W3C home > Mailing lists > Public > public-tracking@w3.org > July 2013

Re: procedure for posting comments today

From: Lauren Gelman <gelman@blurryedge.com>
Date: Fri, 12 Jul 2013 10:41:05 -0700
Cc: Alan Chapell <achapell@chapellassociates.com>, "public-tracking@w3.org" <public-tracking@w3.org>, Nicholas Doty <npdoty@w3.org>
Message-Id: <7A20EEDD-6D92-414C-AA8E-DB731D10020B@blurryedge.com>
To: Peter Swire <peter@peterswire.net>

Hi Peter.  I can't post objections by logging in since I am not a W3 member-- but that is fair and I will read them all as I remain interested in the process.  Also, on last week's call, I think you said would take an "affirmative decision" of the group to proceed past the July deadline.  Can you explain what that means?  Will there be a vote on the extension after the chairs announce their choice of base text? 

thanks!

Lauren Gelman
@laurengelman
BlurryEdge Strategies
415-627-8512



On Jul 12, 2013, at 9:42 AM, Peter Swire wrote:

> Hello Alan and the group:
> 
> To make it as easy as possible to collect objections in one, viewable place, we are asking that you post your comments/objections to the URL below.  It does require logging in as a working group member:
> 
> https://www.w3.org/2002/09/wbs/49311/datahygiene/
> 
> To view all comments/objections, click here:
> 
> https://www.w3.org/2002/09/wbs/49311/datahygiene/results
> 
> If you experience any technical problems in posting, you can send email to the chairs and to Nick Doty, at npdoty@w3.org.  This will assure that your comments are considered as submitted in time.  We can then assure that your comments get posted.
> 
> This approach avoids duplicative emails to the list.
> 
> Thank you all,
> 
> Peter
> 
> 
> 
> Prof. Peter P. Swire
> C. William O'Neill Professor of Law
> 	Ohio State University
> 240.994.4142
> www.peterswire.net
> 
> Beginning August 2013:
> Nancy J. and Lawrence P. Huang Professor
> Law and Ethics Program
> Scheller College of Business
> Georgia Institute of Technology
> 
> 
> From: Alan Chapell <achapell@chapellassociates.com>
> Date: Friday, July 12, 2013 12:30 PM
> To: "public-tracking@w3.org" <public-tracking@w3.org>
> Subject: Chapell - Objection to Editor's draft
> Resent-From: <public-tracking@w3.org>
> Resent-Date: Friday, July 12, 2013 12:31 PM
> 
> July 12, 2013
>  
> Peter Swire
> Matthias Schunter
> World Wide Web Consortium
> 32 Vassar Street, 32-G519
> Cambridge, Massachusetts 02139
>  
> Re: Tracking Protection Working Group July Vote
>  
> Dear Peter & Matthias:
>  
> Iíd like to thank the W3C and the co-chairs for the opportunity to provide feedback to the June W3C Draft (ďEditorís DraftĒ). I recognize all of the hard work that has gone into the Editorís Draft.
>  
> However, I respectfully object to the Editorís Draft, and strongly encourage the W3C to use the industry consensus proposal (the ďDAA ProposalĒ) as a starting point for the TPWGís continued work.
> 
>  
> The Editorís Draft is harmful to competition.
> The potential anti-competitive implications of this working groupís output have been well documented. For example, during a recent hearing at the U.S. Senate Commerce Committee, several of the committee members raised concerns about the anti-competitive implications of DNT. Specifically, concerns were raised about this working group picking winners and losers (Senator Heller), and there were similar concerns that the W3C process may result in bolstering a handful of giant Internet companies and ensuring everyone else goes out of business (Senator McCaskill). Moreover, recent speeches by FTC Commissioner Commission Olhousen raised anti-competitive concerns about this process, and Iíve heard similar concerns coming from regulators within the EU. It is worth noting that the FTC participation in this working group has focused almost exclusively on privacy with very little mention of the competitive impact of DNT.
>  
> For over two years, the approach of this working group has been to focus almost exclusively on third-party data collection while imposing few limits on larger entities. Under any implementation, data is going to be collected when DNT=1 so it comes down to who gets to collect data and for what purposes. Ceasing collection by third parties while barely curtailing first party data collection does not provide consumers with meaningful privacy protections under any objective analysis. And in light of recent events, some analysts have noted that concentration of information in a small number of large entities will have negative repercussions on personal freedoms. (See http://www.newyorker.com/online/blogs/elements/2013/06/why-monopolies-make-spying-easier.html)
>  
> The Editorís Draft continues this trend. I continue to be surprised that so many working group members who hold themselves out as privacy advocates have accepted this approach.  The Editorís Draft will negatively impact competition in the Internet economy, without a positive net benefit to users' privacy. By favoring first party business models and severely curtailing third party players (who for the most part use pseudonymous data, rather than the PII that most first parties hold), it would shift marketplace incentives toward more first party data collection. The end result will be less competition and more data collected and associated with the personally identifiable information of consumers: a poor outcome by any objective privacy standard.
>  
> Conversely, the DAA Proposal offers privacy-enhancing features (e.g., removal of the URL string when DNT=1) that are geared to address a core concern raised by advocates and regulators while minimizing the anti-competitive impact of DNT.
>  
> Section 7 of the Editorís Draft is unclear and conflates Opt-out with DNT
