- From: John Simpson <john@consumerwatchdog.org>
- Date: Tue, 31 Jan 2012 11:10:51 -0800
- To: "Amy Colando (LCA)" <acolando@microsoft.com>
- Cc: Joanne Furtsch <jfurtsch@truste.com>, MeMe Rasmussen <meme@adobe.com>, Shane Wiley <wileys@yahoo-inc.com>, Tom Lowenthal <tom@mozilla.com>, Jonathan Mayer <jmayer@stanford.edu>, David Singer <singer@apple.com>, "public-tracking@w3.org" <public-tracking@w3.org>
- Message-Id: <9CEAFEED-8B59-4F1A-B004-E3EE46A0636C@consumerwatchdog.org>
Is text necessary? How could a technical specification override applicable laws and regulations? I'd say NO text.

On Jan 30, 2012, at 3:47 PM, Amy Colando (LCA) wrote:

> In order to make sure that W3C process is moving along, I am formally proposing alternative text for Issue 28 as follows:
>
> either NO text at all on this point, or text that states the fact that "this specification is not intended to override applicable laws and regulations."
>
> (Matthias, please pester me separately if this is not what you need.)
>
> -----Original Message-----
> From: Joanne Furtsch [mailto:jfurtsch@truste.com]
> Sent: Wednesday, January 25, 2012 8:47 PM
> To: MeMe Rasmussen; Amy Colando (LCA)
> Cc: Shane Wiley; Tom Lowenthal; Jonathan Mayer; David Singer; public-tracking@w3.org
> Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
>
> Another +1 to Shane and Amy. Shane's recommendation makes sense - adding some language to the preamble as to what the standard does not intend to do.
>
> On 1/25/12 11:26 AM, "MeMe Rasmussen" <meme@adobe.com> wrote:
>
>> +1 to Shane and Amy. I actually don't even think we need Shane's language. It goes without saying that parties should comply with the law and that a standard wouldn't override law. I don't have a problem saying it. I just think it is unnecessary. I tend to be a proponent of less is more.
>>
>> Sent with my thumbs. Please excuse typos.
>>
>> On Jan 25, 2012, at 7:13 PM, "Amy Colando (LCA)" <acolando@microsoft.com> wrote:
>>
>>> I agree with Shane that the text should simply state that there may be legal requirements that this standard is not intended to override.
>>>
>>> As a very realistic example, not only are entities required to comply with potentially differing breach notification laws, but in some cases are subject to legal subpoenas (as for example in cases of child pornography investigations) where disclosure to the subject is expressly prohibited by the terms of the subpoena.
>>>
>>> I recommend strongly that we stick to the technical standards necessary for interpreting the DNT signal without attempting to overwrite state and federal laws (and in a very timely manner, EU directives) on data breach and required disclosures. The more additional legal requirements we hitch to this standard, the more complex and daunting the implementation becomes for websites.
>>>
>>> -----Original Message-----
>>> From: Shane Wiley [mailto:wileys@yahoo-inc.com]
>>> Sent: Wednesday, January 25, 2012 10:57 AM
>>> To: Tom Lowenthal; Jonathan Mayer
>>> Cc: David Singer; public-tracking@w3.org
>>> Subject: RE: Mandatory Legal Process (ACTION-57, ISSUE-28)
>>>
>>> Tom,
>>>
>>> I look forward to broader discussion on this issue. In many jurisdictions we already have both legal process disclosure and security breach laws and I don't believe the DNT Specification is the appropriate location for us to somehow alter a party's responsibilities in those matters. It honestly feels like an overreach (but a well intended one).
>>>
>>> - Shane
>>>
>>> -----Original Message-----
>>> From: Tom Lowenthal [mailto:tom@mozilla.com]
>>> Sent: Wednesday, January 25, 2012 7:50 PM
>>> To: Jonathan Mayer
>>> Cc: David Singer; public-tracking@w3.org; Shane Wiley
>>> Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
>>>
>>> I think that Jonathan's proposal makes much more sense when considered from the perspective of the user, and their threat model regarding their data. When they switch on DNT, they're trying to limit their data going to third parties. If we permit third parties to collect some data anyway, this third-party data isn't meaningfully accounted for in the user's mental model of where their data is. If it wanders off, they should be alerted about it.
>>>
>>> It's an additional safeguard on data collected by third parties. If you're a third party then your data collection is significantly limited by DNT: you can only collect it for certain enumerated purposes, you have to engage in minimization and sometimes reasonable technical or operational precautions. This is just another defense that users get for third-party data collection.
>>>
>>> However, I do agree with you Shane that the addition of this responsibility just for legal process is a little odd. It would probably make more sense to apply this to involuntary data disclosure of any form, whether through legal process or a data breach. I further agree with Sean that this is a new provision, and should probably get an issue, and some time on the call. On the plus side, we basically already have draft text!
>>>
>>> On Wed 25 Jan 2012 07:25:40 PM CET, Jonathan Mayer wrote:
>>>
>>>> Some relevant U.S. legal background: web tracking may soon fall within the Fourth Amendment's compelled disclosure rules.
>>>>
>>>> From Justice Sotomayor's concurrence in United States v. Jones:
>>>>
>>>> More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. E.g., Smith, 442 U. S., at 742; United States v. Miller, 425 U. S. 435, 443 (1976). This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. Perhaps, as Justice Alito notes, some people may find the tradeoff of privacy for convenience worthwhile, or come to accept this diminution of privacy as inevitable, post, at 10, and perhaps not. I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year.
>>>>
>>>> On Jan 25, 2012, at 7:22 PM, Jonathan Mayer wrote:
>>>>
>>>>> The text I've proposed addresses web information practices for DNT users. By all means argue why organizations shouldn't inform their users of compelled disclosure, but I think this text is unambiguously within the working group's scope.
>>>>>
>>>>> On Jan 25, 2012, at 7:15 PM, Shane Wiley wrote:
>>>>>
>>>>>> I believe attempts to "add on" to the party responsibilities within legal process "outside of the DNT standard" is outside of scope of the working group. Instead I would suggest the preamble of each document simply state "this standard is not intended to override local, state, or country law."
>>>>>>
>>>>>> - Shane
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Tom Lowenthal [mailto:tom@mozilla.com]
>>>>>> Sent: Wednesday, January 25, 2012 7:11 PM
>>>>>> To: David Singer; public-tracking@w3.org
>>>>>> Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
>>>>>>
>>>>>> I don't think we need anything apart from Jonathan's text. I'd argue that for process applied to data collected in a third party capacity, notification is a must; for first party data, a should; and for any breach where you must notify some users, you must notify all users.
>>>>>>
>>>>>> On Wed 25 Jan 2012 06:43:06 PM CET, David Singer wrote:
>>>>>>
>>>>>>> On Jan 25, 2012, at 16:12 , Jonathan Mayer wrote:
>>>>>>>
>>>>>>>> Proposed text:
>>>>>>>>
>>>>>>>> A party MAY take action contrary to the requirements of this standard if compelled by mandatory legal process. To the extent allowed by law, the party MUST (SHOULD? MAY? non-normative?) notify affected users.
>>>>>>>
>>>>>>> which means we need a 'legal exception'?
>>>>>>>
>>>>>>> David Singer
>>>>>>> Multimedia and Software Standards, Apple Inc.

----------
John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd., Suite 200
Santa Monica, CA 90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org
john@consumerwatchdog.org
Received on Tuesday, 31 January 2012 19:11:23 UTC