Re: Action-157: Update logged-in consent proposal

On 5/8/2012 3:08 AM, Roy T. Fielding wrote:
> On May 7, 2012, at 8:32 PM, Justin Brookman wrote:
>> You say that this language is not necessary for interoperability.  
>> I'm saying that the language (or comparable language) is necessary to 
>> accomplish the stated mission of this working group, which is to 
>> improve user privacy and user control over tracking.
> We can completely remove it from the spec and it would not lower
> the user's privacy nor remove control over tracking. If a site has
> the user's consent to do something, then by definition the site
> does not violate the user's control by doing that something.
> It is the site's responsibility to ensure that it has consent
> to override DNT before it does so.

Perhaps this is the crux of our disagreement.  You believe that so long as 
a company has legally valid consent to track, then by definition there 
can be no privacy concerns.  I would like to believe this is the case, 
but I think history has shown that dense contracts of adhesion can be 
used to obtain what is arguably legal consent to privacy violations that 
a user doesn't want or understand.  The FTC's Sears settlement is a good 
example --- there, Sears included a contractual term within a long 
contract that reserved broad rights to track a user's web activity.  
Legally speaking, that may well have been consent, but the FTC said that 
Sears nevertheless violated deceptive practices by failing to clearly 
and conspicuously disclose the practice in a clear and conspicuous 
manner outside of the contract.  However, the case was never litigated.

Here, I do believe that if a company only asserted the ability within a 
EULA or privacy policy user consent to track despite a clear user 
instruction not to track, then that consent would be invalid or the 
practice would be otherwise illegal, but the law is far from settled.  
There is at least an argument that the practice would not be illegal in 
some jurisdictions, though I think most of us are agreed that it would 
constitute a clear violation of user's privacy and expectations.

As we have all agreed several times now, we cannot change law, but we 
can set a standard that protects user privacy.  I do not believe that 
requiring express, informed consent (or permission, whatever) to ignore 
the DNT signal and providing a couple of what are non-controversial 
examples of what that means adds any uncertainty for companies --- to 
the contrary, the existing legal regime(s) on consent and reasonable 
expectations of privacy are extraordinarily vague and confusing as is.  
If there are *any* use cases that you think this language limits, please 
explain them.

Again, I fail to see how providing an example that notice only in a 
privacy policy is not express, informed consent (permission) for this 
spec is burdensome or undesirable.  And it would have the clear benefit 
of giving guidance to potentially deceptive actors and some confidence 
to consumer advocates that this spec will actually achieve its goals.

Received on Wednesday, 9 May 2012 16:16:44 UTC