Re: Doodle poll for meeting, please respond ASAP & DNT:0 action-346 issue-189

Kimon,

IMO the standard is complete from a technical perspective. Before I get laughed out of the room let me explain.


  *   Every MAJOR browser OEM now supports a shipping browser with the ability to set a Privacy signal value of DNT=1
  *   The ONLY signal value that the Advertising Industry really cares about is DNT=1 as it can affect their financial bottom line
  *   As there (financially) cannot be a default DNT=1 value across the board, the standard MUST support an 'Exception' capability - which it does (JavaScript API)

Therefore from a technical perspective you have the ability for the user to transmit a privacy intention, and for the server to ask for an exception to that intention. The JavaScript API makes Roy's Apache patch irrelevant because the exception can now be used to verify intent. This is ALL covered in sections 3 through 6 of the current spec. While those sections have been refined over the last year they have NOT fundamentally changed from a 'technical perspective'.

Summary…

  *   User can set a privacy preference and transmit that to a server - done and shipping
  *   Server can ask user for an exception to that privacy preference - done and being respected (CNN's advertisers via an HTML UI)

Now people can keep arguing the technical semantics for another year, but I'm willing to bet right now that nothing major will change simply because the financial aspect from the advertisers' viewpoint is covered with the exception capability.

Now let's switch gears from technical/W3C standard to Privacy Policy

IMO Policy will never be finished - it will be argued to the end of time simply because there is NO binary answer to the problem of privacy, unless the Internet becomes an 'Internet of You' with the ability to add significantly more context around the collection, flow and use of my private data.

The W3C is never going to solve the policy problems - all they can do is decide HOW things that are 'legal or illegal' can (perhaps) be accomplished on the wire (part of the reason we still don't have a definition of tracking).

Professor Swire gave a great speech at the CU Boulder last Friday - at some point fairly soon everybody is going to have to agree on a 'solution' because as he eloquently put it, the 'alternatives are NOT worth considering' (regulation).

The browser OEMs do NOT want to deal with one of Professor Swire's 'alternatives', hence every browser now supports DNT=1. In 22 years I've never seen a standard that has shipped in a commercial browser before Last Call - that's HOW seriously the browser OEMs are taking this. They do not want the alternative, and intend to be out ahead of the storm.

They're not waiting anymore for the W3C or the policy advocates - they're already shipping a 'technical' solution.



Peter
_________________________
Peter J. Cranstone
CEO.  3PMobile
Boulder, CO  USA


Improving the Mobile Web Experience

Cell: 720.663.1752
www.3pmobile.com



On Jan 12, 2013, at 4:03 PM, Kimon Zorbas <vp@iabeurope.eu> wrote:

Mike,
we support the pseudonymous data concept. Yet, the key rapporteur does not include it in a workable manner in his report. It's not even voted on.

On standards, we all here in W3C - or most- support voluntary industry standards. Having regulation mandating certain standards is a different approach. Many technology and policy experts do not support the mandating of standards by governments. And there are good reasons: technology (and new standards) move sometimes faster than regulation.

Personally, I am very concerned about such mandates - and an example unrelated to our work: animal tagging had to fulfill a certain standard. That was totally outdated, when I came across it and locked in an entire sector and its control to an outdated technology with serious limitations.

Privacy is too fast moving to empower governments to mandate specific standards.

While we support W3C standards setting, we caution to empower regulators to mandate such standards.

Kind regards,
Kimon


----- Reply message -----
From: "Shane Wiley" <wileys@yahoo-inc.com>
To: "Mike O'Neill" <michael.oneill@baycloud.com>, "'Rigo Wenning'" <rigo@w3.org>
Cc: "public-tracking-international@w3.org" <public-tracking-international@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Subject: Doodle poll for meeting, please respond ASAP & DNT:0 action-346 issue-189
Date: Sat, Jan 12, 2013 9:17 pm



Mike,

Don’t you believe it’s a bit premature to integrate elements of an unofficial version of the Data Protection Regulation into the de-identification discussion?  There is still considerable time (in parliamentary terms) for the draft regulation to undergo significant changes prior to voting.

As for the compliance and scope document not aligning with yet to be official EU regulation, this is purposeful and is what the Global Considerations document is meant to address.

- Shane

From: Mike O'Neill [mailto:michael.oneill@baycloud.com]
Sent: Saturday, January 12, 2013 8:52 AM
To: 'Rigo Wenning'
Cc: public-tracking-international@w3.org; public-tracking@w3.org
Subject: RE: Doodle poll for meeting, please respond ASAP & DNT:0 action-346 issue-189




The European Parliament's Civil Liberties, Justice & Home Affairs committee has published a report on the draft General Data Protection Regulation (DGDPR) which introduces alleviations on data controllers for the use of pseudonymous identifiers. This is similar in concept to the "de-identification" of data for which the meetings in Washington DC and Brussels have been called to discuss. The report also explicitly refers to our W3C Tracking Protection standards.



This report is therefore extremely germane to one of the topics for this group, namely the definition of DNT:0



The new Regulation is expected to come into force this year (although Member States have a further 2 years to enact it) and the views of this crucial committee of democratically elected representatives will inevitably be strongly represented in the final draft. This is important as it refers explicitly to our work and points to the legal context our standard  will ultimately operate under in Europe.



