>>
>>> I believe attempts to "add on" to the party responsibilities within legal process "outside of the DNT standard" is outside of scope of the working group.  Instead I would suggest the preamble of each document simply state "this standard is not intended to override local, state, or country law."
>>>
>>> - Shane
>>>
>>> -----Original Message-----
>>> From: Tom Lowenthal [mailto:tom@mozilla.com] 
>>> Sent: Wednesday, January 25, 2012 7:11 PM
>>> To: David Singer; public-tracking@w3.org
>>> Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
>>>
>>> I don't think we need anything apart from Jonathan's text. I'd argue that for process applied to data collected in a third party capacity, notification is a must; for first party data, a should; and for any breach where you must notify some users, you must notify all users.
>>>
>>> On Wed 25 Jan 2012 06:43:06 PM CET, David Singer wrote:
>>>>
>>>> On Jan 25, 2012, at 16:12 , Jonathan Mayer wrote:
>>>>
>>>>> Proposed text:
>>>>>
>>>>> A party MAY take action contrary to the requirements of this standard if compelled by mandatory legal process.  To the extent allowed by law, the party MUST (SHOULD? MAY? non-normative?) notify affected users.
>>>>
>>>> which means we need a 'legal exception'?
>>>>
>>>>
>>>>
>>>> David Singer
>>>> Multimedia and Software Standards, Apple Inc.
>>>>
>>>>
>>>
>>
>
>
Received on Wednesday, 25 January 2012 18:51:18 UTC