Proportionate Response for Fraud Prevention and Security (ISSUE-24)

Industry participants have expressed concern that DNT could curtail their ability to detect fraud and thwart attacks.  Civil society participants have expressed concern that blanket exceptions for fraud and security would undermine DNT's privacy protections.

I'd like to propose proportionate response as a direction for compromise.  The notion is straightforward: once there is reason to suspect a user or user agent of foul play, DNT's limits dissipate.  Proportionate response is nothing new in online advertising; many businesses, including some in the group, have already deployed it.  (To some measure proportionate response is already necessary since an attacker could trivially clear cookies.)

I've pasted draft text below.

--------------------------------------------------

[Note: This text does not include a retention limit; there may be some interest in adding one (e.g. "Data may only be retained as long as necessary to mitigate the present threat.").]

I. Fraud Prevention

A. Operative Text

A third party may collect, retain, and use data about a particular user or user agent for the purpose of preventing fraud, provided that there are reasonable grounds to believe the user or user agent is presently attempting to commit fraud.

B. Non-Normative Discussion

When a user meaningfully interacts with third-party content (e.g. clicking an ad), the third party can collect, retain, and use information for fraud prevention.  Third parties can also use protocol logs for fraud prevention.  This exception provides an additional capability to, in certain circumstances, track impressions for fraud prevention.

II. Security

A. Operative Text

A third party may collect, retain, and use data about a particular user or user agent for the purpose of ensuring its security, provided that there are reasonable grounds to believe the user or user agent is presently attempting to breach the party's security.

B. Non-Normative Discussion

This exception grants third parties (e.g. advertising networks) some latitude to mitigate security risks.  Websites that users store sensitive personal information on (e.g. financial services and webmail) are all first-party; they are able to collect, retain, and use information about all users for security purposes.

Received on Wednesday, 14 March 2012 06:44:00 UTC