Re: TPWG Public Comment on DNT Standard

On Mar 13, 2013, at 1:58 AM, Walter van Holst wrote:

> On 3/12/13 4:16 PM, Elizabeth Coker wrote:
>> Dear TPWG Members:
>> 
>> I want to direct everyone's attention to this WSJ article
>> <http://online.wsj.com/article_email/SB10001424127887324096404578354533010958940-lMyQjAxMTAzMDEwMTExNDEyWj.html>
>> that highlights the issues with "first" and "third" parties.

Actually, it doesn't.  The article is about publicly shared interests
and how they reveal something about the users.  If the article had
removed the mention of Facebook and the Internet, people reading it
would have responded "well, duh!" and that would be the end of it.

Jeff should know quite well that this is a publicity problem,
not a privacy red flag, but I assume he has that quote imprinted
on his business card. ;-)

We have no right nor responsibility to decide for the user what
they choose to publish about their own interests, nor what services
they choose to publish them on.

>>  While a
>> technical standard must be implemented, it should be consistent with
>> consumer expectations, not warped into something that continues to
>> obfuscate data collection from consumer, publisher and advertiser
>> scrutiny.  Privacy preference management is typically assumed to be
>> between the consumer and the website (or brand) by most people.  Only
>> highly informed individuals realize that every time they "click" on
>> something they could be dealing with a "new" first party and that their
>> data may now be collected by some unknown entity – even though their
>> intent was not to share, or only to share with the trusted brand or site.
> 
> May I add to this that, although there are no published industry
> practices on this matter, data by (relatively) unknown entities is
> gathered as a result of merely rendering the website. The vast majority
> of individuals do not realise that.
> 
> This study about Facebook 'likes' also highlights the linkability issue.

I seem to have failed to make the connection.  If you mean that
data correlation works, then I think we already know that.

Regarding Elizabeth's complaint regarding the definitions,
clicking on a Facebook Like button (or a Google+ +1 button) has one
and only one meaning to the user: Tell the people permitted by my
social network configuration that I like this page, presumably so
that they can visit it too. That is the only consumer expectation
that matters here.

If the user doesn't have a G+ or FB account, they are going to get
a message that they need to log in to their account.  If they do have
a G+ or FB account, the action corresponding to the click cannot
be accomplished according to the user's expressed wish without
the button's action resource collecting the account info and the
URL of the page the button was on.

While it is theoretically possible for a user to accidentally click
such a button, it is not possible for the service to distinguish that
from an intentional action, nor is it reasonable to assume that a
user with a social networking account has not been sufficiently
informed about the purpose and effect of clicking on such a button.
Whether they are informed or not is a concern for the FTC, not us.
Regardless, there are two obvious solutions: 1) delete the social
network account, or 2) stop clicking on the buttons.

Control over how data is used occurs within the user's account
profile on that first party service (G+ or FB).  We have no rational
means to presume how that data will be used, to what extent the
user is aware of that use, to what extent the service has provided
control over that use, or to what extent such an action may or may
not result in following the user across sites.  Those things are
the responsibility of the user and the service which they requested.

The service is not tracking the user when the user tells the service
where they are and to remember that fact -- it is just performing
the action requested.  If the user does not like how the data will
be used, they are free to choose a different service.

Having made that request of a first party with which they have an
established relationship, it might make sense to wonder what
control the user has over the data that has been submitted.
That is a general issue of user rights to information about them,
whether that data is private or published, and is addressed by
public policy and the specific privacy policy of the service
with which the user maintains an account.  It is not
within the scope of our work aside from the general prohibition
of a first party sharing the data from DNT:1 requests with third
parties.  It may be within the scope of the
Privacy Interest Group (i.e., not this mailing list).

Once again, this would all be obvious if our drafts started
with a reasonable definition of tracking.

Furthermore, if we ignore the article's subject and actually
talk about tracking across sites, then YES there is no doubt
whatsoever that tracking an identifiable individual, via their
user agent or device, across multiple unaffiliated websites can
eventually result in some form of segmentation (association made
between the individual and some set of interests) that the user
did not directly reveal to any of the individual first party
sites, and in some cases that segmentation won't be false.
That is one of the many reasons why this working group exists
and why we call collection of data about an individual across
multiple sites "tracking" instead of just data collection.

All of us would like a working solution that addresses the
specific privacy risk that we have been convened to address.
If we can just work on the problem we agreed to solve, maybe
we'll make some progress.

....Roy

Received on Thursday, 14 March 2013 00:15:24 UTC