- From: Shane Wiley <wileys@yahoo-inc.com>
- Date: Tue, 13 Mar 2012 19:29:15 -0700
- To: Jonathan Mayer <jmayer@stanford.edu>, Tracking Protection Working Group WG <public-tracking@w3.org>
- Message-ID: <63294A1959410048A33AEE161379C8023D10417DDA@SP2-EX07VS02.ds.corp.yahoo.com>
Jonathan, If "logged-in" equates to "out of band" consent from a user, then I believe this is moot discussion and would equate more likely to #3 - depends on the terms of registration with that party. I would suggest we treat "logged-in" on the merits of registration with each party and therefore the W3C makes no statement with regard to DNT and a logged-in state. - Shane From: Jonathan Mayer [mailto:jmayer@stanford.edu] Sent: Tuesday, March 13, 2012 7:07 PM To: Tracking Protection Working Group WG Subject: Logged-In Exception (ISSUE-65) I see three possible policy options here. 1) No logged-in exception: login state does not affect DNT obligations. 2) A logged-in exception: if the user is logged into a website, it is treated as a first party. 3) In between: if the user is logged into a website under certain conditions (e.g. a recent login, or a login in the same window), it is treated as a first party. The ISSUE is PENDING REVIEW, with two text proposals for #1. (One proposal would be explicit about it, the other would be implicit.) #1 seems to me the right outcome. A first party is under greater market pressure to get privacy and security right - a privacy plus relative to pure third parties. On the other hand, a first party can link browsing activity to account information - a privacy minus. Given the risks at issue, it seems to me users should still be provided control. I would note that #1 does *not* prevent social widgets and single sign-on from functioning. Rather, they will initially appear unpersonalized. After user interaction they can function as normal in a specific scenario, and after user consent they can always function as normal. Arvind Narayanan and I mocked up an example of Facebook's like button under DNT at: http://donottrack.us/cookbook I am concerned that #2 and #3 would privilege specific advertising business models. Those advertising companies that also operate a large first-party website would be greatly advantaged relative to pure third-party advertising companies. Finally, I think #2 and #3 impose an unrealistic burden on users by compelling them to learn about the logged-in exception and then choose between the convenience (and in some cases security) of a saved login and carefully monitoring their login status to exercise choice. For those participants who persist in viewing DNT as a limit on content personalization, I think all of the same arguments apply (save the first paragraph about collection). In group discussions I *think* there has been a consensus or near-consensus for #1. If anyone disagrees, I'd very much like to hear about it. Otherwise, this issue seems ripe for closing in next week's call. Best, Jonathan
Received on Wednesday, 14 March 2012 02:30:29 UTC