- From: Peter Eckersley <peter.eckersley@gmail.com>
- Date: Wed, 7 Oct 2015 13:10:19 -0700
- To: Tracking Protection Working Group WG <public-tracking@w3.org>
- Cc: Alan Toner <at@eff.org>
- Message-ID: <CAOYJvnKvKdV=651Mj2ZDn3o8bBQDjuAPHYxWgDkc2mYYE2G8Jg@mail.gmail.com>
EFF is in an unusual situation in commenting on the W3C TCS draft, in that we have an alternative DNT compliance policy deployed and in the field ( https://eff.org/dnt-policy ; https://www.eff.org/press/releases/coalition-announces-new-do-not-track-standard-web-browsing ; https://www.eff.org/press/releases/online-ad-company-adopts-new-do-not-track-standard-web-browsing ). Our DNT Policy document was first published as a draft with our Privacy Badger extension in May last year; version 1.0 was released in August. That policy was largely based on the EFF-Stanford-Mozilla compromise proposal previously discussed in this Working Group, with a few important changes. Given the difficulty building consensus in this WG, and the urgent practical need for a a way for Privacy Badger and other tracker blocking software to let third party domains signal that they had implemented a strong privacy opt-out, we have been focused on something that actually allows DNT to work in deployment as a privacy mechanism. For the TPWG audience, it's probably worth looking at the places where our policy wound up being different from the current TCS Last Call draft, which we don't think is workable from a privacy perspective in its current form. 1. PERMITTED ACTIVITIES AND USES: There is an important set of activities that are permitted by the TCS LC draft but prohibited or tightly circumscribed under the EFF 1.0 Policy. Some of these are of particular acute concern to us: - allowing third parties to use tracking cookies, supercookies, fingerprints and other types of unique identifiers to record people's reading habits and browsing histories without meaningful consent. - allowing the continuation of specific advertising industry practices (especially frequency capping and ad display auditing) using algorithms and data flows that were not originally designed to preserve the privacy of users' reading habits. These become a straightforward path by which a very large number of companies wind up getting copies of the user's browsing history without appropriate consent. - potentially allowing extremely long retention periods for the above types of data Each of the above categories of activities is subjected to a "reasonableness" requirement in the TCS draft. The problem that we and I believe many other organizations have with that test is that "reasonableness" is decided unilaterally by the companies involved, and not by users or any impartial authority. It would understandable for legal counsel for various types of tracking companies to conclude that continuation of preexisting industry practices was "reasonable" and required by business constraints, while users being tracked by those companies might hold a wildly diverging view of those business practices and their reasonableness. For the above reasons, we believe that any plausible Do Not Track policy *must* offer users more concrete guarantees about the circumstances under which their reading habits will be collected, retained, or shared by various parties. In the absence of such guarantees, users who wish to not be tracked will need to block interactions with most or all advertising, analytics and widget-serving domains. 2. FIRST AND THIRD PARTIES The disagreements I mention above have existed in this working group since its inception. There was another giant topic of debate in the WG around the scope of the definition of a "first party". We came to conclude that the attempt to define first parties, and define them as inherently excluded, was a mistake. As a result, our DNT Policy is either implemented or not implemented on a per-subdomain basis, at the website's discretion. Some of the companies that are implementing it our policy have chosen to do so for all of their domains and services; others have chosen to do it only on specific domains that serve scripts or widgets for embedding on other domains. As a matter of enforcement, our Privacy Badger software currently on creates strong incentives for implementation by third parties, but that may change in the future. For instance, a first party news website that implemented the policy is likely to have all of its third parties unblocked in the future, because it has made representations about tightly limiting the data flows to those parties. Other first-party features of privacy software, such as attempting to prevent link-click-tracking, could similarly be contingent on the absence of a first-party commitment to the DNT Policy. We think this approach of making DNT first/third party neutral is much cleaner. It eliminates any advantage / disadvantage that accrues to companies based on the size of their corporate family trees, removes the perceived advantages of third parties that are also major first parties, simplifies the document, and allows companies to implement or not implement for whatever services they believe DNT compliance is appropriate for. 3. OVERALL SIMPLICITY Wordcount: we tried hard to draft for concision; the EFF Do Not Track Policy is a bit less than half the length of the TCS last call draft. -- Peter
Received on Wednesday, 7 October 2015 20:10:52 UTC