- From: イアンフェッティ <ifette@google.com>
- Date: Mon, 18 Jun 2012 10:50:25 -0700
- To: Jonathan Mayer <jmayer@stanford.edu>
- Cc: Alan Chapell <achapell@chapellassociates.com>, rob@blaeu.com, Tamir Israel <tisrael@cippic.ca>, Rigo Wenning <rigo@w3.org>, Jeffrey Chester <jeff@democraticmedia.org>, "public-tracking@w3.org" <public-tracking@w3.org>, "JC Cannon (Microsoft)" <jccannon@microsoft.com>, Kimon Zorbas <vp@iabeurope.eu>, Shane Wiley <wileys@yahoo-inc.com>, Mike Zaneis <mike@iab.net>
- Message-ID: <CAF4kx8fSywXs8D8pFUwXK28a7RjEjmMLj5ti2O15=f1_RCvmYg@mail.gmail.com>
Jonathan, I never suggested sending back dnt 1 and then tracking the user, which I think people would infer from "do whatever they want". "Do whatever they want" is a gross mischaracterization. On Jun 18, 2012 10:37 AM, "Jonathan Mayer" <jmayer@stanford.edu> wrote: > Ian, > > I stand by that quote in its entirety. > > You have frequently expressed the view that companies, including Google, > are under no obligation to implement Do Not Track. And if a company does > implement Do Not Track, it is free to deviate from the W3C standard so long > as it is transparent. You have reaffirmed this view on the mailing list a > number of times. Here are snippets from five separate emails: > > There's other people in the working group, myself included, who feel that > since you are under no obligation to honor DNT in the first place (it is > voluntary and nothing is binding until you tell the user "Yes, I am > honoring your DNT request") that you already have an option to reject a > DNT:1 request (for instance, by sending no DNT response headers). > > With all due respect, I think you've already heard from a number of > companies that they will not honor such a signal. The question at hand is > not whether or not that should be allowed -- the W3C has no power to force > a company to honor DNT -- but rather how that company's decision should be > signaled. > > A site is already under no obligation to conform to DNT. > > From the beginning, I thought everyone understood that no one could force > a website to implement DNT. . . . I'm trying to take a pragmatic view here, > and merely ask the question "If a website chooses to implement DNT for a > subset of users, what is the best way for the website to signal that." > > If the site says "I support DNT under the following circumstances" and is > clear about that, and you are outside of those circumstances, I don't think > you have any reason to be surprised. > > While the minutes of the call are (as usual) a bit thin, here are a three > instances where you appear to have expressed the same view: > > <ifette> no one requires a site to implement DNT > > ifette: nothing requiring site to honor DNT, site can just say 'nope, not > compliant'. > > <ifette> the site then has to decide whether to accept that expression of > your preference or not. It shouldn't lie to you about what it's doing, but > it's under no obligation -- you don't get to dictate terms ;-) > > As for the latter part of the quote: while it is no secret to members of > this group that economic considerations are a leading cause of objections > to Do Not Track, many advertising companies had been quite reluctant to > publicly note as much following the White House festivities. Arguments > tended instead to be couched in terms of user empowerment and choice. > > The renewed focus on defaults changed that. Many advertising companies > began emphasizing the possible negative economic effects of large numbers > of DNT users. You yourself got into a lengthy, contentious debate of the > topic with Lorrie Cranor on a CMU mailing list. (I'm not going to post > that conversation since, as I understand it, the list is closed.) > > Let me wrap by explaining how these press interactions work. I don't > solicit media coverage; reporters call me. They ask what's going on with > Do Not Track. Given the premium I place on public transparency in this > process, I answer candidly. I make every effort to ensure that I am > accurate and fair. And