- From: Rob van Eijk <rob@blaeu.com>
- Date: Fri, 20 Oct 2017 07:56:52 +0000
- To: Shane M Wiley <wileys@oath.com>, Aleecia M. McDonald <aleecia@aleecia.com>
- Cc: public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org) <public-tracking@w3.org>
- Message-ID: <0102015f38c8eba5-a613bb03-0bc7-4b97-b1bf-36ab139785bd-000000@eu-west-1.amazonse>
We should take the EU use case for a web wide opt-out for the purpose of audience measurement (aka web analytics) into account. I added it to the issue #60 on github.
We discussed the opt-out on many occasions, e.g. the global considerations taskforce in Berlin (2013). The current development is that the approach for web analytics is a carefully balanced one. The text of the LIBE compromise amendments for the ePR is as follows:
Article 8
Protection of information transmitted to, stored in, related to, processed by and collected from users’ terminal equipment
1. The use of processing and storage capabilities of terminal equipment and the collection of information from users’ terminal equipment, including about its software and hardware, other
than by the user concerned shall be prohibited, except on the following grounds:
(...)
(d) if it is technically necessary for measuring the reach of an information society service requested by the user, provided that such measurement is carried out by the
provider or on behalf of the provider, or by a web analytics agency acting in the public interest including for scientific purpose; that the data is aggregated and the user is given a possibility to
object; and further provided that no personal data is made accessible to any third party and that such measurement does not adversely affect the fundamental rights of the user; Where audience measuring takes place on behalf of an information society service provider, the data collected shall be processed only for that provider and shall be kept separate from the data collected in the course of audience measuring on behalf of other providers; or
(...)
Rob
-----Original message-----
From: Shane M Wiley
Sent: Thursday, October 19 2017, 11:26 pm
To: Aleecia M. McDonald
Cc: public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org)
Subject: Re: Next 2 calls canceled (Oct 09 and Oct 16)
+1
I agree with Aleecia. While I wouldn't be surprised, I couldn't imagine a company willfully leveraging a documented registry to implement a digital fingerprint. That said, the FTC and EU DPAs would love the low hanging fruit this would create for their enforcement arms.
- Shane
On Thu, Oct 19, 2017 at 2:08 PM, Aleecia M. McDonald <aleecia@aleecia.com> wrote:
> On Oct 19, 2017, at 12:48 PM, Mike O'Neill <michael.oneill@baycloud.com> wrote:
>
> I don't think a pass-thru will fly, because it is too easy to use the DNT header as a secret tracking cookie. We have to constrain the entropy.
I think the best path is to add “thou shalt not fingerprint” in appropriate standards language. The irony of DNT possibly being used to track people is a concern, including a concern for users. We can at least be clear that we knew the possible risk and did not design the spec to be abused in that way. It’s a fig leaf, I know. But really, if someone’s going to be anti-social there is not a whole lot to be done by us. DNT has always had to assume good actors; it’s a request, not a PET.
Other actors like IAB could impose requirements on their members, as they did with baring the use of LSOs for behavioral advertising. EFF’s DNT could include an FTC-actionable promise not to fingerprint based on DNT. I believe the stock phrase is there is a role for regulators here. Plus the class action lawsuits for “I used a setting for privacy and you used it to track me” nearly write themselves, especially in California and Europe, even without anyone else stepping up. So I think there *are* solutions to this threat, but they come from parties external to the WG.
Aleecia
--
- Shane
Shane Wiley
VP, Privacy
Oath: A Verizon Company
Received on Friday, 20 October 2017 07:57:23 UTC