Chapell - Objection to Editor's draft

From: Alan Chapell <achapell@chapellassociates.com>
Date: Fri, 12 Jul 2013 12:30:57 -0400
To: <public-tracking@w3.org>
Message-ID: <CE05A781.355B5%achapell@chapellassociates.com>
July 12, 2013
Peter Swire
Matthias Schunter
World Wide Web Consortium
32 Vassar Street, 32-G519
Cambridge, Massachusetts 02139
Re: Tracking Protection Working Group July Vote
Dear Peter & Matthias:
I'd like to thank the W3C and the co-chairs for the opportunity to provide
feedback to the June W3C Draft ("Editor's Draft"). I recognize all of the
hard work that has gone into the Editor's Draft.
However, I respectfully object to the Editor's Draft, and strongly encourage
the W3C to use the industry consensus proposal (the "DAA Proposal") as a
starting point for the TPWG's continued work.

The Editor's Draft is harmful to competition.
The potential anti-competitive implications of this working group's output
have been well documented. For example, during a recent hearing at the U.S.
Senate Commerce Committee, several of the committee members raised concerns
about the anti-competitive implications of DNT. Specifically, concerns were
raised about this working group picking winners and losers (Senator Heller),
and there were similar concerns that the W3C process may result in
bolstering a handful of giant Internet companies and ensuring everyone else
goes out of business (Senator McCaskill). Moreover, recent speeches by FTC
Commissioner Ohlhausen raised anti-competitive concerns about this
process, and I've heard similar concerns coming from regulators within the
EU. It is worth noting that the FTC participation in this working group has
focused almost exclusively on privacy with very little mention of the
competitive impact of DNT.

For over two years, the approach of this working group has been to focus
almost exclusively on third-party data collection while imposing few limits
on larger entities. Under any implementation, data is going to be collected
when DNT=1 so it comes down to who gets to collect data and for what
purposes. Ceasing collection by third parties while barely curtailing first
party data collection does not provide consumers with meaningful privacy
protections under any objective analysis. And in light of recent events,
some analysts have noted that concentration of information in a small number
of large entities will have negative repercussions on personal freedoms.

The Editor's Draft continues this trend. I continue to be surprised that so
many working group members who hold themselves out as privacy advocates have
accepted this approach.  The Editor's Draft will negatively impact
competition in the Internet economy, without a positive net benefit to
users' privacy. By favoring first party business models and severely
curtailing third party players (who for the most part use pseudonymous data,
rather than the PII that most first parties hold), it would shift
marketplace incentives toward more first party data collection. The end
result will be less competition and more data collected and associated with
the personally identifiable information of consumers: a poor outcome by any
objective privacy standard.

Conversely, the DAA Proposal offers privacy-enhancing features (e.g.,
removal of the URL string when DNT=1) that are geared to address a core
concern raised by advocates and regulators while minimizing the
anti-competitive impact of DNT.

Section 7 of the Editor's Draft is unclear and conflates Opt-out with DNT
As noted by other WG members, section 7 of the Editor's Draft is confusing,
as it is not clear to which opt-outs the text is referring (user settings
for a specific site? Email marketing opt-outs?). Moreover, most opt-out
choices are recorded utilizing third-party cookies. Any attempt to include
opt-out in a DNT spec is inappropriate without a corresponding requirement
that browsers stop blocking third-party cookies.
More importantly, industry self-regulatory opt-out mechanisms were always
intended to function separately from DNT. DNT is intended to be a global
standard, and the self-regulatory regimes focus on particular regions. I
(and other WG members) have concerns about including a reference to such
programs in a global specification where implementers may be in regions
where the self-regulatory program has not been deployed. Some members of the
working group have suggested that DNT should replace the industry
self-regulatory programs. However, this notion ignores the significant time
and resources invested in self-regulatory programs that were created in
consultation with regulators from multiple jurisdictions. The
self-regulatory programs are effective, while DNT is completely untested to
date. Throwing out the self-regulatory programs in favor of DNT at this
junction would be reckless and could harm consumer privacy interests.

Finally, and as described below, the volume of non-browser, non-user
activated DNT signals is growing at an alarming rate.  Until DNT:1 signals
can be technically structured such that Servers have confidence they were
actually turned on by users, then equating DNT:1 to the industry opt-out
program is impractical.
The Editor's Draft does not offer any mechanism to address the proliferation
of invalid DNT signals
By definition, many of the DNT signals being sent today are out of
compliance with the Editor's Draft. This is not meant to be a criticism of
work done by the browsers to date. Rather, it's meant as a simple
observation: that a significant number of DNT signals were enacted in a
manner that is out of compliance with the User Agent requirements contained
in the Editor's Draft (e.g., the disclosure guidelines in Section 3). In order
to mitigate this issue, the Editor's Draft would need to essentially require
that all enactments of DNT be turned off (set to DNT:unset) so that Users
may reset them in a manner that meets the basic disclosure requirements of
the current spec. 

Perhaps more concerning, the volume of non-browser, non-user activated DNT
signals is growing at an alarming rate.  The cost of adding DNT:1 to the
header is very inexpensive from a technical perspective and we've seen
routers, anti-virus software, plug-ins and other tools set DNT=1 in ways
that violate basic standards of privacy.  To use W3C co-chair Matthias
Schunter's phrase, we're seeing a proliferation of DNT signals "spraying"
into the ecosystem.  While many of us are still hopeful solutions can be
found to contain the issue, the reality for the foreseeable future is that
we'll continue to see invalid implementations of DNT and are unlikely to
consistently be able to distinguish between valid and invalid DNT

Some working group members have asserted that we should simply err on the
side of caution and treat all DNT signals as valid. However, I strongly
believe that this approach would violate long-standing privacy concepts such
as notice, choice, and transparency.

The Editor's Draft exempts browsers and other user agents from prohibitions
against tracking
The Editor's Draft does not prohibit user agents from either: a) taking URL
string to create segments to sell to advertisers (or others) for ad
targeting across the web, or b) enabling other entities to do so. To my
eyes, that type of behavior would be considered tracking and should be
prohibited by the spec. Unfortunately, it is not covered by the Editor's
Draft. If others in the ecosystem are prohibited from tracking, it seems
fair and appropriate that we ensure that similar prohibitions are placed on
user agents. 

The Editor's Draft will result in a low level of adoption
The larger goal of all W3C initiatives is voluntary adoption by implementers
of the standard. Unfortunately, the Editor's Draft suffers from so many
significant flaws that it is unlikely to be adopted by the marketplace. The
entities primarily covered by the proposed DNT standard -- third party
online businesses -- are unlikely to adopt and comply with the approach in
the Editor's Draft, because it is over-broad and anti-competitive, and would
severely curtail their businesses without a commensurate privacy benefit to
consumers. A balanced and narrowly tailored approach that solves specific
privacy concerns while maintaining competition and a diverse internet
economy is much more likely to gain widespread adoption, and ultimately
benefit consumers.
Conversely, the DAA Proposal has a significantly greater chance of receiving
widespread adoption (admittedly, with some polishing). The Editor's Draft
has so many flaws and non-starters for the intended implementers it's not a
useful baseline for continuing discussion, especially in light of the DAA's
proposal which is ostensibly much, much closer to a form that would actually
be accepted by intended implementers. Hence, the DAA Proposal has a
significantly greater chance of receiving widespread adoption.
For the above reasons, I object to the Editor's Draft and encourage the
chairs to move forward with the DAA Proposal.
Alan Chapell  
Chapell & Associates
Received on Friday, 12 July 2013 16:31:32 UTC

