Re: Third-Party Web Tracking: Policy and Technology Paper outlining harms of tracking

Hi Jonathan - 

In addition to my questions below, I'm curious whether your research has
documented specific examples of these harms occurring in the real world?

Thanks again,

Alan

From:  Alan Chapell <achapell@chapellassociates.com>
Date:  Saturday, October 6, 2012 5:14 AM
To:  <public-tracking@w3.org>, Jonathan Mayer <jmayer@stanford.edu>
Subject:  Third-Party Web Tracking: Policy and Technology Paper outlining
harms of tracking

> Hi Jonathan - 
> 
> A few days ago, you invited me (via IRC) to review your recent paper which ­
> among other items ­ outlines some of the potential harms of tracking. (See
> https://www.stanford.edu/~jmayer/papers/trackingsurvey12.pdf)
> 
> Thanks ­ As you may have noticed, I've been asking a number of folks in the WG
> for examples of harms and haven't received very much information in response.
> So I want to applaud your effort to help provide additional information and to
> facilitate a dialog. That said, I want to make sure I understand your thinking
> here ­ or at least help clarify some of the distinctions you may be drawing.
> 
> I'm curious whether your position is that those harms are equally apparent in
> a first party setting ­ where a first party utilizes their own data for ad
> targeting across the internet? For example, in your scenario where "an actor
> that causes harm to a consumer." Is that not also possible in a first party
> context? Does the first party not have both "the means", "the access" and at
> least potentially, the ability to take the  "action" that causes the harms you
> lay out? (e.g., "Publication, a less favorable offer, denial of a benefit, or
> termination of employment. Last, a particular harm that is inflicted. The harm
> might be physical, psychological, or economic.")
> Do you believe that a direct relationship between consumers and first party
> websites completely mitigates that risk of harm ­ even where the first parties
> have significant stores of personally identifiable data?
> 
> 
> Has your position evolved over the past few months? Correct me if I'm
> mistaken, but I believe that one of the proposals offered by Mozilla /
> Stanford and EFF sought to address forms of first party tracking. Do I have
> that correct?
> 
> Thanks ­ I look forward to hearing your thoughts.
> 
> 
> 
> 
> 
> Excerpt from your paper for the convenience of others.
> 
> 
> "When considering harmful web tracking scenarios, we find it helpful to focus
> on four variables. First, an actor that causes harm to a consumer. The actor
> might, for example, be an authorized employee, malicious employee, competitor,
> acquirer, hacker, or government agency. Second, a means of access that enables
> the actor to use tracking data. The data might be voluntarily transferred,
> sold, stolen, misplaced, or accidentally distributed. Third, an action that
> harms the consumer. The action could be, for example, publication, a less
> favorable offer, denial of a benefit, or termination of employment. Last, a
> particular harm that is inflicted. The harm might be physical, psychological,
> or economic.
> The countless combinations of these variables result in countless possible bad
> outcomes for consumers. To ex- emplify our thinking, here is one commonly
> considered scenario: A hacker (actor) breaks into a tracking company (means of
> access) and publishes its tracking information (action), causing some
> embarrassing fact about the consumer to become known and inflicting emotional
> distress (harm).9
> Risks associated with third-party tracking are heightened by the lack of
> market pressure to exercise good security and privacy practices. If a
> first-party website is untrustworthy, users may decline to visit it. But,
> since users are unaware of the very existence of many third-party websites,
> they cannot reward responsible sites and penalize irresponsible sites.10"
> 
>