Re: Mandatory Legal Process (ACTION-57, ISSUE-28) from John Simpson on 2012-01-31 (public-tracking@w3.org from January 2012)

From: John Simpson <john@consumerwatchdog.org>
Date: Tue, 31 Jan 2012 11:10:51 -0800
To: "Amy Colando (LCA)" <acolando@microsoft.com>
Cc: Joanne Furtsch <jfurtsch@truste.com>, MeMe Rasmussen <meme@adobe.com>, Shane Wiley <wileys@yahoo-inc.com>, Tom Lowenthal <tom@mozilla.com>, Jonathan Mayer <jmayer@stanford.edu>, David Singer <singer@apple.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-Id: <9CEAFEED-8B59-4F1A-B004-E3EE46A0636C@consumerwatchdog.org>
Is text necessary?  How could a technical specification override applicable laws and regulations? I'd say NO text.


On Jan 30, 2012, at 3:47 PM, Amy Colando (LCA) wrote:

> In order to make sure that W3C process is moving along, I am formally proposing alternative text for Issue 28 as follows:
> 
> either NO text at all on this point, or text that states the fact that "this specification is not intended to override applicable laws and regulations."
> 
> (Matthias, please pester me separately if this is not what you need.)
> 
> -----Original Message-----
> From: Joanne Furtsch [mailto:jfurtsch@truste.com] 
> Sent: Wednesday, January 25, 2012 8:47 PM
> To: MeMe Rasmussen; Amy Colando (LCA)
> Cc: Shane Wiley; Tom Lowenthal; Jonathan Mayer; David Singer; public-tracking@w3.org
> Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
> 
> Another +1 to Shane and Amy.  Shane's recommendation makes sense - adding some language to the preamble as to what the standard does not intend do.
> 
> On 1/25/12 11:26 AM, "MeMe Rasmussen" <meme@adobe.com> wrote:
> 
>> +1 to Shane and Amy.  I actually don't even think we need Shane's
>> language.  It goes without saying that parties should comply with the 
>> law and that a standard wouldn't override law.  I don't have a problem 
>> saying it. I just think it is unnecessary. I tend to be a proponent if 
>> less is more.
>> 
>> Sent with my thumbs. Please excuse typos.
>> 
>> On Jan 25, 2012, at 7:13 PM, "Amy Colando (LCA)" 
>> <acolando@microsoft.com>
>> wrote:
>> 
>>> I agree with Shane that the text should simply state that there may 
>>> be legal requirements that this standard is not intended to override.
>>> 
>>> As a very realistic example, not only are entities required to comply 
>>> with potentially differing breach notification laws, but in some cases 
>>> are subject to legal subpoenas (as for example in cases of child 
>>> pornography investigations) where disclosure to the subject is 
>>> expressly prohibited by the terms of the subpoena.
>>> 
>>> I recommend strongly that we stick to the technical standards 
>>> necessary for interpreting the DNT signal without attempting to 
>>> overwrite state and federal laws (and in a very timely manner, EU 
>>> directives) on data breach and required disclosures.  The more 
>>> additional legal requirements we hitch to this standard, the more 
>>> complex and daunting the implementation becomes for websites.
>>> 
>>> -----Original Message-----
>>> From: Shane Wiley [mailto:wileys@yahoo-inc.com]
>>> Sent: Wednesday, January 25, 2012 10:57 AM
>>> To: Tom Lowenthal; Jonathan Mayer
>>> Cc: David Singer; public-tracking@w3.org
>>> Subject: RE: Mandatory Legal Process (ACTION-57, ISSUE-28)
>>> 
>>> Tom,
>>> 
>>> I look forward to broader discussion on this issue.  In many 
>>> jurisdictions we already have both legal process disclosure and 
>>> security breach laws and I don't believe the DNT Specification is the 
>>> appropriate location for use to somehow alter a parties 
>>> responsibilities in those matters.  It honestly feels like an overreach (but a well intended one).
>>> 
>>> - Shane
>>> 
>>> -----Original Message-----
>>> From: Tom Lowenthal [mailto:tom@mozilla.com]
>>> Sent: Wednesday, January 25, 2012 7:50 PM
>>> To: Jonathan Mayer
>>> Cc: David Singer; public-tracking@w3.org; Shane Wiley
>>> Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
>>> 
>>> I think that Jonathan's proposal makes much more sense when 
>>> considered form the perspective of the user, and their threat model 
>>> regarding their data.. When they switch on DNT, they're trying to 
>>> limit their data going to third parties. If we permit third parties to 
>>> collect some data anyway, this third-party data isn't meaningfully 
>>> accounted for in the user's mental model of where their data is. If it 
>>> wanders off, they should be alerted about it.
>>> 
>>> It's an additional safeguard on data collected by third parties. If 
>>> you're a third party then your data collection is significantly 
>>> limited by DNT: you can only collect it for certain enumerated 
>>> purposes, you have to engage in minimization and sometimes reasonable 
>>> technical or operational precautions. This is just another defense 
