Re: Initial Work Plan on Change Proposals, including for next Wednesday

Peter,

We have gotten to the point that the only logical and responsible way forward IMHO is to task industry to chop up the DAA proposal into change proposals and include these in the wiki that Nick painstakingly kept up to date.

Next week, I hope that the group will want to dive deeper into the discussion on de-identification, when Shane and Dan are back. Dan put out a reasonable request on the mailing list, after having put in a lot of work on the topic of de-identification.

Rob


Dan Auerbach <dan@eff.org> wrote:

>Hi Peter and everyone,
>
>I'm unfortunately on vacation next week and won't be available for this
>call. I have given a lot of thought and energy to the de-identification
>and unique id issues, so would like the opportunity to further discuss
>the following week once I'm back before any decisions are made. I will
>catch up with the minutes. I'd love to get to agreement on these
>issues,
>but they are tough and important, so we need to proceed carefully.
>
>Below are some quick comments addressing some of your questions:
>
>On 06/28/2013 02:56 PM, Peter Swire wrote:
>>
>> To the Working Group:
>>
>>  
>>
>>             W3C staff and I express appreciation for the hard and
>> high-quality work that so many of you have put into submitting change
>> proposals to the June Draft.  This email alerts you to the initial
>> work plan, for the coming week.  We wanted to give you this
>> information as soon as possible, and plan to circulate as soon as we
>> can a more complete work plan through the end of July.
>>
>>  
>>
>>             For the call on Wednesday, July 3, we once again may go
>> for up to 120 minutes if ittakes that long to complete the agenda. 
>We
>> will attempt to keep the call to the usual 90 minutes if we can. 
>This
>> email sets forth the current plan for the Wednesday call.
>>
>>  
>>
>>             _De-identification._      
>>
>>  
>>
>>             Perhaps not surprisingly in light of all the work done on
>> the issue, the first topic will be to examine and discuss the
>multiple
>> proposals on de-identification, as well as other provisions relating
>> to identification.
>>
>>  
>>
>>             For this discussion, and comments on the list before
>> Wednesday, we will address the change proposals, alphabetically from:
>> Dan Auerbach, Rob van Eijk, Roy Fielding, and Thomas Schauf, as well
>> as the DAA group.
>>
>>  
>>
>>             For the discussion, and comments prior to Wednesday, it
>> would be helpful to comment on issues including: (1) how to choose
>> between two- and three-stage proposals;
>>
>
>I think the 2 stage proposal is simpler. If we move to a 3 stage
>proposal, the onus is on those advocating for this to (1) properly
>define the yellow stage, and (2) prove that it is useful to the group
>to
>have 3 stages.
>
>Regarding (1), I do not think it has been sufficiently defined. For
>example, what is a "suspect query string" in a URL? What are
>operational
>controls? What granularity is the geo information that supplants IP
>address? What rigorously defined properties does a yellow stage possess
>with respect to risk towards privacy that a red stage lacks? These are
>hard questions, and I'm not sure we will be able to answer them
>rigorously enough.
>
>Regarding (2), I don't think adding a stage has reduced our
>disagreement, but rather just shifted it. Whereas in the two stage
>process, we disagreed about the definition of de-identification and how
>it would apply to non-normative examples, with a three stage process,
>we
>now disagree with how much value the yellow stage has. Modulo
>definitional issues, I'm comfortable with a yellow stage as stated,
>provided it is used in an incredibly limited way and things move very
>quickly to green. I suspect that Shane disagrees with this, and thinks
>there is a lot of value in yellow. Given that we've just shifted
>disagreement, I'm not sure it's really a step forward.
>
>Also as a matter of politeness, since we agreed in Sunnyvale that we
>would come up with a new name for "yellow" given that both
>"de-identified" and "pseudonymous" were too contentious, I'd appreciate
>it if we could avoid using the latter two terms when talking about the
>3
>state proposal. Let's just use the placeholder "yellow" until we agree
