W3C home > Mailing lists > Public > public-tracking@w3.org > January 2012

Re: Mandatory Legal Process (ACTION-57, ISSUE-28)

From: Joanne Furtsch <jfurtsch@truste.com>
Date: Wed, 25 Jan 2012 20:46:36 -0800
To: MeMe Rasmussen <meme@adobe.com>, "Amy Colando (LCA)" <acolando@microsoft.com>
CC: Shane Wiley <wileys@yahoo-inc.com>, Tom Lowenthal <tom@mozilla.com>, Jonathan Mayer <jmayer@stanford.edu>, David Singer <singer@apple.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <CB461743.27B56%jfurtsch@truste.com>
Another +1 to Shane and Amy.  Shane's recommendation makes sense - adding
some language to the preamble as to what the standard does not intend do.
On 1/25/12 11:26 AM, "MeMe Rasmussen" <meme@adobe.com> wrote:

>+1 to Shane and Amy.  I actually don't even think we need Shane's
>language.  It goes without saying that parties should comply with the law
>and that a standard wouldn't override law.  I don't have a problem saying
>it. I just think it is unnecessary. I tend to be a proponent if less is
>Sent with my thumbs. Please excuse typos.
>On Jan 25, 2012, at 7:13 PM, "Amy Colando (LCA)" <acolando@microsoft.com>
>> I agree with Shane that the text should simply state that there may be
>>legal requirements that this standard is not intended to override.
>> As a very realistic example, not only are entities required to comply
>>with potentially differing breach notification laws, but in some cases
>>are subject to legal subpoenas (as for example in cases of child
>>pornography investigations) where disclosure to the subject is expressly
>>prohibited by the terms of the subpoena.
>> I recommend strongly that we stick to the technical standards necessary
>>for interpreting the DNT signal without attempting to overwrite state
>>and federal laws (and in a very timely manner, EU directives) on data
>>breach and required disclosures.  The more additional legal requirements
>>we hitch to this standard, the more complex and daunting the
>>implementation becomes for websites.
>> -----Original Message-----
>> From: Shane Wiley [mailto:wileys@yahoo-inc.com]
>> Sent: Wednesday, January 25, 2012 10:57 AM
>> To: Tom Lowenthal; Jonathan Mayer
>> Cc: David Singer; public-tracking@w3.org
>> Subject: RE: Mandatory Legal Process (ACTION-57, ISSUE-28)
>> Tom,
>> I look forward to broader discussion on this issue.  In many
>>jurisdictions we already have both legal process disclosure and security
>>breach laws and I don't believe the DNT Specification is the appropriate
>>location for use to somehow alter a parties responsibilities in those
>>matters.  It honestly feels like an overreach (but a well intended one).
>> - Shane
>> -----Original Message-----
>> From: Tom Lowenthal [mailto:tom@mozilla.com]
>> Sent: Wednesday, January 25, 2012 7:50 PM
>> To: Jonathan Mayer
>> Cc: David Singer; public-tracking@w3.org; Shane Wiley
>> Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
>> I think that Jonathan's proposal makes much more sense when considered
>>form the perspective of the user, and their threat model regarding their
>>data.. When they switch on DNT, they're trying to limit their data going
>>to third parties. If we permit third parties to collect some data
>>anyway, this third-party data isn't meaningfully accounted for in the
>>user's mental model of where their data is. If it wanders off, they
>>should be alerted about it.
>> It's an additional safeguard on data collected by third parties. If
>>you're a third party then your data collection is significantly limited
>>by DNT: you can only collect it for certain enumerated purposes, you
>>have to engage in minimization and sometimes reasonable technical or
>>operational precautions. This is just another defense that users' get
>>for third-party data collection.
>> However, I do agree with you Shane that the addition of this
>>responsibility just for legal process is a little odd. It would probably
>>make more sense to apply this to involuntary data disclosure of any
