RE: questionnaire to gain more insight into industry stakeholder practices


I believe industry has provided an amazing amount of knowledge to the working group…repeatedly.  Peter has done an excellent job in bring experts to speak to the group.  You also brought an expert to speak to the group recently.  In each occasion industry has patently and in detail re-explained the driving needs for Permitted Uses as essential to not breaking the critical elements of their business (and therefore the Internet in relation).  We’ve done this many times over the past 20+ months.  I’m more than happy to continue to provide details on present information practices and why they are essential to minimum business operations.  I don’t see my position as not being able to provide information on confidential intellectual property in a public forum as a limiting factor to the working group’s progress.  Rather than sharing an exhaustive list of our internal cron job names as Dan’s requested, I’ve shared data flows, separation and segmentation techniques, and driving business necessities for limited data retention.

I suggest we already have what Dan and you are requesting.  Perhaps when can look at assembling the information in a new way to see if that somehow connects the dots in a different and more illuminating way.  It was in that hope that I had suggested to Dan we look at consumer disclosures as an example of how best to provide detailed transparency and defenses of proportionality.  I continue to believe this would be a fruitful exercise if you’re willing to participate.

- Shane

From: Jonathan Mayer []
Sent: Sunday, May 12, 2013 4:25 PM
To: Shane Wiley
Cc: Peter Swire; Dan Auerbach;
Subject: Re: questionnaire to gain more insight into industry stakeholder practices


The group has recognized on many occasions that knowledge sharing is essential to a path forward.  If we are to to have any basis for evaluating the permitted uses, stakeholders must be forthcoming about their present information practices and future information needs.

I sincerely hope you will reconsider your position.  Otherwise, I do not see how we could proceed.


On Saturday, May 11, 2013 at 2:07 PM, Shane Wiley wrote:
Thank you Peter - no harm, no foul.

As in my response to Dan, I agree that organizations will not be willing to share the level of detail Dan is requesting as many of those specifics are considered confidential intellectual property (meaning we don't share does details publically through any forum). The genesis of my discussion with Dan during the lunch breakout session was around retention transparency and related timeframes - and the detail for demonstrating proportionality within consumer disclosures. As industry is for the first time ever on a global scale signing up for unprecedented transparency in this area, I believe the greatest value to the Working Group is focus on the details of consumer disclosures here.

While I understand the continued desire from some advocates for industry to 'prove' our internal data needs to remove doubt, I believe we've gone as far as possible to straddle the line between providing concrete use cases and breaking corporate confidentiality requirements.

As I stated in the F2F and numerous times before, I'd love the W3C or another forum to develop a "Privacy Lab" so we can start diving deep on longer term technical solutions to bettering online consumer privacy. Many of the concepts brought up in the Working Group to date would require significant overhauls across the entire online ecosystem. My organization is not opposed to them, but we need to first understand the details, how these functional at global, complex system, multi-trillion transactions per day/month scale. Once we feel comfortable here, we need to then schedule the transition to the new approach (switching galloping horses in full stride). This will be amazingly expensive (read 100s of millions of dollars across the globe) - all in response to no demonstrated user harm in even today's approaches so please understand a staged approach will need to be taken to achieve the ultimate goal.

- Shane

-----Original Message-----
From: Peter Swire []
Sent: Saturday, May 11, 2013 7:55 AM
To: Peter Swire; Shane Wiley; Dan Auerbach;<>
Subject: Re: questionnaire to gain more insight into industry stakeholder practices

Hello to the list:

Well, I goofed, but I hope in a way that shows that I am trying to help.

I meant to send something privately to Shane, asking for thoughts of how to constructively move forward on getting responses to Dan's questionnaire.

For better or worse, you all can see how I wrote something that I thought was to one person. On re-reading this, I am entirely comfortable with the contents of the email -- how can we get the highest-quality responses from industry that will advance the process?

I welcome thoughts on that, both on list or just to me on background.



Professor Peter P. Swire
C. William O'Neill Professor of Law
Ohio State University

-----Original Message-----
From: Peter Swire <<>>
Date: Saturday, May 11, 2013 10:46 AM
To: Shane Wiley <<>>, Dan Auerbach <<>>, "<>" <<>>
Subject: Re: questionnaire to gain more insight into industry stakeholder practices
Resent-From: <<>>
Resent-Date: Saturday, May 11, 2013 10:46 AM

(just to Shane)

Hi Shane:

I appreciate very much your contributions to the F2F this week, on top
of all the other work you have done with the WG.

