- From: Justin Brookman <justin@cdt.org>
- Date: Wed, 09 May 2012 12:16:07 -0400
- To: "public-tracking@w3.org" <public-tracking@w3.org>
- Message-ID: <4FAA9847.1010002@cdt.org>
On 5/8/2012 3:08 AM, Roy T. Fielding wrote: > On May 7, 2012, at 8:32 PM, Justin Brookman wrote: > >> >> You say that this language is not necessary for interoperability. >> I'm saying that the language (or comparable language) is necessary to >> accomplish the stated mission of this working group, which is to >> improve user privacy and user control over tracking. > > We can completely remove it from the spec and it would not lower > the user's privacy nor remove control over tracking. If a site has > the user's consent to do something, then by definition the site > does not violate the user's control by doing that something. > It is the site's responsibility to ensure that it has consent > to override DNT before it does so. Perhaps this the crux of our disagreement. You believe that so long as a company has legally valid consent to track, then by definition there can be no privacy concerns. I would like to believe this is the case, but I think history has shown that dense contracts of adhesion can be used to obtain what is arguably legal consent to privacy violations that a user doesn't want or understand. The FTC's Sears settlement is a good example --- there, Sears included a contractual term within a long contract that reserved broad rights to track a user's web activity. Legally speaking, that may well have been consent, but the FTC said that Sears nevertheless violated deceptive practices by failing to clearly and conspicuously disclose the practice in a clear and conspicuous manner outside of the contract. However, the case was never litigated. Here, I do believe that if a company only asserted the ability within a EULA or privacy policy user consent to track despite a clear user instruction not to track, then that consent would be invalid or the practice would be otherwise illegal, but the law is far from settled. There is at least an argument that the practice would not be illegal in some jurisdictions, though I think most of us are agreed that it would constitute a clear violation of user's privacy and expectations. As we have all agreed several times now, we cannot change law, but we can set a standard that protects user privacy. I do not believe that requiring express, informed consent (or permission, whatever) to ignore the DNT signal and providing a couple of what are non-controversial examples of what that means adds any uncertainty for companies --- to the contrary, the existing legal regime(s) on consent and reasonably expectations of privacy are extraordinarily vague and confusing as is. If there are *any* use cases that you think this language limits, please explain them. Again, I fail to see how providing an example that notice only in a privacy policy is not express, informed consent (permission) for this spec is burdensome or undesirable. And it would have the clear benefit of giving guidance to potentially deceptive actors and some confidence to consumer advocates that this spec will actually achieve its goals.
Received on Wednesday, 9 May 2012 16:16:44 UTC