Referring to this report, in the Explanatory Statement paragraph headed Strengthening individuals' rights our standard is referenced:



As the Regulation implements a fundamental right, a limitation of the material scope, particularly as regards the definition of “personal data”, by for instance introducing subjective elements relating to the efforts the data controller should make to identify personal data is rejected. The concept of personal data is further clarified with objective criteria (Article 4(1); Recitals 23 24). Legitimate concerns regarding specific business models can be addressed without denying individuals their fundamental rights. In this context the rapporteur encourages the pseudonymous and anonymous use of services. For the use of pseudonymous data, there could be alleviations with regard to obligations for the data controller (Articles 4(2)(a), 10), Recital 23).



Consent should remain a cornerstone of the EU approach to data protection, since this is the best way for individuals to control data processing activities. Information to data subjects should be presented in easily comprehensible form, such as by standardised logos or icons (Article 11(2a),(2b)). Technical standards that express a subject’s clear wishes may be seen as a valid form of providing explicit consent (Articles 7(2a), 23).



This is made more explicit in Amendment 105 to Article 7 of the DGDPR which introduces a new paragraph (2 a):



If the data subject's consent is to be given in the context of the use of information society services where personal data are processed only in the form of pseudonyms, consent may be given by automated means using a technical standard with general validity in the Union in accordance with paragraph 4c, which allows the data subject to clearly express his or her wishes without collecting identification data.



Justification
This allows for the use of standards such as "Do Not Track", combined with an incentive to use only pseudonymous data based as found e.g. in §15 of the German Tele-Media Law. In order to ensure such a standard is in line with this Regulation, it needs to be approved by the Commission. See related amendments to Articles 4(2a), 7(4c) and Recital 23.

Pseudonymous identifiers are defined in Amendment 85 to Article 4 – introducing new text:



'pseudonym' means a unique identifier which is specific to one given context and which does not permit the direct identification of a natural person, but allows the singling out of a data subject;



Note the qualification that pseudonyms are specific “to one given context”. This requirement is repeated in Amendment 117 to Article 10



If the data processed by a controller do not permit the controller to identify or single out a natural person, or consist only of data relating to pseudonyms, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.



Justification
Data controllers may use a unique identifier for the same person across different services and contexts, while still not being able to identify a natural person on their basis. Pseudonyms as defined in the amendment to Article 4 are limited to a specific context. The amendment makes clear that the article applies to both cases…



Two points arise from this that we should discuss:
• The DNT signal is referred to as a Consent signal (for pseudonymous identifiers). This must mean the DNT:0 User Granted Exception. In this context the absence of a DNT signal or if it is set (DNT:1) would mean that consent had not been given and so no unique identifiers should be used, pseudonymous or otherwise.
• If DNT:0 is indicated, taken as the signaling of explicit user consent by automated means, then pseudonymous identifiers may be used but only in a single context. This must mean that an advertiser, say using their domain origin clickads.com, can only use identifiers within that domain i.e. they must not be shared with other entities, and they must not be associated with other data that could identify the user as a natural person, such as their name, address, email address etc.



The current compliance document is incompatible with both these points because
a. It assumes that an unset DNT signal is equivalent to DNT:0.
b. The DNT:0 signal would signify that identifying data can be shared between entities without a need for further explicit informed consent



Cheers,



Mike



-----Original Message-----
From: Rigo Wenning [mailto:rigo@w3.org]
Sent: 08 January 2013 18:54
To: David Wainberg
Cc: public-tracking-international@w3.org
Subject: Re: Doodle poll for meeting, please respond ASAP



David, Chris,



the topics in this task force are very limited. I enumerated them in the kick-off email:



http://lists.w3.org/Archives/Public/public-tracking-international/2012Nov/0000.html



1/ Definition of DNT:0 (which will more or less define what one can do)
2/ TPE additions
3/ Which form should the EU How-to take (Note, best practice, document for webplatform.org)



Those are my main topics. But I'm open to a debate about more urgent things.



I think this is not interesting for people who only want to make sure the things created do not interfere with their solutions. Because the entire work will be brought back to the entire group anyway for decision. But then, it will be bundled and the ability to influence in detail will be less. After all nobody wants to negotiate all the stuff twice.



But if you're really interested in the solutions found for a regulated market, I think you should closely monitor. We also hope to be able to provide an audio link. But the times will be inconvenient.



Does that answer your questions?



-- Rigo



On Tuesday 08 January 2013 10:21:44 David Wainberg wrote:
> Hi Rigo,
>
> Can you state the agenda for the meeting? I know there have been
> conversations, and I think some thoughts have been tossed around, but
> as we get to making concrete plans it would be helpful to know the
> goals and agenda for the meeting. Thanks much.
>
> Best,
>
> David
>
> On 1/8/13 10:16 AM, Rigo Wenning wrote:
> > Hi all,
> >
> > this is to select the meeting days. We can not go earlier than 21
> > Feb, because people have to prepare for traveling. From that I
> > created the doodle poll for a meeting in Berlin/Germany:
> >
> > http://www.doodle.com/4nxv7trzb34xdvqk
> >
> > Known conferences so far:
> > 6-8 March IAPP Washington DC
> >
> > Please fill out the poll ASAP so we can prepare the invitation and
> > the logistics in time.
> >
> > Best,
> >
> > Rigo

Received on Sunday, 13 January 2013 16:55:17 UTC