I direct reporters to other members of the group to > confirm details. > > I've now burned a couple hours on a take-home exam responding to Do Not > Track emails. I don't expect I'll be able to chime in again before the > Bellevue meeting. If you or anyone else would like to discuss this > further, I'd be glad to chat during a break. > > Jonathan > > On Monday, June 18, 2012 at 9:36 AM, Jeffrey Chester wrote: > > I hadn't seen this. But I think Jonathan was correct in his > characterization. Many privacy advocates hope that Google will provide > greater leadership to adopt meaningful DNT standard. We are waiting to > see its plans to ensure the spec protects privacy. > > Jeff > > > On Jun 18, 2012, at 12:31 PM, Ian Fette (イアンフェッティ) wrote: > > Jeff, > > With respect, > > > "It's not clear to what extent we'll get an agreement on this," Mayer told > CNNMoney. "One of Google's representatives said on the call that the > company will be able to do whatever it wants anyways. I'm stunned at how > transparent some of these companies were -- they just want to minimize the > number of Do Not Track users, period." > > http://money.cnn.com/2012/06/07/technology/do-not-track/index.htm > > That type of behaviour is not something one would expect from someone who > bills themselves as being a "tough-but-fair negotiator." > > -Ian > > On Mon, Jun 18, 2012 at 9:27 AM, Jeffrey Chester <jeff@democraticmedia.org > > wrote: > > Ian: I suggest that what reporters are doing is merely reading the texts > posted. That what's been written says a great deal about both personal > views and--one assumes--the position taken by the CEO and board on DNT and > the spec. There hasn't been anything taken out of context I know about. > See you soon. > > Jeff > > > > On Jun 18, 2012, at 12:24 PM, Ian Fette (イアンフェッティ) wrote: > > Jeff, > > That's precisely the problem. Certain people from this working group seem > to have no problem taking statements made on calls and feeding warped > versions of those statements to reporters; such tactics do not typically go > far when one is trying to be a "negotiator" to reach a "grand compromise". > (Also, most "negotiators" whom I have seen be successful in the past, > hostage negotiators excepted, have been neutral uninterested third parties, > not someone with a clear axe to grind.) > > -Ian > > On Mon, Jun 18, 2012 at 9:21 AM, Jeffrey Chester <jeff@democraticmedia.org > > wrote: > > Alan: I find your language and tone troubling. I hope you know that many > people are looking at this thread. Our communications say a great deal > about ourselves, inc to the EU, FTC and media watching this thread closely. > Maybe even Fox News! > > Jeff > > > > On Jun 18, 2012, at 12:17 PM, Alan Chapell wrote: > > I have no issue with your personality. My issue is with your tactics. > Assuming you can cease utilizing tactics that seem unproductive at best, > then I think you will see fewer emails directed at you; criticizing those > tactics. > > This will be my last note on this matter – I'm hopeful and optimistic that > we can move forward productively from here…. > > > Alan > > > From: Jonathan Mayer <jmayer@stanford.edu> > Date: Monday, June 18, 2012 12:08 PM > To: Jeffrey Chester <jeff@democraticmedia.org> > Cc: Alan Chapell <achapell@chapellassociates.com>, Mike Zaneis < > mike@iab.net>, Shane Wiley <wileys@yahoo-inc.com>, Tamir Israel < > tisrael@cippic.ca>, Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" < > public-tracking@w3.org>, "rob@blaeu.com" <rob@blaeu.com>, Kimon Zorbas < > vp@iabeurope.eu>, "ifette@google.com" <ifette@google.com>, "JC Cannon > (Microsoft)" <jccannon@microsoft.com> > Subject: Re: Identity providers as first parties > > This thread has devolved into a Fox News-esque referendum on my > personality. It's both a distraction and ineffectual—those who have > collaborated with me over the past year know I'm a tireless, tough-but-fair > negotiator. > > Enough. Back to substance. > > Jonathan > > On Monday, June 18, 2012 at 5:33 AM, Jeffrey Chester wrote: > > Jonathan