Re: procedure for posting comments today from Peter Swire on 2013-07-12 (public-tracking@w3.org from July 2013)

From: Peter Swire <peter@peterswire.net>
Date: Fri, 12 Jul 2013 14:18:48 -0700
To: Lou Mastria <lou@aboutads.info>, Alan Chapell <achapell@chapellassociates.com>, "public-tracking@w3.org" <public-tracking@w3.org>
CC: Nicholas Doty <npdoty@w3.org>
Message-ID: <CE05EAD5.914B4%peter@peterswire.net>
Hello Lou:

I am confirming receipt.

Thank you, and a good weekend to east coast US folks who have hit 5 p.m. on Friday night.

Peter


Prof. Peter P. Swire
C. William O'Neill Professor of Law
Ohio State University
240.994.4142
www.peterswire.net

Beginning August 2013:
Nancy J. and Lawrence P. Huang Professor
Law and Ethics Program
Scheller College of Business
Georgia Institute of Technology


From: Lou Mastria <lou@aboutads.info<mailto:lou@aboutads.info>>
Date: Friday, July 12, 2013 5:02 PM
To: Peter Swire <peter@peterswire.net<mailto:peter@peterswire.net>>, Alan Chapell <achapell@chapellassociates.com<mailto:achapell@chapellassociates.com>>, "public-tracking@w3.org<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Cc: Nicholas Doty <npdoty@w3.org<mailto:npdoty@w3.org>>
Subject: RE: procedure for posting comments today

I seem to have run into the same issue…
Below, please find DAA’s submission in objection to the Editors’ Draft.
Please confirm receipt.

Thank you and have a good weekend.

Lou

The Digital Advertising Alliance (DAA) is gratified to be part of a consensus solution regarding what constitutes effective consumer privacy protection, in a transparent, forthright manner, as a participant in the Tracking Protection Working Group.  DAA believes that any next steps in the process must incorporate technological specifications in “do not track” signals in a manner that allows the Internet to remain innovative, open and competitive to all, and facilitates programmatic support for privacy where the consumer, himself or herself, is in control.

We thank the World Wide Web Consortium (W3C) for the opportunity to provide comment on the current draft – and we will direct our comments on where we believe real consensus can be achieved, and where it cannot.  We embrace W3C’s mission to facilitate the functionality of the Internet – and our bias is toward enabling responsible information use of the Internet for marketing purposes in a manner that affords to consumers both transparency and choice in how data regarding their own Internet experiences are collected and used.

The reality is that DNT has become conflated with a misperception that the Internet can function without data being shared. There is a reality, too, that we believe all of the Group agrees upon which says that this is not the case – that this is simply hype. That being the case, the more prudent approach is not to focus on data collection, but rather on responsible, transparent and enforceable data use. Transparency, user choice and use limitations are hallmarks of good privacy design. The industry consensus proposal appropriately focuses on these core elements. The Editors’ Draft does not.

DAA Representation Reflects a Broad Spectrum of Digital Display Advertising Ecosystem
DAA represents a broad coalition of companies and organizations that serve interest-based advertising (IBA) – also known as online behavioral advertising, a thriving component of the Internet economy that enables relevant advertising served to Internet users based, in part, on recent page visits. IBA delivers 2X cpm to publishers (big and small) of Internet content and services and consumers click on it 2X as much as more generic forms of online ads – a true win-win. Such advertising helps to finance a diverse Internet experience based on a device’s online activity, and in a largely de-identified manner. Consumers can opt out of such activity by visiting DAA’s Consumer Choice page – accessible in the United States through www.aboutads.info<http://www.aboutads.info> and www.youradchoices.com<http://www.youradchoices.com>, and replicated in similar DAA-partner sites in 30 nations worldwide. Consumers are presented this choice currently at a rate of 1 trillion times per month with just-in-time notice.

Further, the DAA Principles which guide this program specify restrictions on acceptable information use of online data, security, and, importantly, independent enforcement. The Principles also apply to the mobile Web, and will soon include guidance for mobile applications as well. Overall, the program has been commended by the US White House, and achieved acknowledged support from regulators in the US and the EU.

(One ministerial clarification…while Option A has come to be called the DAA Proposal, it is important to note that this consensus approach was developed and submitted by a an entire cross-section of responsible industry entities who all seek to provide a pragmatic way forward that achieves real privacy protections while continuing to support the ad-funded Internet we’ve all come to love.)

The Editors’ Draft Needs Further Refinement to Protect Internet Diversity in Content, Programmatic Support for Self-Regulation Worldwide, and Real Privacy Protection for Consumers

DAA directs its remarks to three specific areas of concern in the Editors’ Draft.