>>> that users' get for third-party data collection.
>>> 
>>> However, I do agree with you Shane that the addition of this 
>>> responsibility just for legal process is a little odd. It would 
>>> probably make more sense to apply this to involuntary data disclosure 
>>> of any form, whether through legal process or a data breach. I further 
>>> agree with Sean that this is a new provision, and should probably get 
>>> an issue, and some time on the call. On the plus side, we basically 
>>> already have draft text!
>>> 
>>> On Wed 25 Jan 2012 07:25:40 PM CET, Jonathan Mayer wrote:
>>>> Some relevant U.S. legal background: web tracking may soon fall 
>>>> within the Fourth Amendment's compelled disclosure rules.
>>>> 
>>>> From Justice Sotomayor's concurrence in United States v. Jones:
>>>> 
>>>> More fundamentally, it may be necessary to reconsider the premise 
>>>> that an individual has no reasonable expectation of privacy in 
>>>> information voluntarily disclosed to third parties. E.g., Smith, 442 
>>>> U. S., at 742; United States v. Miller, 425 U. S. 435, 443 (1976). 
>>>> This approach is ill suited to the digital age, in which people 
>>>> reveal a great deal of information about themselves to third parties 
>>>> in the course of carrying out mundane tasks. People disclose the 
>>>> phone numbers that they dial or text to their cellular providers; 
>>>> the URLs that they visit and the e-mail addresses with which they 
>>>> correspond to their Internet service providers; and the books, 
>>>> groceries, and medications they purchase to online retailers. 
>>>> Perhaps, as Justice Alito notes, some people may find the tradeoff 
>>>> of privacy for convenience worthwhile, or come to accept this 
>>>> diminution of privacy as inevitable, post, at 10, and perhaps not. I 
>>>> for one doubt that people would accept without complaint the 
>>>> warrantle
>>> ss disclosure to the Government of a list of every Web site they had 
>>> visited in the last week, or month, or year.
>>>> 
>>>> On Jan 25, 2012, at 7:22 PM, Jonathan Mayer wrote:
>>>> 
>>>>> The text I've proposed addresses web information practices for DNT 
>>>>> users.  By all means argue why organizations shouldn't inform their 
>>>>> users of compelled disclosure, but I think this text is 
>>>>> unambiguously within the working group's scope.
>>>>> 
>>>>> On Jan 25, 2012, at 7:15 PM, Shane Wiley wrote:
>>>>> 
>>>>>> I believe attempts to "add on" to the party responsibilities 
>>>>>> within legal process "outside of the DNT standard" is outside of 
>>>>>> scope of the working group.  Instead I would suggest the preamble 
>>>>>> of each document simply state "this standard is not intended to 
>>>>>> override local, state, or country law."
>>>>>> 
>>>>>> - Shane
>>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: Tom Lowenthal [mailto:tom@mozilla.com]
>>>>>> Sent: Wednesday, January 25, 2012 7:11 PM
>>>>>> To: David Singer; public-tracking@w3.org
>>>>>> Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
>>>>>> 
>>>>>> I don't think we need anything apart from Jonathan's text. I'd 
>>>>>> argue that for process applied to data collected in a third party 
>>>>>> capacity, notification is a must; for first party data, a should; 
>>>>>> and for any breach where you must notify some users, you must notify all users.
>>>>>> 
>>>>>> On Wed 25 Jan 2012 06:43:06 PM CET, David Singer wrote:
>>>>>>> 
>>>>>>> On Jan 25, 2012, at 16:12 , Jonathan Mayer wrote:
>>>>>>> 
>>>>>>>> Proposed text:
>>>>>>>> 
>>>>>>>> A party MAY take action contrary to the requirements of this 
>>>>>>>> standard if compelled by mandatory legal process.  To the extent 
>>>>>>>> allowed by law, the party MUST (SHOULD? MAY? non-normative?) 
>>>>>>>> notify affected users.
>>>>>>> 
>>>>>>> which means we need a 'legal exception'?
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> David Singer
>>>>>>> Multimedia and Software Standards, Apple Inc.
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>>> 
>>> 
>> 
>> Confidentiality Notice: The contents of this e-mail (including any
>> attachments) may be confidential to the intended recipient, and may 
>> contain information that is privileged and/or exempt from disclosure 
>> under applicable law. If you are not the intended recipient, please 
>> immediately notify the sender and destroy the original e-mail and any 
>> attachments (and any copies that may have been made) from your system 
>> or otherwise. Any unauthorized use, copying, disclosure or distribution 
>> of this information is strictly prohibited. <ACL>
>> 
>> 
> 
> 
> 
> 

----------
John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd. ,Suite 200
Santa Monica, CA,90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org
john@consumerwatchdog.org
Received on Tuesday, 31 January 2012 19:11:23 UTC