has played an extraordinary productive role, with insights, > urging compromise (when people like me looked with dismay about the lack > of progress in achieving real privacy safeguards so far), and leadership. > As I have explained to officials, we have not yet seen serious compromise > from industry to ensure DNT is a spec that protects privacy. Jonathan > wants us to all do better, as do I. We all know--or should--that what we > are doing is being closely watched on both sides of the Atlantic by the > press and policymakers. It would be a serious loss if we don't make > progress in Seattle. > > Jeff Chester > Center for Digital Democracy > Washington DC > www.democraticmedia.org > Jeff@democraticmedia.org > > On Jun 18, 2012, at 5:19 AM, Alan Chapell <achapell@chapellassociates.com> > wrote: > > Jonathan, > > Taking you at your word that your goal is to attain consensus, I would > humbly suggest that the tactics you are using – particularly over the past > several weeks – seem at odds with that goal. I'm hopeful that your latest > email is an indication that we'll see more compromise and fewer juvenile barbs > when we arrive in Bellevue. > > And for the record, as someone from industry – I strongly favor the > proposal proffered by Shane et al. > > Cheers, > > Alan Chapell > Chapell & Associates > 917 318 8440 > > > From: Jonathan Mayer <jmayer@stanford.edu> > Date: Monday, June 18, 2012 2:06 AM > To: Mike Zaneis <mike@iab.net> > Cc: Shane Wiley <wileys@yahoo-inc.com>, Tamir Israel <tisrael@cippic.ca>, > Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" < > public-tracking@w3.org>, "rob@blaeu.com" <rob@blaeu.com>, Kimon Zorbas < > vp@iabeurope.eu>, "ifette@google.com" <ifette@google.com>, "JC Cannon > (Microsoft)" <jccannon@microsoft.com> > Subject: Re: Identity providers as first parties > Resent-From: <public-tracking@w3.org> > Resent-Date: Mon, 18 Jun 2012 06:07:15 +0000 > > Shane and Mike, > > As the Bellevue meeting approaches, this group's sole focus must be > attaining consensus on a moderate compromise. I'm doing everything I can > to facilitate that goal. I have neither the time nor patience to swap > puerile barbs for cheap political points. There's far too much at stake. > > Jonathan > > On Sunday, June 17, 2012 at 6:58 PM, Mike Zaneis wrote: > > Jonathan, > > Can you please elaborate on these very serious claims you have made in > back to back posts? First, you attack two of the most engaged, productive > members of the working group (Shane and Roy who are both editors) and claim > they do not speak for the online advertising industry, yet you did not > point to any companies or public statements of support for your position. > As someone who DOES speak for the industry, I know that Shane and Roy > raise issues that THE industry shares. Please provide substantiation for > your claims. > > As for the unfair competition claims, that is laughable. The only legal > claim we should be discussing is one of liable for such ridiculous > statements. > > Mike Zaneis > SVP & General Counsel, IAB > (202) 253-1466 > > On Jun 17, 2012, at 5:52 PM, "Jonathan Mayer" <jmayer@stanford.edu> wrote: > > Shane, > > As I explained in my initial note: > > We have received valuable feedback from a number of participant > viewpoints, including browser vendors, advertising companies, analytics > services, social networks, policymakers, consumer groups, and researchers. > Out of respect for the candid nature of those ongoing conversations, we > leave it to stakeholders to volunteer their contributions to and views on > this proposal. > > I would add that more than one advertising company expressed concern about > possible retaliation if they broke away from the industry trade groups. > I'll leave it to regulators to decide if the industry's practices > constitute unfair competition. > > Jonathan > > On Sunday, June 17, 2012 at 1:51 PM, Shane Wiley wrote: > > Jonathan,**** > ** ** > Continue to disagree (on many levels). Could you please name those in the > online advertising industry that are supportive of the proposal you shared > with the WG?