Re: Next 2 calls canceled (Oct 09 and Oct 16)

Matthias,

On option #1 - legal minds are stating this will not be possible.  While
the concepts of "all-or-nothing" and "tracking-walls" are still heavily
debated, I believe we'll need to develop a solution that supports a data
subject's ability to selectively consent to some of the requested purposes
(versus all or none of them).

On option #2 - if we are required to use cookies to facilitate the consent
process then there is little to no utility in DNT.  Industry can just use
cookies for the entire process.  The motivation for leveraging DNT over
cookies is that these are held out under separate controls from cookies -
and hopefully avoid proactive blocking activities such as 3rd party cookie
blocking and Apple's ITP.  We're trying to do the right thing here so let's
not punish good actors in the fear of bad actors.

The discussion on fingerprinting in this context is a bit of a red herring
IMHO.  The number of legitimate purposes should be small (6 or less).  In
all cases there is a full record of the UGE registration so those misusing
this feature for illegitimate means can be quickly tracked (back to the
specific domain) and dealt with -- versus other forms of fingerprinting
which are often invisible to the browser.

- Shane

On Wed, Oct 11, 2017 at 6:29 AM, Matthias Schunter (Intel Corporation) <
mts-std@schunter.org> wrote:

> Hi Shane,
>
> thanks a lot for documenting this important usage.
>
> If I understood correctly, your goal is to bind consent to a set of
> purposes. I.e. the goal is that a party can obtain information on "yes,
> I obtained consent for purpose2, 8, and 15 from the user browsing the page".
>
> While including purpose into UGE is a viable option, it may not be the
> best way to achieve your goal. If a site can learn (per user) what
> purposes have been enabled, then fingerprinting risks may be high. It
> may be hard for us to define the right set of purposes. Finally, I
> expect that we are not allowed to extend beyond year end unless new
> members join our WG - A delay may be deadly in this case.
>
> I see two potential ways to implement  what you need and would like to
> discuss different implementation options (not sure whether mine work
> indeed better):
>
> 1. STATIC PURPOSES PER SITE
> - A site documents a set of purposes SP in its privacy policy (and
> potentially (extension) in the TSR)
> - A site explains the purposes to the user
> - A user grants consent
> - The site registers a UGE
> - Next time, the site obtains a DNT;0
> - The site knows that it now has consent for the purposes in SP
>
> 2. DYNAMIC PURPOSES PER SITE
> - A site documents a set of purposes SP in its privacy policy (and
> potentially (extension) in the TSR)
> - A site explains the purposes to the user
> - Each user grants consent _TO A SUBSET OF THE PURPOSES_
> - One of these purposes must be setting a cookie for keeping preferences
> - The site registers a UGE (this at least allows setting a cookie)
> - The site stores a cookie that contains or links to the
>    consented purposes
> - Next time, the site obtains a DNT;0
> - The site retrieves the cookie
> - The site knows that it now has consent for the purposes referenced by
>   the cookie
>
> I suggest we discuss whether we can find a viable way to implement your usage. If you
> have additional implementors, I would like to invite them to the group
> (as visitors) to explain their requirements in order to understand the
> constraints further.
>
> Regards,
> matthias
>
>
>
> On 10.10.2017 03:26, Shane M Wiley wrote:
> > Submitted:  https://github.com/w3c/dnt/issues/60
> >
> > - Shane
> >
> > On Mon, Oct 9, 2017 at 9:09 AM, Shane M Wiley <wileys@oath.com
> > <mailto:wileys@oath.com>> wrote:
> >
> >     Working on it now - will have it out by day's end (apologies -
> >     attending a wedding across the coast last week so I'm a bit behind).
> >
> >     - Shane
> >
> >     On Sun, Oct 8, 2017 at 10:23 AM, Mike O'Neill
> >     <michael.oneill@baycloud.com <mailto:michael.oneill@baycloud.com>>
> >     wrote:
> >
> >         Is this an issue posted recently? I see nothing on the list.
> >
> >
> >
> >         -----Original Message-----
> >         From: Matthias Schunter (Intel Corporation)
> >         [mailto:mts-std@schunter.org <mailto:mts-std@schunter.org>]
> >         Sent: 08 October 2017 16:25
> >         To: public-tracking@w3.org <mailto:public-tracking@w3.org>
> >         (public-tracking@w3.org <mailto:public-tracking@w3.org>)
> >         <public-tracking@w3.org <mailto:public-tracking@w3.org>>
> >         Subject: Next 2 calls canceled (Oct 09 and Oct 16)
> >
> >         Hi Folks,
> >
> >         I will be travelling for 2 weeks. I suggest to cancel the call
> >         tomorrow
> >         (Oct 08) and the week afterwards (Oct 16).
> >         Sorry for the short notice.
> >
> >         In the subsequent call, I would like to discuss the issue Shane
> >         raised.
> >         Shane: Could you outline your usage/requirements/issue in the
> >         github issue tracker?
> >
> >
> >         Regards,
> >         matthias
> >
> >
> >
> >
> >
> >     --
> >     - Shane
> >
> >     Shane Wiley
> >     VP, Privacy
> >     Oath: A Verizon Company
> >
> >
> >
> >
> > --
> > - Shane
> >
> > Shane Wiley
> > VP, Privacy
> > Oath: A Verizon Company
>



-- 
- Shane

Shane Wiley
VP, Privacy
Oath: A Verizon Company

Received on Wednesday, 11 October 2017 16:41:48 UTC
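
The two implementation options quoted in this message differ in what the server can conclude from a request; the sketch below is an added illustration, not part of the thread or of any W3C specification. The purpose names, the comma-separated cookie format and the function names are hypothetical, and a DNT value other than exactly `0` is treated as no consent.

```python
# Added illustration. SITE_PURPOSES (the set "SP"), PREFS_PURPOSE and the
# cookie format are assumptions made for this example.
SITE_PURPOSES = {"prefs", "analytics", "ad_personalization", "measurement"}
PREFS_PURPOSE = "prefs"  # option 2: the purpose that permits the preference cookie


def parse_consent_cookie(value):
    """Return the purposes named in the cookie, dropping unknown names."""
    if not value:
        return set()
    named = {p.strip() for p in value.split(",") if p.strip()}
    # Intersect with the published set so an edited cookie cannot add purposes.
    return named & SITE_PURPOSES


def consented_purposes(dnt_header, consent_cookie, mode):
    """Resolve which purposes a request carries consent for.

    mode "static"  = option 1: DNT 0 implies every purpose in SP.
    mode "dynamic" = option 2: DNT 0 plus the subset recorded in the cookie.
    """
    if dnt_header is None or dnt_header.strip() != "0":
        return set()  # no exception signalled: fail closed
    if mode == "static":
        return set(SITE_PURPOSES)
    if mode == "dynamic":
        # If the cookie was blocked or cleared, only the cookie-setting
        # purpose covered by the UGE itself remains.
        return parse_consent_cookie(consent_cookie) | {PREFS_PURPOSE}
    raise ValueError("unknown mode: " + mode)


if __name__ == "__main__":
    # Constructed sample requests: (DNT header, consent cookie, mode)
    samples = [
        ("0", None, "static"),
        ("0", "analytics, measurement", "dynamic"),
        ("0", None, "dynamic"),              # cookie blocked or cleared
        ("0", "analytics,resale", "dynamic"),  # unknown purpose is ignored
        ("1", "analytics", "dynamic"),
    ]
    for dnt, cookie, mode in samples:
        print(dnt, cookie, mode, sorted(consented_purposes(dnt, cookie, mode)))
```

In dynamic mode the selective part of the consent lives only in the cookie, so a request whose cookie is missing resolves to the preference purpose alone.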