Re: Proportionate Response for Fraud Prevention and Security (ISSUE-24)

On Mar 13, 2012, at 11:42 PM, Jonathan Mayer wrote:

> Industry participants have expressed concern that DNT could curtail their ability to detect fraud and thwart attacks.

I think you misunderstand.  Industry will not reduce fraud detection or
attack prevention just because the potential attacker has DNT on, for
obvious reasons.  It would not be beneficial for legitimate DNT users.
This is not even open to debate.

> Civil society participants have expressed concern that blanket exceptions for fraud and security would undermine DNT's privacy protections.
> 
> I'd like to propose proportionate response as a direction for compromise.  The notion is straightforward: once there is reason to suspect a user or user agent of foul play, DNT's limits dissipate.  Proportionate response is nothing new in online advertising; many businesses, including some in the group, have already deployed it.  (To some measure proportionate response is already necessary since an attacker could trivially clear cookies.)

In a word, no.  I will not compromise here.

Some sites use cookies as a means to differentiate legitimate traffic from
other traffic -- clearing cookies doesn't impact that at all because the
user just gets directed back to the setting part.  Generally speaking,
cookie setting for fraud is only relevant to first-party sites.

Third-party fraud control is a lot more aggressive, and none of those folks
will ever implement DNT.  It is their function not to.  Laws and regulations
are the only things that will ever impact their function (and for some cases,
not even then).

There are existing regulatory vehicles for limiting fraud protection and
associated data retention to what is necessary to perform that function.
The "necessary" will be different for every site. It should be evaluated
by folks who are competent in the specific market for which the fraud is
being prevented.  In some cases, a proportionate response will be the
recommended course of action; in others, it won't.  In any case, the same
limitations will apply with or without DNT.

We should ignore collection by fraud prevention companies and focus instead
on ways to limit the damage.  For example, forbid data sharing of collected
data -- only allow aggregate/probabilistic answers regarding a specific
user so that there is no dual-use of the data and no sharing of user
activity trails across sites.  Limit retention to what is necessary.

We could also suggest specific examples of performing fraud prevention
in specific markets (like online advertising) in ways that are more
DNT-friendly than storing user activity.  In other words, reduce the scope
of "necessary" for folks who read the spec.

....Roy

Received on Wednesday, 14 March 2012 07:55:25 UTC