**** > ** ** > Thank you,**** > - Shane**** > ** ** > *From:* Jonathan Mayer [ <jmayer@stanford.edu>mailto:jmayer@stanford.edu<jmayer@stanford.edu>] > > *Sent:* Sunday, June 17, 2012 1:42 PM > *To:* Shane Wiley > *Cc:* Tamir Israel; Rigo Wenning; <public-tracking@w3.org> > public-tracking@w3.org; <rob@blaeu.com>rob@blaeu.com; Kimon Zorbas; > <ifette@google.com>ifette@google.com; JC Cannon (Microsoft) > *Subject:* Re: Identity providers as first parties**** > ** ** > Shane, **** > ** ** > You and Roy have been vocal in your objections to the EFF/Mozilla/Stanford > compromise proposal. I'm disappointed, though given your inflexibility > throughout this process, entirely unsurprised.**** > ** ** > That said, you do not speak for the online advertising industry. Many > companies have been more willing to countenance constructive compromise. > Your conclusion that advertising industry participants have "mostly > rejected" the proposal is inaccurate.**** > ** ** > Jonathan **** > On Sunday, June 17, 2012 at 12:26 PM, Shane Wiley wrote:**** > > Tamir,**** > ** ** > Jonathan's proposal does attempt to address this point but many in the > room feel this should be left to local law. Justin Brookman and I took a > pass at this language but it shifted to becoming overly prescriptive > (legislating via tech standard) so many in the WG asked for local law to > determine.**** > ** ** > I would suggest this conversation be extracted from Jonathan's proposal to > be handled separately as the rest of proposal has been mostly rejected by > those in the WG that are intended to implement DNT in the real-world (on > the 1st party/3rd party side).**** > ** ** > More to come in Seattle...**** > ** ** > - Shane**** > ** ** > -----Original Message-----**** > From: Tamir Israel [ <tisrael@cippic.ca>mailto:tisrael@cippic.ca<tisrael@cippic.ca>] > **** > Sent: Sunday, June 17, 2012 12:19 PM**** > To: Shane Wiley**** > Cc: Rigo Wenning; <public-tracking@w3.org>public-tracking@w3.org; > <rob@blaeu.com>rob@blaeu.com; Kimon Zorbas; <ifette@google.com> > ifette@google.com; JC Cannon (Microsoft)**** > Subject: Re: Identity providers as first parties**** > ** ** > Shane -- I am not remotely attempting doing so.**** > ** ** > As far back as I can see, the spec was going to put conditions on the **** > means by which out of band consent can be sought.**** > ** ** > Jonathan et al's proposal is:**** > ** ** > 1. Actual presentation: The choice mechanism MUST be actually presented ** > ** > to the user. It MUST NOT be on a linked page, such as a terms of service * > *** > or privacy policy.**** > 2. Clear terms: The choice mechanism MUST use clear, non-confusing **** > terminology.**** > 3. Independent choice: The choice mechanism MUST be presented **** > independent of other choices. It MUST NOT be bundled with other user **** > preferences.**** > 4. No default permission: The choice mechanism MUST NOT have the user **** > permission preference selected by default.**** > ** ** > On 6/17/2012 3:16 PM, Shane Wiley wrote:**** > > Tamir,**** > ** ** > That's up to local laws to determine. Please do not attempt to legislate > via W3C tech standard.**** > ** ** > - Shane**** > ** ** > -----Original Message-----**** > From: Tamir Israel [ <tisrael@cippic.ca>mailto:tisrael@cippic.ca<tisrael@cippic.ca> > ]**** > Sent: Sunday, June 17, 2012 12:14 PM**** > To: Shane Wiley**** > Cc: Rigo Wenning; <public-tracking@w3.org>public-tracking@w3.org; > <rob@blaeu.com>rob@blaeu.com; Kimon Zorbas; <ifette@google.com> > ifette@google.com; JC Cannon (Microsoft)**** > Subject: Re: Identity providers as first parties**** > ** ** > Shane -- Out of band consent *does* trump DNT-1. We are now trying to**** > define the parameters by which out of band consent can be sought.**** > ** ** > Best,**** > Tamir**** > ** ** > On 6/17/2012 3:11 PM, Shane Wiley wrote:**** > > Tamir,**** > ** ** > Out-of-band consent trumps DNT. We've been repeating this mantra for over > a year now - becoming repetitive.