We understand that other organizations represented among DAA’s leadership – 4A’s, American Advertising Federation, Association of National Advertisers, Direct Marketing Association, Interactive Advertising Bureau, Network Advertising Initiative – that are also TPWG participants may have additional comments of their own, to which DAA also subscribes.

1.            The Editors’ Draft appears to overreach by attempting to eliminate a business model (interest-based ads) as a way to achieve a privacy goal. The reality is that these two things are NOT mutually exclusive…and, with the implementation of the DAA Principles, they represent a quantum leap in privacy protection for consumers from the old days of notice exclusively living in privacy policies. Furthermore, we believe that proposals, such as browsing history aggregation scoring and de-identification, demonstrate that ad customization can be achieved in a privacy-friendly way, and that it may be possible to have a well-balanced and tailored approach that advances privacy while preserving competition, continuing to help ad-funded content and gaining a high rate of adoption.
Consumers are pragmatic toward relevant advertising – and understand the value exchange that comes from having diverse content on the Internet that is ad-funded.  A recent (April 2013) Zogby poll, commissioned by DAA, shows that:
•             92 percent of Americans think free content like news, weather and blogs is
important to the overall value of the Internet
•             75 percent prefer ad supported content to paying for ad-free content
•             68 percent prefer to get at least some ads Internet directed at their interests
•             75 percent prefer to make their decisions about relevant advertisements – not rely on decisions of governments of browser makers
•             40 percent prefer to get all their ads directed to their interests

Such expectations of consumers need to be reflected and respected in the TPWG process. Notice, choice and default do-not-track settings and mechanisms need to remain in consumers’ hands, while enabling the Internet to function with ad-supported content, with a bias toward the widest diversity of content, the widest of diversity of sites and the widest diversity of advertisers to enable such experiences for the consumer.

2.            A balanced and narrowly tailored approach that solves specific privacy concerns while maintaining competition and a diverse Internet economy is much more likely to gain widespread adoption, and ultimately benefit consumers with a net privacy gain through better hygiene, de-linking and de-identification of data. The Editors’ Draft, even though conceived after the May face to face meetings, did not include this type of balanced provision. That is unfortunate and yet another reason why the industry consensus proposal remains the best approach moving forward. Furthermore, we already have a successful model in place for enforcing data use compliance through the DAA. DAA would call on its program participants to comply with a specification that met the twin goals of advancing privacy and advancing the ad-funded internet. To date, 100-percent of enforcement actions by DAA, among them 19 by the Council of Better Business Bureaus, have been resolved successfully. That is effective enforcement with teeth.

3.            The Editors’ Draft recommendation does not consider the “tri-state approach” regarding data collection and permissible uses reflected in the May 6-8, 2013, “consensus action summary.”  This proposal can provide heightened privacy protections while still allowing an IBA-funded internet.  A study by Professor Catherine Tucker of MIT Sloan School of Management, regarding the EU e-Privacy Directive, shows that ad performance suffers when interest-based ads are disallowed: ad performance drops off by 65 percent. Barring interest-based ads would institutionalize such advertising underperformance while affording no real consumer privacy protection interest.  Balance must be achieved between consumer privacy and a thriving, diverse and free Internet – and the “tri-state approach” enables this mutually-beneficial outcome.

Again, we thank W3C and TPWG for its efforts to balance all interests – but to do so in a manner that protects overall Internet functionality, productivity and diversity in a manner that supports consumer privacy protection in its specifications while providing the ability for legitimate, responsible and transparent business models that continue to support ad-funded content.


From: Peter Swire [mailto:peter@peterswire.net<mailto:peter@peterswire.net>]
Sent: Friday, July 12, 2013 12:48 PM
To: Alan Chapell; public-tracking@w3.org<mailto:public-tracking@w3.org>
Cc: Nicholas Doty
Subject: Re: procedure for posting comments today

Alan:

Ok.  The link is now posted, so that worked.

For the group, this shows a back-up procedure if for some reason you have trouble posting directly.

Thank you,

Peter



Prof. Peter P. Swire
C. William O'Neill Professor of Law
                Ohio State University
240.994.4142
www.peterswire.net<http://www.peterswire.net>

Beginning August 2013:
Nancy J. and Lawrence P. Huang Professor
Law and Ethics Program
Scheller College of Business
Georgia Institute of Technology


From: Alan Chapell <achapell@chapellassociates.com<mailto:achapell@chapellassociates.com>>
Date: Friday, July 12, 2013 12:45 PM
To: Peter Swire <peter@peterswire.net<mailto:peter@peterswire.net>>, "public-tracking@w3.org<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Cc: Nicholas Doty <npdoty@w3.org<mailto:npdoty@w3.org>>
Subject: Re: procedure for posting comments today

Hi Peter -

Thanks. I tried to submit my vote earlier, but it was rejected by the system. It may have to do with the length. Nick kindly suggested that I post it to the list, and then offer a link to my email in my response (which I did).

