- From: Alan Chapell <achapell@chapellassociates.com>
- Date: Fri, 12 Jul 2013 12:30:57 -0400
- To: <public-tracking@w3.org>
- Message-ID: <CE05A781.355B5%achapell@chapellassociates.com>
July 12, 2013 Peter Swire Matthias Schunter World Wide Web Consortium 32 Vassar Street, 32-G519 Cambridge, Massachusetts 02139 Re: Tracking Protection Working Group July Vote Dear Peter & Matthias: Iıd like to thank the W3C and the co-chairs for the opportunity to provide feedback to the June W3C Draft (³Editorıs Draft²). I recognize all of the hard work that has gone into the Editorıs Draft. However, I respectfully object to the Editorıs Draft, and strongly encourage the W3C to use the industry consensus proposal (the ³DAA Proposal²) as a starting point for the TPWGıs continued work. The Editorıs Draft is harmful to competition. The potential anti-competitive implications of this working groupıs output have been well documented. For example, during a recent hearing at the U.S. Senate Commerce Committee, several of the committee members raised concerns about the anti-competitive implications of DNT. Specifically, concerns were raised about this working group picking winners and losers (Senator Heller), and there were similar concerns that the W3C process may result in bolstering a handful of giant Internet companies and ensuring everyone else goes out of business (Senator McCaskill). Moreover, recent speeches by FTC Commissioner Commission Olhousen raised anti-competitive concerns about this process, and Iıve heard similar concerns coming from regulators within the EU. It is worth noting that the FTC participation in this working group has focused almost exclusively on privacy with very little mention of the competitive impact of DNT. For over two years, the approach of this working group has been to focus almost exclusively on third-party data collection while imposing few limits on larger entities. Under any implementation, data is going to be collected when DNT=1 so it comes down to who gets to collect data and for what purposes. Ceasing collection by third parties while barely curtailing first party data collection does not provide consumers with meaningful privacy protections under any objective analysis. And in light of recent events, some analysts have noted that concentration of information in a small number of large entities will have negative repercussions on personal freedoms. (See http://www.newyorker.com/online/blogs/elements/2013/06/why-monopolies-make-s pying-easier.html) The Editorıs Draft continues this trend. I continue to be surprised that so many working group members who hold themselves out as privacy advocates have accepted this approach. The Editorıs Draft will negatively impact competition in the Internet economy, without a positive net benefit to users' privacy. By favoring first party business models and severely curtailing third party players (who for the most part use pseudonymous data, rather than the PII that most first parties hold), it would shift marketplace incentives toward more first party data collection. The end result will be less competition and more data collected and associated with the personally identifiable information of consumers: a poor outcome by any objective privacy standard. Conversely, the DAA Proposal offers privacy-enhancing features (e.g., removal of the URL string when DNT=1) that are geared to address a core concern raised by advocates and regulators while minimizing the anti-competitive impact of DNT. Section 7 of the Editorıs Draft is unclear and conflates Opt-out with DNT As noted by other WG members, section 7 of the Editorıs Draft is confusing, as it is not clear to which opt-outs the text is referring (user settings for a specific site? Email marketing opt-outs?). Moreover, most opt-outs choices are recorded utilizing third-party cookies. Any attempt to include opt-out in a DNT spec is inappropriate without a corresponding requirement that browser stop blocking third-party cookies. More importantly, industry self-regulatory opt-out mechanisms were always intended to function separately from DNT. DNT is intended to be a global standard, and the self-regulatory regimes focus on particular regions. I (and other WG members) have concerns about including a reference to such programs in a global specification where implementers may be in regions where the self-regulatory program has not been deployed. Some members of the working group have suggested that DNT should replace the industry self-regulatory programs. However, this notion ignores the significant time and resources invested in self-regulatory programs that were created in consultation with regulators from multiple jurisdictions. The self-regulatory programs are effective, while DNT is completely untested to date. Throwing out the self-regulatory programs in favor of DNT at this junction would be reckless and could harm consumer privacy interests. Finally, and as described below, the volume of non-browser, non-user activated DNT signals is growing at an alarming rate. Until DNT:1 signals can be technically structured such that Servers have confidence they were actually turned on by users, then equating DNT:1 to the industry opt-out program is impractical. The Editorıs Draft does not offer any mechanism to address the proliferation of invalid DNT signals By definition, many of the DNT signals being sent today are out of compliance with the Editorıs Draft. This is not meant to be a criticism of work done by the browsers to date. Rather, its meant as a simple observation: that a significant number of DNT signals were enacted in a manner that is out of compliance with the User Agent requirements contained the Editorıs Draft (e.g., the disclosure guidelines in Section 3). In order to mitigate this issue, the Editorıs Draft would need to essentially require that all enactments of DNT be turned off (set to DNT:unset) so that Users may reset them in a manner that meets the basic disclosure requirements of the current spec. Perhaps more concerning, the volume of non-browser, non-user activated DNT signals is growing at an alarming rate. The cost of adding DNT:1 to the header is very inexpensive from a technical perspective and weıve seen routers, anti-virus software, plug-ins and other tools set DNT=1 in ways that violate basic standards of privacy. To use W3C co-chair Matthias Schunter's phrase, we're seeing a proliferation of DNT signals "spraying" into the ecosystem. While many of us are still hopeful solutions can be found to contain the issue, the reality for the foreseeable future is that weıll continue to see DNT invalid implementations of DNT and are unlikely to consistently be able to distinguish between valid and invalid DNT implementations. Some working group members have asserted that we should simply err on the side of caution and treat all DNT signals as valid. However, I strongly believe that this approach would violate long-standing privacy concepts such as notice, choice, and transparency. The Editorıs Draft exempts browsers and other user agents from prohibitions against tracking The Editorıs Draft does not prohibit user agents from either: a) taking URL string to create segments to sell to advertisers (or others) for ad targeting across the web, or b) enabling other entities to do so. To my eyes, that type of behavior would be considered tracking and should be prohibited by the spec. Unfortunately, it is not covered by the Editorıs Draft. If others in the ecosystem are prohibited from tracking, it seems fair and appropriate that we ensure that similar prohibitions are placed on user agents. The Editorıs Draft will result in a low level of adoption The larger goal of all W3C initiatives is voluntary adoption by implementers of the standard. Unfortunately, the Editorıs Draft suffers from too many significant flaws that it is unlikely to be adopted by the marketplace. The entities primarily covered by the proposed DNT standard -- third party online businesses are unlikely to adopt and comply with the approach in the Editorıs Draft, because it is over-broad and anti-competitive, and would severely curtail their businesses without a commensurate privacy benefit to consumers. A balanced and narrowly tailored approach that solves specific privacy concerns while maintaining competition and a diverse internet economy is much more likely to gain widespread adoption, and ultimately benefit consumers. Conversely, the DAA Proposal has a significantly greater chance of receiving widespread adoption (admittedly, with some polishing). The Editorıs Draft has so many flaws and non-starters for the intended implementers it's not a useful baseline for continuing discussion, especially in light of the DAA's proposal which is ostensibly much, much closer to a form that would actually be accepted by intended implementers. Hence, the DAA Proposal has a significantly greater chance of receiving widespread adoption. For the above reasons, I object to the Editorıs Draft and encourage the chairs to move forward with the DAA Proposal. Respectfully, Alan Chapell Chapell & Associates
Received on Friday, 12 July 2013 16:31:32 UTC