**** > ** ** > - Shane**** > ** ** > -----Original Message-----**** > From: Tamir Israel [ <tisrael@cippic.ca>mailto:tisrael@cippic.ca<tisrael@cippic.ca> > ]**** > Sent: Saturday, June 16, 2012 5:23 PM**** > To: Shane Wiley**** > Cc: Rigo Wenning; <public-tracking@w3.org>public-tracking@w3.org; > <rob@blaeu.com>rob@blaeu.com; Kimon Zorbas; <ifette@google.com> > ifette@google.com; JC Cannon (Microsoft)**** > Subject: Re: Identity providers as first parties**** > ** ** > Shane --**** > ** ** > Just so we're really clear: if a user authenticates with Yahoo! on site*** > * > A and controls preferences on that site, does the out of band consent**** > dialogue Jonathan showed invalidate DNT-1: on site A? in general?**** > ** ** > Best,**** > Tamir**** > ** ** > On 6/15/2012 11:29 PM, Tamir Israel wrote:**** > > Ok.**** > ** ** > On 6/15/2012 2:07 PM, Shane Wiley wrote:**** > > DAA Opt-out and single-sign on are not related. There are some**** > implementations where the ID is needed beyond the authentication**** > event and therefore data collection occurs outside of the initial**** > authentication event. Users do NOT need to choose Yahoo! as their ID**** > provider if they feel uncomfortable with that outcome.**** > ** ** > - Shane**** > ** ** > -----Original Message-----**** > From: Tamir Israel [ <tisrael@cippic.ca>mailto:tisrael@cippic.ca<tisrael@cippic.ca> > ]**** > Sent: Friday, June 15, 2012 10:56 AM**** > To: Shane Wiley**** > Cc: Rigo Wenning; <public-tracking@w3.org>public-tracking@w3.org; > <rob@blaeu.com>rob@blaeu.com; Kimon**** > Zorbas; <ifette@google.com>ifette@google.com; JC Cannon (Microsoft)**** > Subject: Re: Identity providers as first parties**** > ** ** > Shane,**** > ** ** > Maybe we are getting sidetracked.**** > ** ** > Can you please explain the scope of tracking that results from using**** > Yahoo!'s IdM mechanism? Does it mean you can track all my activities on*** > * > the specific authenticated site? If so does this carry across multiple**** > explicitly authenticated sites? Does it operate in a manner analogous to** > ** > single sign-on? How does it interact with the existing DAA opt-out?**** > ** ** > Thanks and best regards,**** > Tamir**** > ** ** > On 6/15/2012 11:28 AM, Shane Wiley wrote:**** > > Tamir,**** > ** ** > Any service gets to determine its own primary purpose - so if OBA is**** > the payment for the service and this is disclosed as a primary**** > purpose, then that's the bargain the users can choose to consent to**** > or not.**** > ** ** > - Shane**** > ** ** > -----Original Message-----**** > From: Tamir Israel [ <tisrael@cippic.ca>mailto:tisrael@cippic.ca<tisrael@cippic.ca> > ]**** > Sent: Friday, June 15, 2012 8:21 AM**** > To: Shane Wiley**** > Cc: Rigo Wenning; <public-tracking@w3.org>public-tracking@w3.org; > <rob@blaeu.com>rob@blaeu.com; Kimon**** > Zorbas; <ifette@google.com>ifette@google.com; JC Cannon (Microsoft)**** > Subject: Re: Identity providers as first parties**** > ** ** > Shane --**** > ** ** > There are 2 questions here. One is whether you can bundle in the**** > obligation to consent to secondary purposes as a condition of**** > authentication in an IdM context. The primary service in an IdM context*** > * > is authentication, not OBA.**** > ** ** > The second is to what extent the DNT spec should address this. I took**** > the 'independent choice' out of band consent criteria as an attempt to**** > prevent bundling of choices.**** > ** ** > Best,**** > Tamir**** > ** ** > On 6/15/2012 11:06 AM, Shane Wiley wrote:**** > > Tamir,**** > ** ** > But in the use case we're discussing the service being provided is**** > the primary purpose - a user's online identity. A service**** > determines its primary purpose, discloses this to the user, user**** > consents. Case closed.