Some fundamental issues

Dear fellow workgroup members,

Over the past few days I have tried to parse and understand the TPE 
spec and the compliance spec. The working drafts of April 30th, to be 
more precise. Given the great care and the diligence with which both Roy 
Fielding and David Singer have been involved in this process one cannot 
doubt that these documents are the most accurate reflection of the level 
of consensus in this group. This message tries to convey an inventory of 
what I think are fundamental issues that prevent us from having a 
workable and meaning ful TPE spec.

It is not an exhaustive list in the sense that it covers every little 
detail, it is about the fundamentals. And to my understanding of the 
TPE, the fundamentals of it just aren't sound. And that is not a failure 
of the editor, it is a failure of us as a working group.

What it should do is:

Siloisation as a core principle. While I believe there are limits to 
data collection as a first party (to use the TPE vernacular), the 
primary problem we are supposed to tackle is data collection across 
different contexts. This should include the use of data collected in a 
first-party quality while acting as a third-party. The compliance 
document allows for that. That is a fundamental no-go for me, both from 
a privacy perspective and from a competition perspective (Vrijschrift 
has a rather strong free-market streak to it). There should be zero 
'data append' and this should go both ways within that first-party's 

Data minisation as a core principle. As it stands now, there is some 
lip-service being paid to this principle, but on substance both the TPE 
and the compliance spec seem to be mostly geared to justify as much data 
collection as possible. Especially the bits about User Agent compliance 
appear to gear towards the idea that it should be possible to ignore as 
much DNT:1 as possible. Moreover, data minimisation is only applied for 
the accepted uses whereas under EU law it should still be applied in 
case of DNT:0 and DNT:unset.

Knowing who the user deals with. Which means a better delineation of 
first- and third-parties. Another concept that touches an essential part 
of the issue of various contexts is that of 'affiliate' and the sharing 
of collected data with other parties, both under DNT:0 and DNT:1. Again, 
under EU law there is consent needed for sharing data with other parties 
(meaning real third-parties, the vernacular of this WG is again 
problematic here).

I think the goals of this standards have to be to provide a) a 
meaningful opt-out mechanism as well as b) a meaningful opt-in mechanism 
against data collection across different contexts. So far I see little 
that satisfies either of these two goals.

So I hope we either get a drastic change of the course of this 
workgroup or that we may come to a mutual agreement to disagree and not 
have to let this drag on and not to have it soil the good name of W3C 
any further than it perhaps already has.



Received on Monday, 6 May 2013 15:26:26 UTC