RE: Mandatory Legal Process (ACTION-57, ISSUE-28)


I look forward to broader discussion on this issue.  In many jurisdictions we already have both legal process disclosure and security breach laws and I don't believe the DNT Specification is the appropriate location for use to somehow alter a parties responsibilities in those matters.  It honestly feels like an overreach (but a well intended one).

- Shane

-----Original Message-----
From: Tom Lowenthal [] 
Sent: Wednesday, January 25, 2012 7:50 PM
To: Jonathan Mayer
Cc: David Singer;; Shane Wiley
Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)

I think that Jonathan's proposal makes much more sense when considered form the perspective of the user, and their threat model regarding their data. When they switch on DNT, they're trying to limit their data going to third parties. If we permit third parties to collect some data anyway, this third-party data isn't meaningfully accounted for in the user's mental model of where their data is. If it wanders off, they should be alerted about it.

It's an additional safeguard on data collected by third parties. If you're a third party then your data collection is significantly limited by DNT: you can only collect it for certain enumerated purposes, you have to engage in minimization and sometimes reasonable technical or operational precautions. This is just another defense that users' get for third-party data collection.

However, I do agree with you Shane that the addition of this responsibility just for legal process is a little odd. It would probably make more sense to apply this to involuntary data disclosure of any form, whether through legal process or a data breach. I further agree with Sean that this is a new provision, and should probably get an issue, and some time on the call. On the plus side, we basically already have draft text!

On Wed 25 Jan 2012 07:25:40 PM CET, Jonathan Mayer wrote:
> Some relevant U.S. legal background: web tracking may soon fall within the Fourth Amendment's compelled disclosure rules.
> From Justice Sotomayor's concurrence in United States v. Jones:
> More fundamentally, it may be necessary to reconsider the premise that 
> an individual has no reasonable expectation of privacy in information 
> voluntarily disclosed to third parties. E.g., Smith, 442 U. S., at 
> 742; United States v. Miller, 425 U. S. 435, 443 (1976). This approach 
> is ill suited to the digital age, in which people reveal a great deal 
> of information about themselves to third parties in the course of 
> carrying out mundane tasks. People disclose the phone numbers that 
> they dial or text to their cellular providers; the URLs that they 
> visit and the e-mail addresses with which they correspond to their 
> Internet service providers; and the books, groceries, and medications 
> they purchase to online retailers. Perhaps, as Justice Alito notes, 
> some people may find the tradeoff of privacy for convenience 
> worthwhile, or come to accept this diminution of privacy as 
> inevitable, post, at 10, and perhaps not. I for one doubt that people 
> would accept without complaint the warrantle
ss disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year.
> On Jan 25, 2012, at 7:22 PM, Jonathan Mayer wrote:
>> The text I've proposed addresses web information practices for DNT users.  By all means argue why organizations shouldn't inform their users of compelled disclosure, but I think this text is unambiguously within the working group's scope.
>> On Jan 25, 2012, at 7:15 PM, Shane Wiley wrote:
>>> I believe attempts to "add on" to the party responsibilities within legal process "outside of the DNT standard" is outside of scope of the working group.  Instead I would suggest the preamble of each document simply state "this standard is not intended to override local, state, or country law."
>>> - Shane
>>> -----Original Message-----
>>> From: Tom Lowenthal []
>>> Sent: Wednesday, January 25, 2012 7:11 PM
>>> To: David Singer;
>>> Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
>>> I don't think we need anything apart from Jonathan's text. I'd argue that for process applied to data collected in a third party capacity, notification is a must; for first party data, a should; and for any breach where you must notify some users, you must notify all users.
>>> On Wed 25 Jan 2012 06:43:06 PM CET, David Singer wrote:
>>>> On Jan 25, 2012, at 16:12 , Jonathan Mayer wrote:
>>>>> Proposed text:
>>>>> A party MAY take action contrary to the requirements of this standard if compelled by mandatory legal process.  To the extent allowed by law, the party MUST (SHOULD? MAY? non-normative?) notify affected users.
>>>> which means we need a 'legal exception'?
>>>> David Singer
>>>> Multimedia and Software Standards, Apple Inc.

Received on Wednesday, 25 January 2012 18:58:09 UTC