**** > ** ** > - Shane**** > ** ** > -----Original Message-----**** > From: Tamir Israel [ <tisrael@cippic.ca>mailto:tisrael@cippic.ca<tisrael@cippic.ca> > ]**** > Sent: Friday, June 15, 2012 8:02 AM**** > To: Shane Wiley**** > Cc: Rigo Wenning; <public-tracking@w3.org>public-tracking@w3.org; > <rob@blaeu.com>rob@blaeu.com; Kimon**** > Zorbas; <ifette@google.com>ifette@google.com; JC Cannon (Microsoft)**** > Subject: Re: Identity providers as first parties**** > ** ** > Shane, I disagree. Under PIPEDA you should offer users the possibility**** > of opting out of collection, use or disclosure for purposes**** > secondary to**** > the primary service being offered.**** > ** ** > This is the basis of the opt-out consent scheme being applied to**** > online**** > tracking.**** > ** ** > Best,**** > Tamir**** > ** ** > On 6/15/2012 10:58 AM, Shane Wiley wrote:**** > > Tamir,**** > ** ** > I disagree and PIPEDA does as well. As long as you're clear to a**** > user what a service provides and a user expressly consents to**** > those practices, the discussion is over.**** > ** ** > Please don't try to raise CA regulatory schemes into conversations**** > on one hand then completely reverse your stance at whim - this**** > seriously undermines your credibility.**** > ** ** > - Shane**** > ** ** > -----Original Message-----**** > From: Tamir Israel [ <tisrael@cippic.ca>mailto:tisrael@cippic.ca<tisrael@cippic.ca> > ]**** > Sent: Friday, June 15, 2012 7:54 AM**** > To: Shane Wiley**** > Cc: Rigo Wenning; <public-tracking@w3.org>public-tracking@w3.org; > <rob@blaeu.com>rob@blaeu.com; Kimon**** > Zorbas; <ifette@google.com>ifette@google.com; JC Cannon (Microsoft)**** > Subject: Re: Identity providers as first parties**** > ** ** > Shane --**** > ** ** > The need for independent choice is critical, I think, to the out**** > of band**** > consent scheme. You shouldn't be able to force users out of their DNT**** > choices as a condition of authentication.**** > ** ** > Best,**** > Tamir**** > ** ** > On 6/15/2012 10:48 AM, Shane Wiley wrote:**** > > Rigo,**** > ** ** > DNT will NEVER trump an out-of-band consent. The user would**** > simply withdraw from using the service they had provided prior**** > consent to. If the product would like to offer two levels of**** > service, it can of course do that, but that would be completely**** > outside the scope of DNT.**** > ** ** > DNT is not the privacy silver bullet and answer to all privacy**** > issues on the Internet - let's stop trying to push it in that**** > direction.**** > ** ** > Thank you,**** > - Shane**** > ** ** > -----Original Message-----**** > From: Rigo Wenning [ <rigo@w3.org>mailto:rigo@w3.org <rigo@w3.org>]**** > Sent: Friday, June 15, 2012 1:28 AM**** > To: <public-tracking@w3.org>public-tracking@w3.org**** > Cc: Shane Wiley; <rob@blaeu.com>rob@blaeu.com; Kimon Zorbas; > <ifette@google.com>ifette@google.com;**** > Tamir Israel; JC Cannon (Microsoft)**** > Subject: Re: Identity providers as first parties**** > ** ** > Shane, Kimon,**** > ** ** > On Thursday 14 June 2012 16:47:03 Shane Wiley wrote:**** > > I’ve used a few others and they appears to do the same so I’m**** > confused as to what real-world identity provider scenario someone**** > is considering where consent wasn’t already obtained?**** > > I confirm that we agreed that the out-of-band agreement will trump**** > the DNT:1 signal. We also agreed that the service has to signal this**** > to the client.**** > ** ** > I guess, what Rob is trying to achieve is to say, even in this**** > context, a service could offer the choice of stopping to track and**** > only use information for the login/authentication purpose. This**** > could be the meaning of DNT:1 if the Service sends ACK in a**** > login/authentication context. If you're looking for medical**** > information in a login context, you don't want your login provider**** > to spawn that to your insurance. I think this is a very legitimate**** > use case. The service could say: "yes, I see your point" and send**** > ACK instead of "out-of-band".**** > ** ** > We are just defining switches. People will decide whether they**** > switch stuff on or off or provide a switch at all.**** > ** ** > Rigo**** > > ** ** > > > > > > > > > > >
Received on Monday, 18 June 2012 17:50:57 UTC