Third-Party Web Tracking: Policy and Technology Paper outlining harms of tracking

Hi Jonathan - 

A few days ago, you invited me (via IRC) to review your recent paper which ­
among other items ­ outlines some of the potential harms of tracking. (See
https://www.stanford.edu/~jmayer/papers/trackingsurvey12.pdf)

Thanks ­ As you may have noticed, I've been asking a number of folks in the
WG for examples of harms and haven't received very much information in
response. So I want to applaud your effort to help provide additional
information and to facilitate a dialog. That said, I want to make sure I
understand your thinking here ­ or at least help clarify some of the
distinctions you may be drawing.

I'm curious whether your position is that those harms are equally apparent
in a first party setting ­ where a first party utilizes their own data for
ad targeting across the internet? For example, in your scenario where "an
actor that causes harm to a consumer." Is that not also possible in a first
party context? Does the first party not have both "the means", "the access"
and at least potentially, the ability to take the  "action" that causes the
harms you lay out? (e.g., "Publication, a less favorable offer, denial of a
benefit, or termination of employment. Last, a particular harm that is
inflicted. The harm might be physical, psychological, or economic.")
Do you believe that a direct relationship between consumers and first party
websites completely mitigates that risk of harm ­ even where the first
parties have significant stores of personally identifiable data?


Has your position evolved over the past few months? Correct me if I'm
mistaken, but I believe that one of the proposals offered by Mozilla /
Stanford and EFF sought to address forms of first party tracking. Do I have
that correct?

Thanks ­ I look forward to hearing your thoughts.





Excerpt from your paper for the convenience of others.


"When considering harmful web tracking scenarios, we find it helpful to
focus on four variables. First, an actor that causes harm to a consumer. The
actor might, for example, be an authorized employee, malicious employee,
competitor, acquirer, hacker, or government agency. Second, a means of
access that enables the actor to use tracking data. The data might be
voluntarily transferred, sold, stolen, misplaced, or accidentally
distributed. Third, an action that harms the consumer. The action could be,
for example, publication, a less favorable offer, denial of a benefit, or
termination of employment. Last, a particular harm that is inflicted. The
harm might be physical, psychological, or economic.
The countless combinations of these variables result in countless possible
bad outcomes for consumers. To ex- emplify our thinking, here is one
commonly considered scenario: A hacker (actor) breaks into a tracking
company (means of access) and publishes its tracking information (action),
causing some embarrassing fact about the consumer to become known and
inflicting emotional distress (harm).9
Risks associated with third-party tracking are heightened by the lack of
market pressure to exercise good security and privacy practices. If a
first-party website is untrustworthy, users may decline to visit it. But,
since users are unaware of the very existence of many third-party websites,
they cannot reward responsible sites and penalize irresponsible sites.10"

Received on Saturday, 6 October 2012 09:15:09 UTC