W3C home > Mailing lists > Public > public-tracking@w3.org > October 2012

RE: Third-Party Web Tracking: Policy and Technology Paper outlining harms of tracking

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Thu, 11 Oct 2012 22:04:25 +0100
To: "'Dobbs, Brooks'" <Brooks.Dobbs@kbmg.com>
Cc: <public-tracking@w3.org>
Message-ID: <029f01cda7f3$fff80bf0$ffe823d0$@baycloud.com>


Techniques, some already documented http://donottrack.us/cookbook/, are
bound to be developed to meet the requirements of online commerce. When user
consent for tracking becomes the norm - either through the DNT indication or
its replacement if this process fails - thousands of developers will be
innovating to solve these problems. When consumers see their rights are
being properly recognised they will be more prepared to trust online
commerce which will result in a larger total market.





From: Dobbs, Brooks [mailto:Brooks.Dobbs@kbmg.com] 
Sent: 11 October 2012 20:59
To: Joseph Lorenzo Hall; Alan Chapell
Cc: <public-tracking@w3.org>; Jonathan Mayer
Subject: Re: Third-Party Web Tracking: Policy and Technology Paper outlining
harms of tracking


Apologies for jumping in here, but I have to completely disagree - "what are
the harms" is exactly the right question.


I am not unsympathetic to the notion that intangible harm may be more
difficult to quantify than say job loss or revenue reduction, but that
doesn't mean we don't have some responsibility to make our best comparisons.


>From the industry side the "harm" of DNT:1 is not all that difficult of a
calculus.  In 2011, according to the PwC Advertising Revenue Report, ad
revenue (largely used to fund "free" content and services) was $31.7 billion
dollars.  There has been great debate over what percentage of this is
attributable to "behavioral advertising", but really this may be a straw
man.  The impact of DNT goes far, far beyond behavioral advertising (as
evidenced by our ongoing discussion of the financial reporting exception).
By way of concrete example, of 2011's 31.7 billion in sales, 65% (or 20.3
billion) was priced on a "performance" based metric.  This means that
pricing was based on what would potentially be considered "tracking" how the
ad performed.  In other words, looking at only this consideration, DNT has
the potential, based on the default behavior of a relatively few number of
actors, to be in direct conflict with the single largest way ads are sold
and measured online today.  


This is why you'll find industry so persistent about harm.  In the above
example alone $20.3 billion - largely used to fund free consumer content and
services - is at risk.  Pick your favorite free online site or utility and
ask yourself how it might change what it provides you for free if it lost
2/3rds of its revenue.  It would be nice if we could attempt to quantify the
potential for intangible harms as they have an 11 digit number to get to
before they balance the scales.





Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the
Wunderman Network
(Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com 

This email - including attachments - may contain confidential information.
If you are not the intended recipient,
 do not copy, distribute or act on it. Instead, notify the sender
immediately and delete the message. 


From: Joseph Lorenzo Hall <joe@cdt.org>
Date: Thursday, October 11, 2012 2:46 PM
To: Alan Chapell <achapell@chapellassociates.com>
Cc: "<public-tracking@w3.org>" <public-tracking@w3.org>, Jonathan Mayer
Subject: Re: Third-Party Web Tracking: Policy and Technology Paper outlining
harms of tracking
Resent-From: <public-tracking@w3.org>
Resent-Date: Thursday, October 11, 2012 2:46 PM


Hi Alan, I don't mean to pile on or seem confrontational...


But for those of us who have a background in privacy theory and scholarship,
"show us the harms" comes up often, and I don't think it's exactly the right


Privacy implications/intrusions are often emotional, intangible and subject
to considerable variation amongst individuals. I think the Berkeley survey
write-up makes a number of key points: at least in the US, the FTC has had
to police privacy issues on a piecemeal basis, and the increasing collection
of data about the web-surfing public coupled with problems in protecting and
in some cases exploiting that information (cite to settlements/actions)
means we really need an effective way to allow users to signal that they
don't want this collection and subsequent implications (with some narrow
common-sense exceptions). It certainly is complicated in the bigger, global
picture ... and I'd like to think we we can design something that
effectively does that. And despite defaults or not, many of us will be
educating users about these tools (and how to grant exceptions and what that
means) when the spec gets adopted.


best, Joe



Joseph Lorenzo Hall

Senior Staff Technologist

Center for Democracy & Technology


On Oct 10, 2012, at 16:55, Alan Chapell <achapell@chapellassociates.com>

Hi Jonathan - 


In addition to my questions below, I'm curious whether your research has
documented specific examples of these harms occurring in the real world? 


Thanks again,




From: Alan Chapell <achapell@chapellassociates.com>
Date: Saturday, October 6, 2012 5:14 AM
To: <public-tracking@w3.org>, Jonathan Mayer <jmayer@stanford.edu>
Subject: Third-Party Web Tracking: Policy and Technology Paper outlining
harms of tracking


Hi Jonathan - 


A few days ago, you invited me (via IRC) to review your recent paper which -
among other items - outlines some of the potential harms of tracking. (See


Thanks - As you may have noticed, I've been asking a number of folks in the
WG for examples of harms and haven't received very much information in
response. So I want to applaud your effort to help provide additional
information and to facilitate a dialog. That said, I want to make sure I
understand your thinking here - or at least help clarify some of the
distinctions you may be drawing. 


I'm curious whether your position is that those harms are equally apparent
in a first party setting - where a first party utilizes their own data for
ad targeting across the internet? For example, in your scenario where "an
actor that causes harm to a consumer." Is that not also possible in a first
party context? Does the first party not have both "the means", "the access"
and at least potentially, the ability to take the  "action" that causes the
harms you lay out? (e.g., "Publication, a less favorable offer, denial of a
benefit, or termination of employment. Last, a particular harm that is
inflicted. The harm might be physical, psychological, or economic.")

Do you believe that a direct relationship between consumers and first party
websites completely mitigates that risk of harm - even where the first
parties have significant stores of personally identifiable data?


Has your position evolved over the past few months? Correct me if I'm
mistaken, but I believe that one of the proposals offered by Mozilla /
Stanford and EFF sought to address forms of first party tracking. Do I have
that correct?


Thanks - I look forward to hearing your thoughts. 






Excerpt from your paper for the convenience of others.



"When considering harmful web tracking scenarios, we find it helpful to
focus on four variables. First, an actor that causes harm to a consumer. The
actor might, for example, be an authorized employee, malicious employee,
competitor, acquirer, hacker, or government agency. Second, a means of
access that enables the actor to use tracking data. The data might be
voluntarily transferred, sold, stolen, misplaced, or accidentally
distributed. Third, an action that harms the consumer. The action could be,
for example, publication, a less favorable offer, denial of a benefit, or
termination of employment. Last, a particular harm that is inflicted. The
harm might be physical, psychological, or economic.

The countless combinations of these variables result in countless possible
bad outcomes for consumers. To ex- emplify ourthinking, here is one commonly
considered scenario: A hacker (actor) breaksinto a tracking company (means
of access) and publishes its tracking information (action), causing some
embarrassing fact about the consumer to become known and inflicting
emotional distress (harm).9

Risks associated with third-party tracking are heightened by the lack of
market pressure to exercise good security and privacy practices. If a
first-party website is untrustworthy, users may decline to visit it. But,
since users are unaware of the very existence of many third-party websites,
they cannot reward responsible sites and penalize irresponsible sites.10"



(image/png attachment: image001.png)

Received on Thursday, 11 October 2012 21:05:11 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:58 UTC