Re: Mandatory Legal Process (ACTION-57, ISSUE-28) from Jonathan Mayer on 2012-01-25 (public-tracking@w3.org from January 2012)

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Wed, 25 Jan 2012 19:25:40 +0100
To: Shane Wiley <wileys@yahoo-inc.com>
Cc: Tom Lowenthal <tom@mozilla.com>, David Singer <singer@apple.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-Id: <14286C91-73C2-4E24-BD14-9F5D7A5EF255@stanford.edu>

Some relevant U.S. legal background: web tracking may soon fall within the Fourth Amendment's compelled disclosure rules.

From Justice Sotomayor's concurrence in United States v. Jones:

More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. E.g., Smith, 442 U. S., at 742; United States v. Miller, 425 U. S. 435, 443 (1976). This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. Perhaps, as Justice Alito notes, some people may find the tradeoff of privacy for convenience worthwhile, or come to accept this diminution of privacy as inevitable, post, at 10, and perhaps not. I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year.

On Jan 25, 2012, at 7:22 PM, Jonathan Mayer wrote:

> The text I've proposed addresses web information practices for DNT users.  By all means argue why organizations shouldn't inform their users of compelled disclosure, but I think this text is unambiguously within the working group's scope.
> 
> On Jan 25, 2012, at 7:15 PM, Shane Wiley wrote:
> 
>> I believe attempts to "add on" to the party responsibilities within legal process "outside of the DNT standard" is outside of scope of the working group.  Instead I would suggest the preamble of each document simply state "this standard is not intended to override local, state, or country law."
>> 
>> - Shane
>> 
>> -----Original Message-----
>> From: Tom Lowenthal [mailto:tom@mozilla.com] 
>> Sent: Wednesday, January 25, 2012 7:11 PM
>> To: David Singer; public-tracking@w3.org
>> Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
>> 
>> I don't think we need anything apart from Jonathan's text. I'd argue that for process applied to data collected in a third party capacity, notification is a must; for first party data, a should; and for any breach where you must notify some users, you must notify all users.
>> 
>> On Wed 25 Jan 2012 06:43:06 PM CET, David Singer wrote:
>>> 
>>> On Jan 25, 2012, at 16:12 , Jonathan Mayer wrote:
>>> 
>>>> Proposed text:
>>>> 
>>>> A party MAY take action contrary to the requirements of this standard if compelled by mandatory legal process.  To the extent allowed by law, the party MUST (SHOULD? MAY? non-normative?) notify affected users.
>>> 
>>> which means we need a 'legal exception'?
>>> 
>>> 
>>> 
>>> David Singer
>>> Multimedia and Software Standards, Apple Inc.
>>> 
>>> 
>> 
>

Received on Wednesday, 25 January 2012 18:26:23 UTC