Re: meaning of DNT 1 and DNT 0 when sent by user agents [ISSUE-78] from John Simpson on 2012-01-18 (public-tracking@w3.org from January 2012)

From: John Simpson <john@consumerwatchdog.org>
Date: Tue, 17 Jan 2012 17:58:08 -0800
To: Sean Harvey <sharvey@google.com>
Cc: Rigo Wenning <rigo@w3.org>, Kevin Smith <kevsmith@adobe.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-Id: <4119FFAA-8588-4596-A77B-676F705FEC51@consumerwatchdog.org>
Sean,

I am extremely hard-pressed to see any "sort of bad faith" expressed in Rigo's thoughtful analysis.  I think we all want consensus and are working toward trying to achieve that.  At this point it's understandable-- indeed necessary -- that people are focusing on issues and trying to understand each other's various positions as we prepare for Brussels.

Seems to me that's exactly what Kevin and Rigo are doing.

Your statement that you think a cross-site paradigm is better that the 1st vs. 3rd party, but that you're open to sticking with it, is exactly the sort of comment that helps.

For me, I have trouble seeing how "cross-site" contributes anything to the discussion.  You still have to define how to differentiate one site from another.  That is essentially the 1st/3rd party question. It seems to me that the 1st party/ 3rd party paradigm is already well established usage in privacy discussions and proposed regulations and legislation. For that reason alone, it makes little sense to abandon it. 

To me it would make more sense to call the user the 1st party, the site visited the 2nd party, and others the 3rd party.  I've given that up years ago, though, and have been working with the 1st/3rd party paradigm that seems to be the lingua franca.

73s,
John


On Jan 17, 2012, at 5:18 PM, Sean Harvey wrote:

