Re: Third-Party Web Tracking: Policy and Technology Paper outlining harms of tracking from Rigo Wenning on 2012-10-12 (public-tracking@w3.org from October 2012)

From: Rigo Wenning <rigo@w3.org>
Date: Sat, 13 Oct 2012 01:21:57 +0200
To: Shane Wiley <wileys@yahoo-inc.com>
Cc: "public-tracking@w3.org" <public-tracking@w3.org>, "rob@blaeu.com" <rob@blaeu.com>
Message-ID: <4252761.I3PJQU3BSh@hegel.sophia.w3.org>

Thanks Shane, for the constructive response. 

On Friday 12 October 2012 14:38:56 Shane Wiley wrote:
> If only...  We've been unable to develop a mechanism that works at
> scale and still allows Permitted Uses to operate as intended (aka
> - doesn't create significant business harm).  
> 
> I love this as an aspirational goal going forward but for DNT to
> be implemented in the near-term, unique identifiers will need to
> continue to exist and instead we should keep our initial focus on
> use-based restrictions.

Ok, here we have an open challenge. If we find a near term dirt easy 
thing to do to minimize data collection and maintain frequency 
capping (the only one I see where you want uniqueIDs apart from 
financial, which is obviously uncontroversial), we could progress. I 
think there were proposals on the table and we have to re-iterate 
whether they are suitable. The target is to avoid easy abuse of the 
promise made not to use that for profiles. Note that all the 
profiling is entirely in the sphere of the service, so I can 
understand the lack of total trust that data isn't creatively re-
used with an argumentation of non-identification that could be 
controversial. Not having uniqueID avoids that discussion. 

> 
> Avoiding valid legal requests (what you call 'Spooks') should NOT
> be a goal of DNT in my opinion.  If you don't like the law, then
> work to change the law - not develop technical standards to
> circumvent it.

First of all, whether such requests are legal is in the eye of the 
beholder. As I just learned, my data is not protected against the 
government in the US as I'm not a US citizen. And I can affirm you 
that yours is not protected in the EU against government either. So 
there is some merit in risk management by data minimization that 
also helps to reduce the costs of companies confronted with legal 
information requests. We can't just dismiss that interference 
because it makes too much of the psychological reaction out there to 
be ignored. 

Best, 

Rigo

Received on Friday, 12 October 2012 23:22:23 UTC