Re: Action-157: Update logged-in consent proposal

On May 9, 2012, at 9:16 AM, Justin Brookman wrote:
> On 5/8/2012 3:08 AM, Roy T. Fielding wrote:
>> 
>> On May 7, 2012, at 8:32 PM, Justin Brookman wrote:
>> 
>>> 
>>> You say that this language is not necessary for interoperability.  I'm saying that the language (or comparable language) is necessary to accomplish the stated mission of this working group, which is to improve user privacy and user control over tracking.
>> 
>> We can completely remove it from the spec and it would not lower
>> the user's privacy nor remove control over tracking. If a site has
>> the user's consent to do something, then by definition the site
>> does not violate the user's control by doing that something.
>> It is the site's responsibility to ensure that it has consent
>> to override DNT before it does so.
> 
> Perhaps this is the crux of our disagreement.  You believe that so long as a company has legally valid consent to track, then by definition there can be no privacy concerns.

No, one has nothing to do with the other.  They have permission
to track.  That doesn't mean they have permission to expose
personal data, share it with others, or use the data in a way
that they do not have permission from the user to do.

> I would like to believe this is the case, but I think history has shown that dense contracts of adhesion can be used to obtain what is arguably legal consent to privacy violations that a user doesn't want or understand.  The FTC's Sears settlement is a good example --- there, Sears included a contractual term within a long contract that reserved broad rights to track a user's web activity.  Legally speaking, that may well have been consent, but the FTC said that Sears nevertheless violated deceptive practices by failing to clearly and conspicuously disclose the practice in a clear and conspicuous manner outside of the contract.  However, the case was never litigated.

I'd expect the same from the FTC if a company overreached on
tracking data.

> Here, I do believe that if a company only asserted the ability within a EULA or privacy policy user consent to track despite a clear user instruction not to track, then that consent would be invalid or the practice would be otherwise illegal, but the law is far from settled.  There is at least an argument that the practice would not be illegal in some jurisdictions, though I think most of us are agreed that it would constitute a clear violation of user's privacy and expectations.

I think that is a question of regional law/regulation, not standards.

> As we have all agreed several times now, we cannot change law, but we can set a standard that protects user privacy.  I do not believe that requiring express, informed consent (or permission, whatever) to ignore the DNT signal and providing a couple of what are non-controversial examples of what that means adds any uncertainty for companies --- to the contrary, the existing legal regime(s) on consent and reasonable expectations of privacy are extraordinarily vague and confusing as is.  If there are *any* use cases that you think this language limits, please explain them.

I have no problem with examples that show how to legitimately
obtain consent, so long as they don't rule out other means.

> Again, I fail to see how providing an example that notice only in a privacy policy is not express, informed consent (permission) for this spec is burdensome or undesirable.  And it would have the clear benefit of giving guidance to potentially deceptive actors and some confidence to consumer advocates that this spec will actually achieve its goals.

You haven't defined "privacy policy", nor do I believe you can
do so in a way that covers all privacy policies (including those
that are very short, repeatedly displayed to the user, or provided
in account preference dialogs).

And it simply doesn't matter --- what is insufficient consent will
depend on context and we don't have room in the spec to cover
every possible case.

....Roy

Received on Wednesday, 9 May 2012 17:19:37 UTC