>on what the state should be called.
>
>> (2) the pros and cons of the DAA proposed changed language, compared
>> to the longstanding focus on language similar to the FTC’s three-part
>> test; (3) clarifying any similarities and differences between Rob’s
>> approach and the other two; and (4) how to think about the use of
>> non-normative text here inaddition to normative text.
>>
>On (4), I very much agree with Adrian's comment on a call that if we
>can't begin to see close to eye to eye with respect to non-normative
>examples, it would be unwise to fool ourselves into thinking we have
>agreement. We have a concrete use case that is in contention that
>doesn't strike me as an edge case: a browsing history tied together by
>unique identifiers that stretches over a long time span, and has some
>fields altered, for example IP->Geo. Is this de-identified or not? If
>we
>can't answer that question, we don't have a good idea of what we are
>trying to define by the term.
>
>>  
>>
>>              _Identification and Unique Identifiers._
>>
>>  
>>
>>             Another issue on identification and de-identification
>> concerns the June Draft text  that “Third parties MUST NOT rely on
>> unique identifiers for users or devices if alternative solutions are
>> reasonably available.”
>>
>>  
>>
>>             Amy Colando proposed a change to add “technically
>> feasible” after “reasonably available.”
>>
>>  
>>
>>             The DAA group proposed deleting this provision entirely.
>>
>>  
>>
>>             For this discussion, it would be helpful to have comments
>> and discussion on issues including: (1) the clarity (or lack thereof)
>> of “reasonably available” and “technically feasible”; (2) evidence
>> that such alternatives are available today or may soon be available;
>> and (3) reasons for or against shifting to alternatives if they
>become
>> “reasonably available” and/or “technically feasible.”
>>
>My biggest problem with this language is the lack of clarity regarding
>"technically feasible" and "reasonably available", and it's puzzling
>since no-unique-id solutions exist today. After discussion with various
>people, I don't think that it's too high a bar to forego the use of
>unique ids for DNT:1 users, except in one-off situations. For example,
>large successful ad companies have existed which do not use unique ids.
>I have yet to hear a compelling need, but for web companies that may
>have one that hasn't been raised in this working group, they are free
>to
>not implement this voluntary tracking standard.
>
>>  
>>
>>              _The DAA Group proposal._
>>
>>  
>>
>>             After these discussions, the DAA group is invited to
>> explain to the group its overall proposal for a path forward to Last
>> Call.  As I understand it, the DAA group has presented an integrated,
>> overall proposal, where it would support what essentially is a
>package
>> of proposed changes to the June Draft. 
>>
>>  
>>
>>             With a presentation of this integrated package, the group
>> can ask questions to clarify the multiple proposed changes, and begin
>> a process of identifying areas where others in the group may agree to
>> the proposal, or an amended version of theproposal, or else
>articulate
>> reasons why they would not join a consensus on the proposal.
>>
>>  
>>
>>             In terms of work leading up to Wednesday’s call, please
>> make proposed language changes directly to the wikis, while
>explaining
>> the rationale for changes to the full list.
>>
>>  
>>
>>             Thank you, and information on other next steps will
>> follow.  (I note, however, that I likely will have limited
>> connectivity this weekend.)
>>
>>  
>>
>>             Peter
>>
>>
>> P.S. Please feel free to be working on the other change issues as
>> well, as a way to move forward as effectively as possible.  The point
>> of this email is to highlight the group work in the coming days.
>>
>>  
>>
>>  
>>
>>  
>>
>>
>>
>> Prof. Peter P. Swire
>> C. William O'Neill Professor of Law
>> Ohio State University
>> 240.994.4142
>> www.peterswire.net
>>
>> Beginning August 2013:
>> Nancy J. and Lawrence P. Huang Professor
>> Law and Ethics Program
>> Scheller College of Business
>> Georgia Institute of Technology
>>

Received on Wednesday, 3 July 2013 19:14:41 UTC