- From: Peter Swire <peter@peterswire.net>
- Date: Fri, 12 Jul 2013 09:48:08 -0700
- To: Alan Chapell <achapell@chapellassociates.com>, "public-tracking@w3.org" <public-tracking@w3.org>
- CC: Nicholas Doty <npdoty@w3.org>
- Message-ID: <CE05AB3E.913D7%peter@peterswire.net>
Alan: Ok. The link is now posted, so that worked. For the group, this shows a back-up procedure if for some reason you have trouble posting directly. Thank you, Peter Prof. Peter P. Swire C. William O'Neill Professor of Law Ohio State University 240.994.4142 www.peterswire.net Beginning August 2013: Nancy J. and Lawrence P. Huang Professor Law and Ethics Program Scheller College of Business Georgia Institute of Technology From: Alan Chapell <achapell@chapellassociates.com<mailto:achapell@chapellassociates.com>> Date: Friday, July 12, 2013 12:45 PM To: Peter Swire <peter@peterswire.net<mailto:peter@peterswire.net>>, "public-tracking@w3.org<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>> Cc: Nicholas Doty <npdoty@w3.org<mailto:npdoty@w3.org>> Subject: Re: procedure for posting comments today Hi Peter - Thanks. I tried to submit my vote earlier, but it was rejected by the system. It may have to do with the length. Nick kindly suggested that I post it to the list, and then offer a link to my email in my response (which I did). Please let me know if it wasn't received. Thanks! From: Peter Swire <peter@peterswire.net<mailto:peter@peterswire.net>> Date: Friday, July 12, 2013 12:42 PM To: Alan Chapell <achapell@chapellassociates.com<mailto:achapell@chapellassociates.com>>, "public-tracking@w3.org<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>> Cc: Nicholas Doty <npdoty@w3.org<mailto:npdoty@w3.org>> Subject: procedure for posting comments today Hello Alan and the group: To make it as easy as possible to collect objections in one, viewable place, we are asking that you post your comments/objections to the URL below. It does require logging in as a working group member: https://www.w3.org/2002/09/wbs/49311/datahygiene/ To view all comments/objections, click here: https://www.w3.org/2002/09/wbs/49311/datahygiene/results If you experience any technical problems in posting, you can send email to the chairs and to Nick Doty, at npdoty@w3.org<mailto:npdoty@w3.org>. This will assure that your comments are considered as submitted in time. We can then assure that your comments get posted. This approach avoids duplicative emails to the list. Thank you all, Peter Prof. Peter P. Swire C. William O'Neill Professor of Law Ohio State University 240.994.4142 www.peterswire.net Beginning August 2013: Nancy J. and Lawrence P. Huang Professor Law and Ethics Program Scheller College of Business Georgia Institute of Technology From: Alan Chapell <achapell@chapellassociates.com<mailto:achapell@chapellassociates.com>> Date: Friday, July 12, 2013 12:30 PM To: "public-tracking@w3.org<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>> Subject: Chapell - Objection to Editor's draft Resent-From: <public-tracking@w3.org<mailto:public-tracking@w3.org>> Resent-Date: Friday, July 12, 2013 12:31 PM July 12, 2013 Peter Swire Matthias Schunter World Wide Web Consortium 32 Vassar Street, 32-G519 Cambridge, Massachusetts 02139 Re: Tracking Protection Working Group July Vote Dear Peter & Matthias: I’d like to thank the W3C and the co-chairs for the opportunity to provide feedback to the June W3C Draft (“Editor’s Draft”). I recognize all of the hard work that has gone into the Editor’s Draft. However, I respectfully object to the Editor’s Draft, and strongly encourage the W3C to use the industry consensus proposal (the “DAA Proposal”) as a starting point for the TPWG’s continued work. The Editor’s Draft is harmful to competition. The potential anti-competitive implications of this working group’s output have been well documented. For example, during a recent hearing at the U.S. Senate Commerce Committee, several of the committee members raised concerns about the anti-competitive implications of DNT. Specifically, concerns were raised about this working group picking winners and losers (Senator Heller), and there were similar concerns that the W3C process may result in bolstering a handful of giant Internet companies and ensuring everyone else goes out of business (Senator McCaskill). Moreover, recent speeches by FTC Commissioner Commission Olhousen raised anti-competitive concerns about this process, and I’ve heard similar concerns coming from regulators within the EU. It is worth noting that the FTC participation in this working group has focused almost exclusively on privacy with very little mention of the competitive impact of DNT. For over two years, the approach of this working group has been to focus almost exclusively on third-party data collection while imposing few limits on larger entities. Under any implementation, data is going to be collected when DNT=1 so it comes down to who gets to collect data and for what purposes. Ceasing collection by third parties while barely curtailing first party data collection does not provide consumers with meaningful privacy protections under any objective analysis. And in light of recent events, some analysts have noted that concentration of information in a small number of large entities will have negative repercussions on personal freedoms. (See http://www.newyorker.com/online/blogs/elements/2013/06/why-monopolies-make-spying-easier.html) The Editor’s Draft continues this trend. I continue to be surprised that so many working group members who hold themselves out as privacy advocates have accepted this approach. The Editor’s Draft will negatively impact competition in the Internet economy, without a positive net benefit to users' privacy. By favoring first party business models and severely curtailing third party players (who for the most part use pseudonymous data, rather than the PII that most first parties hold), it would shift marketplace incentives toward more first party data collection. The end result will be less competition and more data