Please let me know if it wasn't received.

Thanks!


From: Peter Swire <peter@peterswire.net<mailto:peter@peterswire.net>>
Date: Friday, July 12, 2013 12:42 PM
To: Alan Chapell <achapell@chapellassociates.com<mailto:achapell@chapellassociates.com>>, "public-tracking@w3.org<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Cc: Nicholas Doty <npdoty@w3.org<mailto:npdoty@w3.org>>
Subject: procedure for posting comments today

Hello Alan and the group:

To make it as easy as possible to collect objections in one, viewable place, we are asking that you post your comments/objections to the URL below.  It does require logging in as a working group member:

https://www.w3.org/2002/09/wbs/49311/datahygiene/

To view all comments/objections, click here:

https://www.w3.org/2002/09/wbs/49311/datahygiene/results

If you experience any technical problems in posting, you can send email to the chairs and to Nick Doty, at npdoty@w3.org<mailto:npdoty@w3.org>.  This will assure that your comments are considered as submitted in time.  We can then assure that your comments get posted.

This approach avoids duplicative emails to the list.

Thank you all,

Peter



Prof. Peter P. Swire
C. William O'Neill Professor of Law
Ohio State University
240.994.4142
www.peterswire.net<http://www.peterswire.net>

Beginning August 2013:
Nancy J. and Lawrence P. Huang Professor
Law and Ethics Program
Scheller College of Business
Georgia Institute of Technology


From: Alan Chapell <achapell@chapellassociates.com<mailto:achapell@chapellassociates.com>>
Date: Friday, July 12, 2013 12:30 PM
To: "public-tracking@w3.org<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Chapell - Objection to Editor's draft
Resent-From: <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Resent-Date: Friday, July 12, 2013 12:31 PM

July 12, 2013

Peter Swire
Matthias Schunter
World Wide Web Consortium
32 Vassar Street, 32-G519
Cambridge, Massachusetts 02139

Re: Tracking Protection Working Group July Vote

Dear Peter & Matthias:

I’d like to thank the W3C and the co-chairs for the opportunity to provide feedback to the June W3C Draft (“Editor’s Draft”). I recognize all of the hard work that has gone into the Editor’s Draft.

However, I respectfully object to the Editor’s Draft, and strongly encourage the W3C to use the industry consensus proposal (the “DAA Proposal”) as a starting point for the TPWG’s continued work.


The Editor’s Draft is harmful to competition.
The potential anti-competitive implications of this working group’s output have been well documented. For example, during a recent hearing at the U.S. Senate Commerce Committee, several of the committee members raised concerns about the anti-competitive implications of DNT. Specifically, concerns were raised about this working group picking winners and losers (Senator Heller), and there were similar concerns that the W3C process may result in bolstering a handful of giant Internet companies and ensuring everyone else goes out of business (Senator McCaskill). Moreover, recent speeches by FTC Commissioner Commission Olhousen raised anti-competitive concerns about this process, and I’ve heard similar concerns coming from regulators within the EU. It is worth noting that the FTC participation in this working group has focused almost exclusively on privacy with very little mention of the competitive impact of DNT.


For over two years, the approach of this working group has been to focus almost exclusively on third-party data collection while imposing few limits on larger entities. Under any implementation, data is going to be collected when DNT=1 so it comes down to who gets to collect data and for what purposes. Ceasing collection by third parties while barely curtailing first party data collection does not provide consumers with meaningful privacy protections under any objective analysis. And in light of recent events, some analysts have noted that concentration of information in a small number of large entities will have negative repercussions on personal freedoms. (See http://www.newyorker.com/online/blogs/elements/2013/06/why-monopolies-make-spying-easier.html)


The Editor’s Draft continues this trend. I continue to be surprised that so many working group members who hold themselves out as privacy advocates have accepted this approach.  The Editor’s Draft will negatively impact competition in the Internet economy, without a positive net benefit to users' privacy. By favoring first party business models and severely curtailing third party players (who for the most part use pseudonymous data, rather than the PII that most first parties hold), it would shift marketplace incentives toward more first party data collection. The end result will be less competition and more data collected and associated with the personally identifiable information of consumers: a poor outcome by any objective privacy standard.


Conversely, the DAA Proposal offers privacy-enhancing features (e.g., removal of the URL string when DNT=1) that are geared to address a core concern raised by advocates and regulators while minimizing the anti-competitive impact of DNT.