> As noted by other WG members, section 7 of the Editorís Draft is confusing, as it is not clear to which opt-outs the text is referring (user settings for a specific site? Email marketing opt-outs?). Moreover, most opt-outs choices are recorded utilizing third-party cookies. Any attempt to include opt-out in a DNT spec is inappropriate without a corresponding requirement that browser stop blocking third-party cookies.
>  
> More importantly, industry self-regulatory opt-out mechanisms were always intended to function separately from DNT. DNT is intended to be a global standard, and the self-regulatory regimes focus on particular regions. I (and other WG members) have concerns about including a reference to such programs in a global specification where implementers may be in regions where the self-regulatory program has not been deployed. Some members of the working group have suggested that DNT should replace the industry self-regulatory programs. However, this notion ignores the significant time and resources invested in self-regulatory programs that were created in consultation with regulators from multiple jurisdictions. The self-regulatory programs are effective, while DNT is completely untested to date. Throwing out the self-regulatory programs in favor of DNT at this junction would be reckless and could harm consumer privacy interests.
>  
> Finally, and as described below, the volume of non-browser, non-user activated DNT signals is growing at an alarming rate.  Until DNT:1 signals can be technically structured such that Servers have confidence they were actually turned on by users, then equating DNT:1 to the industry opt-out program is impractical.
>  
> The Editorís Draft does not offer any mechanism to address the proliferation of invalid DNT signals
> By definition, many of the DNT signals being sent today are out of compliance with the Editorís Draft. This is not meant to be a criticism of work done by the browsers to date. Rather, its meant as a simple observation: that a significant number of DNT signals were enacted in a manner that is out of compliance with the User Agent requirements contained the Editorís Draft (e.g., the disclosure guidelines in Section 3). In order to mitigate this issue, the Editorís Draft would need to essentially require that all enactments of DNT be turned off (set to DNT:unset) so that Users may reset them in a manner that meets the basic disclosure requirements of the current spec.
>  
> Perhaps more concerning, the volume of non-browser, non-user activated DNT signals is growing at an alarming rate.  The cost of adding DNT:1 to the header is very inexpensive from a technical perspective and weíve seen routers, anti-virus software, plug-ins and other tools set DNT=1 in ways that violate basic standards of privacy.  To use W3C co-chair Matthias Schunter's phrase, we're seeing a proliferation of DNT signals "spraying" into the ecosystem.  While many of us are still hopeful solutions can be found to contain the issue, the reality for the foreseeable future is that weíll continue to see DNT invalid implementations of DNT and are unlikely to consistently be able to distinguish between valid and invalid DNT implementations.
>  
> Some working group members have asserted that we should simply err on the side of caution and treat all DNT signals as valid. However, I strongly believe that this approach would violate long-standing privacy concepts such as notice, choice, and transparency.
>  
> The Editorís Draft exempts browsers and other user agents from prohibitions against tracking
> The Editorís Draft does not prohibit user agents from either: a) taking URL string to create segments to sell to advertisers (or others) for ad targeting across the web, or b) enabling other entities to do so. To my eyes, that type of behavior would be considered tracking and should be prohibited by the spec. Unfortunately, it is not covered by the Editorís Draft. If others in the ecosystem are prohibited from tracking, it seems fair and appropriate that we ensure that similar prohibitions are placed on user agents.
>  
> The Editorís Draft will result in a low level of adoption
> The larger goal of all W3C initiatives is voluntary adoption by implementers of the standard. Unfortunately, the Editorís Draft suffers from too many significant flaws that it is unlikely to be adopted by the marketplace. The entities primarily covered by the proposed DNT standard -- third party online businesses Ė are unlikely to adopt and comply with the approach in the Editorís Draft, because it is over-broad and anti-competitive, and would severely curtail their businesses without a commensurate privacy benefit to consumers. A balanced and narrowly tailored approach that solves specific privacy concerns while maintaining competition and a diverse internet economy is much more likely to gain widespread adoption, and ultimately benefit consumers.
>  
> Conversely, the DAA Proposal has a significantly greater chance of receiving widespread adoption (admittedly, with some polishing). The Editorís Draft has so many flaws and non-starters for the intended implementers it's not a useful baseline for continuing discussion, especially in light of the DAA's proposal which is ostensibly much, much closer to a form that would actually be accepted by intended implementers. Hence, the DAA Proposal has a significantly greater chance of receiving widespread adoption.
>  
> For the above reasons, I object to the Editorís Draft and encourage the chairs to move forward with the DAA Proposal.
>  
> Respectfully,
>  
> Alan Chapell 
> Chapell & Associates
> 
Received on Friday, 12 July 2013 17:41:29 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:39:53 UTC