Re: TPE Handling Out-of-Band Consent (including ISSUE-152)

Hi Justin,

I do not know where the 53 weeks come from.

(a) If you have OOB consent, all bets are off (keeping data for 53 weeks 
is possible)

(b) If you do not have OOB consent, cleansing must be fast (ideally 
within the bounds of permitted temporary storage; I believe that more 
than 48h does not make sense).
Storing for 53 weeks without consent clearly IMHO violates the 
spirit of a DNT:1 desire.

The point here is not that responding to DNT:1 is infeasible. The point 
(that I believe to be the point) is that companies want to continue to 
use their valuable consent that has been collected through other means 
(called OOB consent) while still being able to comply with DNT.

Matthias


On 22/03/2013 20:29, Justin Brookman wrote:
> The 48 hours doesn't really matter if a consumer doesn't have 
> visibility into the answer.  And anyway, in either case, you are 
> seeking to hold and use the data for up to 53 weeks pursuant to the 
> proposed market research exception.
>
> I still do not understand why you cannot operate in-band or otherwise 
> configure the user agent to send DNT:0 signals using your client-side 
> software.  I'm sure there are engineering costs and challenges to all 
> parties represented in the working group, but I had not heard before 
> that responding to DNT:1 and DNT:0 signals would be technologically 
> unfeasible (which would seemingly be more so for third parties without 
> client-side software).
>
> I also don't see how a conditional "C" signal helps.  Without 
> definitive, machine-readable signals, it's hard to see how this system 
> is accountable.  There is currently no general auditing requirement in 
> the standard, and I would be reluctant to put one in as an unnecessary 
> burden and expense.
>
> Justin Brookman
> Director, Consumer Privacy
> Center for Democracy & Technology
> tel 202.407.8812
> justin@cdt.org
> http://www.cdt.org
> @JustinBrookman
> @CenDemTech
>
> On 3/22/2013 3:06 PM, Ronan Heffernan wrote:
>> I sent a correction earlier, but I think our emails crossed.  In case 
>> you did not notice, I am talking about a very short time, perhaps on 
>> the order of 48 hours, not 53 weeks, to allow the system to determine 
>> whether an OOBC exists.  Another difference is that the 
>> OOBC-not-found condition might trigger a normal, DNT-compatible 
>> de-identification of the data from non-OOBC users, rather than a 
>> discard of all of that data.  That is a minor difference from a DNT 
>> perspective, but I want to be clear.
>>
>> --ronan
>>
>>
>> On Fri, Mar 22, 2013 at 1:53 PM, David Singer <singer@apple.com> wrote:
>>
>>
>>     On Mar 22, 2013, at 10:45, John Simpson
>>     <john@consumerwatchdog.org> wrote:
>>
>>     > If David's characterization of what Ronan is seeking is
>>     > correct, I'd suggest the practice would be incompatible with DNT:1
>>
>>     I kinda hope I am wrong…
>>
>>
>

Received on Tuesday, 26 March 2013 19:15:53 UTC