RE: Towards a DNT Grand Bargain

Thank you Jonathan – I was not following the use of IDs during the grace period – this makes it much clearer (outside of security, no IDs whatsoever).  As there are other permitted uses outside of security/fraud that require an identifier, your proposal as it stands would significantly harm the current internet ecosystem.  Without an identifier even a pathway to aggregation is unreachable as you need an anonymous identifier to link events to properly aggregate them (simplest example here is a “returning visitors” metric).

Thank you again,
- Shane

From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Sunday, June 10, 2012 4:45 PM
To: public-tracking@w3.org
Subject: Re: Towards a DNT Grand Bargain

(swapping threads for organization)

Our proposal does not allow for ID cookies (or equivalents), unless a) the user consents, or b) there's some reason to believe the user is attempting fraud or security breach.  I'm uncertain how you came to be confused on this point.

Jonathan

On Sunday, June 10, 2012 at 3:08 PM, Shane Wiley wrote:

Jonathan,

They collect the identifier only for delivery of the service and move to unlinkability within a short period of time – I thought that outcome was provided for in your proposal.  Are you saying no identifiers, of any type, may be used in your proposal?



- Shane



From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Sunday, June 10, 2012 3:06 PM
To: Shane Wiley
Cc: Justin Brookman; public-tracking@w3.org<mailto:public-tracking@w3.org>
Subject: Re: Considering browser vendor as a third party





On Sunday, June 10, 2012 at 2:37 PM, Shane Wiley wrote:

Jonathan,



For the examples I listed, I’ve seen a step in either install or first use of the browser where I’ve been asked to consider participation (research panel, phishing scanning) and/or how I would like a certain option configured (default search engine for example).  With respect to the “proxy traffic” example - I had a Kindle Fire for a brief time and they “collect” very little information, for a limited period of time, and only retain aggregate (unlinkable) data – but was NOT shown this information in a separate “pop-up” during first use (has that changed – no longer have the Kindle Fire so I can’t check).

Ok, so we're on the same page—some products in this space get explicit consent ex ante, while many (most? almost all?) don't.

I would have thought based on your proposal they would be in the clear for not needing consent based on the limits they place on their business practices (and their PP is crystal clear on this feature for anyone with questions).  Based on your current proposal, if you were to treat as a 3rd party (non-service provider), would they require opt-in consent based on their limited use and retention of the data collected – or would their approach be covered under your grace period?

These products collect a user's browsing history in connection with a unique identifier.  Moreover, the identifier is in some instances an unchangeable hardware value or deliberately linked to a user's identity.  The practices plainly exceed "protocol information" as defined in the compromise proposal.

- Shane

Received on Monday, 11 June 2012 00:47:03 UTC