Section 7 of the Editor’s Draft is unclear and conflates Opt-out with DNT
As noted by other WG members, section 7 of the Editor’s Draft is confusing, as it is not clear to which opt-outs the text is referring (user settings for a specific site? Email marketing opt-outs?). Moreover, most opt-outs choices are recorded utilizing third-party cookies. Any attempt to include opt-out in a DNT spec is inappropriate without a corresponding requirement that browser stop blocking third-party cookies.

More importantly, industry self-regulatory opt-out mechanisms were always intended to function separately from DNT. DNT is intended to be a global standard, and the self-regulatory regimes focus on particular regions. I (and other WG members) have concerns about including a reference to such programs in a global specification where implementers may be in regions where the self-regulatory program has not been deployed. Some members of the working group have suggested that DNT should replace the industry self-regulatory programs. However, this notion ignores the significant time and resources invested in self-regulatory programs that were created in consultation with regulators from multiple jurisdictions. The self-regulatory programs are effective, while DNT is completely untested to date. Throwing out the self-regulatory programs in favor of DNT at this junction would be reckless and could harm consumer privacy interests.


Finally, and as described below, the volume of non-browser, non-user activated DNT signals is growing at an alarming rate.  Until DNT:1 signals can be technically structured such that Servers have confidence they were actually turned on by users, then equating DNT:1 to the industry opt-out program is impractical.

The Editor’s Draft does not offer any mechanism to address the proliferation of invalid DNT signals
By definition, many of the DNT signals being sent today are out of compliance with the Editor’s Draft. This is not meant to be a criticism of work done by the browsers to date. Rather, its meant as a simple observation: that a significant number of DNT signals were enacted in a manner that is out of compliance with the User Agent requirements contained the Editor’s Draft (e.g., the disclosure guidelines in Section 3). In order to mitigate this issue, the Editor’s Draft would need to essentially require that all enactments of DNT be turned off (set to DNT:unset) so that Users may reset them in a manner that meets the basic disclosure requirements of the current spec.


Perhaps more concerning, the volume of non-browser, non-user activated DNT signals is growing at an alarming rate.  The cost of adding DNT:1 to the header is very inexpensive from a technical perspective and we’ve seen routers, anti-virus software, plug-ins and other tools set DNT=1 in ways that violate basic standards of privacy.  To use W3C co-chair Matthias Schunter's phrase, we're seeing a proliferation of DNT signals "spraying" into the ecosystem.  While many of us are still hopeful solutions can be found to contain the issue, the reality for the foreseeable future is that we’ll continue to see DNT invalid implementations of DNT and are unlikely to consistently be able to distinguish between valid and invalid DNT implementations.


Some working group members have asserted that we should simply err on the side of caution and treat all DNT signals as valid. However, I strongly believe that this approach would violate long-standing privacy concepts such as notice, choice, and transparency.


The Editor’s Draft exempts browsers and other user agents from prohibitions against tracking
The Editor’s Draft does not prohibit user agents from either: a) taking URL string to create segments to sell to advertisers (or others) for ad targeting across the web, or b) enabling other entities to do so. To my eyes, that type of behavior would be considered tracking and should be prohibited by the spec. Unfortunately, it is not covered by the Editor’s Draft. If others in the ecosystem are prohibited from tracking, it seems fair and appropriate that we ensure that similar prohibitions are placed on user agents.


The Editor’s Draft will result in a low level of adoption
The larger goal of all W3C initiatives is voluntary adoption by implementers of the standard. Unfortunately, the Editor’s Draft suffers from too many significant flaws that it is unlikely to be adopted by the marketplace. The entities primarily covered by the proposed DNT standard -- third party online businesses – are unlikely to adopt and comply with the approach in the Editor’s Draft, because it is over-broad and anti-competitive, and would severely curtail their businesses without a commensurate privacy benefit to consumers. A balanced and narrowly tailored approach that solves specific privacy concerns while maintaining competition and a diverse internet economy is much more likely to gain widespread adoption, and ultimately benefit consumers.

Conversely, the DAA Proposal has a significantly greater chance of receiving widespread adoption (admittedly, with some polishing). The Editor’s Draft has so many flaws and non-starters for the intended implementers it's not a useful baseline for continuing discussion, especially in light of the DAA's proposal which is ostensibly much, much closer to a form that would actually be accepted by intended implementers. Hence, the DAA Proposal has a significantly greater chance of receiving widespread adoption.

For the above reasons, I object to the Editor’s Draft and encourage the chairs to move forward with the DAA Proposal.

Respectfully,

Alan Chapell
Chapell & Associates
Received on Friday, 12 July 2013 21:19:22 UTC