- From: Walter van Holst <walter.van.holst@xs4all.nl>
- Date: Mon, 06 May 2013 17:25:58 +0200
- To: <public-tracking@w3.org>
Dear fellow workgroup members,

Over the past few days I have tried to parse and understand the TPE spec and the compliance spec. The working drafts of April 30th, to be more precise. Given the great care and the diligence with which both Roy Fielding and David Singer have been involved in this process, one cannot doubt that these documents are the most accurate reflection of the level of consensus in this group.

This message tries to convey an inventory of what I think are fundamental issues that prevent us from having a workable and meaningful TPE spec. It is not an exhaustive list in the sense that it covers every little detail; it is about the fundamentals. And to my understanding of the TPE, the fundamentals of it just aren't sound. And that is not a failure of the editor, it is a failure of us as a working group.

What it should do is:

Siloisation as a core principle. While I believe there are limits to data collection as a first party (to use the TPE vernacular), the primary problem we are supposed to tackle is data collection across different contexts. This should include the use of data collected in a first-party quality while acting as a third-party. The compliance document allows for that. That is a fundamental no-go for me, both from a privacy perspective and from a competition perspective (Vrijschrift has a rather strong free-market streak to it). There should be zero 'data append' and this should go both ways within that first-party's organisation.

Data minimisation as a core principle. As it stands now, there is some lip-service being paid to this principle, but on substance both the TPE and the compliance spec seem to be mostly geared to justify as much data collection as possible. Especially the bits about User Agent compliance appear to gear towards the idea that it should be possible to ignore as much DNT:1 as possible. Moreover, data minimisation is only applied for the accepted uses whereas under EU law it should still be applied in case of DNT:0 and DNT:unset.

Knowing who the user deals with. Which means a better delineation of first- and third-parties. Another concept that touches an essential part of the issue of various contexts is that of 'affiliate' and the sharing of collected data with other parties, both under DNT:0 and DNT:1. Again, under EU law there is consent needed for sharing data with other parties (meaning real third-parties, the vernacular of this WG is again problematic here).

I think the goals of this standard have to be to provide a) a meaningful opt-out mechanism as well as b) a meaningful opt-in mechanism against data collection across different contexts. So far I see little that satisfies either of these two goals.

So I hope we either get a drastic change of the course of this workgroup or that we may come to a mutual agreement to disagree and not have to let this drag on and not to have it soil the good name of W3C any further than it perhaps already has.

Regards,

Walter
Received on Monday, 6 May 2013 15:26:26 UTC