I'd be curious if you have any suggestions for how I can facilitate
this part of the process concerning Dan's questionnaire. I can imagine
reluctance of companies to provide any sort of representation or
warranty that they are disclosing fully on all of the dimensions of
Dan's questions.

On the other hand, getting something useful about these topics will
help us, I think, make progress on permitted uses and transparency
procedures going forward.

Your thoughts on what is workable for industry while also being
responsive to Dan's line of inquiry?



Professor Peter P. Swire
C. William O'Neill Professor of Law
Ohio State University

-----Original Message-----
From: Shane Wiley <<>>
Date: Friday, May 10, 2013 7:45 PM
To: Dan Auerbach <<>>, "<>"
Subject: RE: questionnaire to gain more insight into industry
stakeholder practices
Resent-From: <<>>
Resent-Date: Friday, May 10, 2013 7:47 PM


Thank you for following through on this action item. Since the
Working Group has yet to agree on all of the details of what a DNT
standard entails, it will be difficult for members to fill this out
with concrete DNT disclosures. I'd suggest rather a few of us take
stabs at creating examples of what we could imagine an outcome looking
like using placeholders ("Company XYZ").

Recommended changes to the structure:

- Describe your company's role as a 3rd party: ad network, exchange,
analytics provider
- List the Permitted Uses your company will retain data for
- For each Permitted Use, explain the how long you'll be retaining
data for this purpose and why (include an explanation of how unique
IDs are used in these situations)
- Explain how information is processed for Permitted Uses - including
the additional protections a tri-state de-identification system
provides for user privacy (and which Permitted Uses are used in each
- Optional/Recommended - provide diagrams or videos explaining how
data is processed by your company for Permitted Uses (how is data
separated from other types of data, how often is data processed, what
information is stripped or retained for processing)

The purpose for the condensing is to better shape these disclosures
for normal consumers that will be reading them. One of the regular
criticism of privacy policies is that they are too legalistic. I
believe your approach will result in something too technical.
Hopefully we can find the sweet spot as we explore disclosure structure options.

Thank you,

-----Original Message-----
From: Dan Auerbach []
Sent: Friday, May 10, 2013 4:12 PM
Subject: questionnaire to gain more insight into industry stakeholder

As discussed during the data retention breakout at the F2F, here the
requested guide for information from industry participants that would
help inform the group's thought process as to what type of data
reasonably must be retained and how long for permitted uses under the
standard. This short questionnaire is important for the group's work.
It is not a suggested transparency guide for users. I think being
maximally transparent to users would be good too and we should have
that conversation, but that is not the intention of this
questionnaire. I plan to respond to this email with hypothetical
examples of helpful and non-helpful responses, so please consider
those before finalizing your response. (The examples may not come
right away as I must finish other work first). One final comment:
there may be some small areas where the questions below touch on other
information companies would like to protect. For these, we should be
able to have an unscribed conversation off-list. I don't think a
schematic of a data flow is a trade secret, but making public the names of clients would obviously be sensitive.

1. Outline your company's role in the Internet data collection
ecosystem, and your business model.
2. What permitted uses are you proposing retaining data for?
3. For each permitted use, how long are you proposing retaining data?
4. Draw a diagram of your logging and data pipeline, including
peripheral databases that store customer information, and databases
used for aggregated reports.
5. In the diagram above, indicate all repeating data processing jobs
(e.g. cron jobs or other processes that occur at regular intervals)
that relate to how data is manipulated within your system.
6. Within the framework of the diagram above, for each proposed
permitted use, describe the life cycle of protocol (HTTP) events and
other data events that come into the system that you would like to retain.
7. In the diagram above, indicate any external clients of the data
(auditors, customers of various sorts), and for each client, the
frequency, format and granularity of the data that is received.
8. For each permitted use, indicate in detail how unique ids are used.


Dan Auerbach
Staff Technologist
Electronic Frontier Foundation<>
415 436 9333 x134

Received on Monday, 13 May 2013 07:38:22 UTC