- From: Christopher Soghoian <chris@soghoian.net>
- Date: Tue, 31 Jan 2012 18:40:19 +0100
- To: public-tracking@w3.org
Hi all,

Apologies for my lateness in responding to this issue - I am not on the DNT list.

A few days ago, Amy Colando from Microsoft wrote the following to this list:

"As a very realistic example, not only are entities required to comply with potentially differing breach notification laws, but in some cases are subject to legal subpoenas (as for example in cases of child pornography investigations) where disclosure to the subject is expressly prohibited by the terms of the subpoena."

I know that several people involved in this W3C effort are not lawyers (even though there appear to be quite a few involved), so I just want to clarify the state of US law for those who might not be experts in ECPA.

A subpoena cannot prohibit disclosure by the ISP to the user whose data has been requested. If the government wishes to use a subpoena to get user data and doesn't want the user to be told, they can seek an order under 18 USC 2705(b), but then an independent judge will have to issue this order (as compared to a subpoena, which often is not issued by a judge).

With regard to legal process and DNT, I would like to see a situation in which recipients of the DNT header are obligated to inform users that they will not respect the DNT header due to some form of legal process, unless they are also prohibited from telling the user due to a court order of some kind.

The reason I propose this is that, just because companies are _permitted_ to tell users when they receive a subpoena for their data, they are under no obligation under US law to do so. Some companies, like Twitter, choose to tell users. Many other firms, which, I suspect, include Microsoft, as a matter of policy do not tell users about such requests.

Thanks,
Chris
Received on Tuesday, 31 January 2012 17:46:37 UTC