> Hi Rigo, 
> 
> It is disappointing to hear this sort of bad faith expressed at this point in the process. it doesn't bode especially well for the success of our Brussels meeting if we cannot collectively acknowledge that, while differing opinions may be expressed on these email chains, everyone on this committee is trying in good faith, through their diverse perspectives, to come up with a standard that is both good for users and implementable by the businesses they encounter on the web. 
> 
> A review of the email chains and notes from previous in-person meetings over the past months will show that I among others have explicitly called out the need to disallow first parties from sharing data "on the backend" with third parties. I have been calling this out consistently throughout this process, and I'm glad that you're now joining me to speak up on the same topic. 
> 
> In fact, that is the very reason why I think cross-site tracking is a better paradigm than the imperfect proxy of first vs third partyness. While I'm open to sticking with 1st vs 3rd if that's how the consensus emerges, cross-site tracking and/or data sharing is a more elegant, less potentially loophole-intensive way to ensure that even the first parties that you interact with are not allowed to share data with third parties after the event has taken place. 
> 
> For the record, and speaking for myself, where I raise objections to language proposed by others in the group, it is not out of a desire to find loopholes or somehow defile the spirit of the committee's work;  it's typically because of a concern that a given set of proposed language is either non-implementable, or a vague, moving target that provides no clear guidance to either companies attempting compliance or regulators seeking to measure that compliance. 
> 
> I've interpreted my role as a co-editor as being someone who is enabling of group consensus, not controlling of the process. In that spirit I commit to listening to my counterparts in Brussels with an open mind and working to come up with a standard that is good for users and implementable by companies. I trust that you, and the rest of the committee as well, will do the same. 
> 
> sean
> 
> 
> 
> 
> 
> 
> 
> 
> On Tue, Jan 17, 2012 at 4:55 PM, Rigo Wenning <rigo@w3.org> wrote:
> Kevin,
> 
> On Tuesday 17 January 2012 09:02:16 Kevin Smith wrote:
> > I was not actually commenting on W3C procedure as much as I was mentioning
> > that it seems trivial and inefficient to argue over specific wording when
> > the underlying decisions have yet to be made, especially when making those
> > decisions will also resolve the argument as well, which I believe to be the
> > case here.
> 
> First of all, I think the "cross-site" or 1st vs 3rd party were all very
> clever diversions to save the analytics business. In fact, as long as the web
> site owner collects data (and any kind of data and whatever data) this is just
> fine. <irony>Only those evil ad networks have brought us into trouble. They are
> evil third parties doing cross-site tracking and analysis</irony>
> 
> But in the US context (that triggers all the debate about first/third cross-
> site/original) it doesn't matter at all, who collects the data as they can
> exchange it freely in the back end. There is no general privacy law, let alone
> one on data protection. And because data serves innovation, the US government
> is very reluctant to just mow data collection down.
> 
> I am personally (and not as W3C) reluctant to make those distinctions. Because
> I think the Web and its direct connection between all actors will be much
> smarter than any kind of distinction we can come up with.
> 
> But it would be on the other hand a bit derailing for the discussion, if I
> would now ask to focus on a risk analysis. What do we want to protect? Is it
> mere compliance to a feared regulator action while privacy is also a defense
> against the regulating government? If this risk analysis has a result that
> certain collection practices done by first parties within the same side are
> endangering democracy, we shouldn't glue to false principals and address that.
> 
> If on the other hand, some third party collections are just Ok, I don't see
> why we should demonize that collection only because it is "cross-site"  or
> "third party".
> 
> And everybody waits that we deliver quickly. So can we really afford changing
> that discussion? Frankly, I don't know. On the other hand, remaining in the
> technology trenches doesn't buy us much either. Delaying doesn't further
> privacy protection on the web and increases the eagerness for harsh
> countermeasures of technologic and social nature by those waiting for us to
> deliver something.
> 
> >
> > The question of our ultimate objective needs to be answered.
> 
> I agree with you. But you have to start thinking about what you can give up.
> And clearly state what you can't give up and why. (without revealing business
> secrets.. ) What is the risk we try to tackle and what is the benefit we'll
> lose?
> >
> > One proposed objective is:
> >
> > **To provide a mechanism whereby a user can indicate preference to disallow
> > cross-site tracking**
> 
> See and others say, DNT is to provide a mechanism to indicate a preference
> full stop. By introducing the "cross-site" you draw the discussion about the
> "ultimate objective" into the TPE Spec where it does NOT belong IMHO. Because
> the use of that tool will perhaps change by region and over time.
> >
> > I do not believe I am alone in thinking that we at one time had consensus
> > that this was our objective.  However, I am no longer sure this is the
> > case.  It sounds like some parties would prefer an objective closer to:
> >
> > Prevent cross-tracking + X
> 
> I never had the impression of such a consensus. But coming back to process. It
> is on the chairs to state whether they see (and suggest a wording for) a
> consensus.
> >
> > However, I have not seen any clear proposals as to what X should be.
> 
> See above. There were many concerns expressed, many times, in the Workshops
> predating the WG and in WG discussions. See my remarks above about a risk-
> based discussion..
> 
> > I have
> > seen a few suggestions focusing on different privacy related issues, but
> > nothing comprehensive nor anything that has gained any real traction within
> > the group as a whole.
> 
> Which is fragmentation. And fragmentation is the opposite of consensus as far
> as I understand it. We should intelligently seek for common grounds between
> the parties instead of defending the trenches.
> 
> > However, if the group decides to expand upon or
> > completely go away from the objective of preventing cross-site tracking,
> > then I am confident that the documents will be changed
> > accordingly.
> 
> I think it will be impossible to only address the "cross-site" aspects of the
> massive profiling that is happening without risking to be accused to try to
> escape from the real issues.
> 
> How do you prevent abuse of such profiles? What aspects of consumer protection
> are we willing to honor if a user indicates by setting DNT that he wants to be
> left alone for a moment.
> But how can we manage to make the "opt-back-in" really easy and a tool for
> businesses with good practices? So that they gain advantages in the market and
> acquire more users than the evil guys who just rip off every bit they can get?
> If convincing users to allow data collection is hard, DNT has missed an
> opportunity.
> 
> > Likewise, if the objective is once again (or perhaps for the
> > first time) solidified as mentioned above, then most objections to the
> > current language will likely dissipate leaving only organizational
> > discussions remaining on this topic.
> 
> I think the conflict around the terminology here is just a proxy war around
> certain collection practices. But I confess that we are doing our
> argumentation in public and it is probably necessary to have indirect
> argumentation.
> >
> > I therefore recommend again that this topic be tabled until at least the
> > above decision has been made.
> 
> I agree it is not good for our discussion to make a show-down on "cross-site"
> vs not "cross-site". Because "cross-site" is as difficult a distinction as 1st
> vs 3rd party. Additionally, "cross-site", by logic, requires two parties. A
> first and a second/third party.
> 
> Whether data is collected via 10 first parties using the same analytics
> provider or by 1 third party being embedded into 10 sites doesn't really
> matter. Does it? Can they afford to let some of the traffic drop out? How much
> can drop out until the analysis is not accurate enough anymore to make sense?
> 
> Best,
> 
> Rigo
> 
> 
> 
> 
> 
> -- 
> Sean Harvey
> Business Product Manager
> Google, Inc. 
> 212-381-5330
> sharvey@google.com

----------
John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd. ,Suite 200
Santa Monica, CA,90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org
john@consumerwatchdog.org
Received on Wednesday, 18 January 2012 01:58:25 UTC