>>form, whether through legal process or a data breach. I further agree
>>with Sean that this is a new provision, and should probably get an
>>issue, and some time on the call. On the plus side, we basically already
>>have draft text!
>> On Wed 25 Jan 2012 07:25:40 PM CET, Jonathan Mayer wrote:
>>> Some relevant U.S. legal background: web tracking may soon fall within
>>>the Fourth Amendment's compelled disclosure rules.
>>> From Justice Sotomayor's concurrence in United States v. Jones:
>>> More fundamentally, it may be necessary to reconsider the premise that
>>> an individual has no reasonable expectation of privacy in information
>>> voluntarily disclosed to third parties. E.g., Smith, 442 U. S., at
>>> 742; United States v. Miller, 425 U. S. 435, 443 (1976). This approach
>>> is ill suited to the digital age, in which people reveal a great deal
>>> of information about themselves to third parties in the course of
>>> carrying out mundane tasks. People disclose the phone numbers that
>>> they dial or text to their cellular providers; the URLs that they
>>> visit and the e-mail addresses with which they correspond to their
>>> Internet service providers; and the books, groceries, and medications
>>> they purchase to online retailers. Perhaps, as Justice Alito notes,
>>> some people may find the tradeoff of privacy for convenience
>>> worthwhile, or come to accept this diminution of privacy as
>>> inevitable, post, at 10, and perhaps not. I for one doubt that people
>>> would accept without complaint the warrantle
>> ss disclosure to the Government of a list of every Web site they had
>>visited in the last week, or month, or year.
>>> On Jan 25, 2012, at 7:22 PM, Jonathan Mayer wrote:
>>>> The text I've proposed addresses web information practices for DNT
>>>>users.  By all means argue why organizations shouldn't inform their
>>>>users of compelled disclosure, but I think this text is unambiguously
>>>>within the working group's scope.
>>>> On Jan 25, 2012, at 7:15 PM, Shane Wiley wrote:
>>>>> I believe attempts to "add on" to the party responsibilities within
>>>>>legal process "outside of the DNT standard" is outside of scope of
>>>>>the working group.  Instead I would suggest the preamble of each
>>>>>document simply state "this standard is not intended to override
>>>>>local, state, or country law."
>>>>> - Shane
>>>>> -----Original Message-----
>>>>> From: Tom Lowenthal [mailto:tom@mozilla.com]
>>>>> Sent: Wednesday, January 25, 2012 7:11 PM
>>>>> To: David Singer; public-tracking@w3.org
>>>>> Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
>>>>> I don't think we need anything apart from Jonathan's text. I'd argue
>>>>>that for process applied to data collected in a third party capacity,
>>>>>notification is a must; for first party data, a should; and for any
>>>>>breach where you must notify some users, you must notify all users.
>>>>> On Wed 25 Jan 2012 06:43:06 PM CET, David Singer wrote:
>>>>>> On Jan 25, 2012, at 16:12 , Jonathan Mayer wrote:
>>>>>>> Proposed text:
>>>>>>> A party MAY take action contrary to the requirements of this
>>>>>>>standard if compelled by mandatory legal process.  To the extent
>>>>>>>allowed by law, the party MUST (SHOULD? MAY? non-normative?) notify
>>>>>>>affected users.
>>>>>> which means we need a 'legal exception'?
>>>>>> David Singer
>>>>>> Multimedia and Software Standards, Apple Inc.
>Confidentiality Notice: The contents of this e-mail (including any
>attachments) may be confidential to the intended recipient, and may
>contain information that is privileged and/or exempt from disclosure
>under applicable law. If you are not the intended recipient, please
>immediately notify the sender and destroy the original e-mail and any
>attachments (and any copies that may have been made) from your system or
>otherwise. Any unauthorized use, copying, disclosure or distribution of
>this information is strictly prohibited. <ACL>
Received on Thursday, 26 January 2012 04:47:15 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:38:30 UTC