collected and associated with the personally identifiable information of consumers: a poor outcome by any objective privacy standard. Conversely, the DAA Proposal offers privacy-enhancing features (e.g., removal of the URL string when DNT=1) that are geared to address a core concern raised by advocates and regulators while minimizing the anti-competitive impact of DNT. Section 7 of the Editor’s Draft is unclear and conflates Opt-out with DNT As noted by other WG members, section 7 of the Editor’s Draft is confusing, as it is not clear to which opt-outs the text is referring (user settings for a specific site? Email marketing opt-outs?). Moreover, most opt-outs choices are recorded utilizing third-party cookies. Any attempt to include opt-out in a DNT spec is inappropriate without a corresponding requirement that browser stop blocking third-party cookies. More importantly, industry self-regulatory opt-out mechanisms were always intended to function separately from DNT. DNT is intended to be a global standard, and the self-regulatory regimes focus on particular regions. I (and other WG members) have concerns about including a reference to such programs in a global specification where implementers may be in regions where the self-regulatory program has not been deployed. Some members of the working group have suggested that DNT should replace the industry self-regulatory programs. However, this notion ignores the significant time and resources invested in self-regulatory programs that were created in consultation with regulators from multiple jurisdictions. The self-regulatory programs are effective, while DNT is completely untested to date. Throwing out the self-regulatory programs in favor of DNT at this junction would be reckless and could harm consumer privacy interests. Finally, and as described below, the volume of non-browser, non-user activated DNT signals is growing at an alarming rate. Until DNT:1 signals can be technically structured such that Servers have confidence they were actually turned on by users, then equating DNT:1 to the industry opt-out program is impractical. The Editor’s Draft does not offer any mechanism to address the proliferation of invalid DNT signals By definition, many of the DNT signals being sent today are out of compliance with the Editor’s Draft. This is not meant to be a criticism of work done by the browsers to date. Rather, its meant as a simple observation: that a significant number of DNT signals were enacted in a manner that is out of compliance with the User Agent requirements contained the Editor’s Draft (e.g., the disclosure guidelines in Section 3). In order to mitigate this issue, the Editor’s Draft would need to essentially require that all enactments of DNT be turned off (set to DNT:unset) so that Users may reset them in a manner that meets the basic disclosure requirements of the current spec. Perhaps more concerning, the volume of non-browser, non-user activated DNT signals is growing at an alarming rate. The cost of adding DNT:1 to the header is very inexpensive from a technical perspective and we’ve seen routers, anti-virus software, plug-ins and other tools set DNT=1 in ways that violate basic standards of privacy. To use W3C co-chair Matthias Schunter's phrase, we're seeing a proliferation of DNT signals "spraying" into the ecosystem. While many of us are still hopeful solutions can be found to contain the issue, the reality for the foreseeable future is that we’ll continue to see DNT invalid implementations of DNT and are unlikely to consistently be able to distinguish between valid and invalid DNT implementations. Some working group members have asserted that we should simply err on the side of caution and treat all DNT signals as valid. However, I strongly believe that this approach would violate long-standing privacy concepts such as notice, choice, and transparency. The Editor’s Draft exempts browsers and other user agents from prohibitions against tracking The Editor’s Draft does not prohibit user agents from either: a) taking URL string to create segments to sell to advertisers (or others) for ad targeting across the web, or b) enabling other entities to do so. To my eyes, that type of behavior would be considered tracking and should be prohibited by the spec. Unfortunately, it is not covered by the Editor’s Draft. If others in the ecosystem are prohibited from tracking, it seems fair and appropriate that we ensure that similar prohibitions are placed on user agents. The Editor’s Draft will result in a low level of adoption The larger goal of all W3C initiatives is voluntary adoption by implementers of the standard. Unfortunately, the Editor’s Draft suffers from too many significant flaws that it is unlikely to be adopted by the marketplace. The entities primarily covered by the proposed DNT standard -- third party online businesses – are unlikely to adopt and comply with the approach in the Editor’s Draft, because it is over-broad and anti-competitive, and would severely curtail their businesses without a commensurate privacy benefit to consumers. A balanced and narrowly tailored approach that solves specific privacy concerns while maintaining competition and a diverse internet economy is much more likely to gain widespread adoption, and ultimately benefit consumers. Conversely, the DAA Proposal has a significantly greater chance of receiving widespread adoption (admittedly, with some polishing). The Editor’s Draft has so many flaws and non-starters for the intended implementers it's not a useful baseline for continuing discussion, especially in light of the DAA's proposal which is ostensibly much, much closer to a form that would actually be accepted by intended implementers. Hence, the DAA Proposal has a significantly greater chance of receiving widespread adoption. For the above reasons, I object to the Editor’s Draft and encourage the chairs to move forward with the DAA Proposal. Respectfully, Alan Chapell Chapell & Associates
Received on Friday, 12 July 2013 16:48:40 UTC