RE: Mandatory Legal Process (ACTION-57, ISSUE-28) from Shane Wiley on 2012-01-31 (public-tracking@w3.org from January 2012)

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Tue, 31 Jan 2012 11:22:39 -0800
To: John Simpson <john@consumerwatchdog.org>, "Amy Colando (LCA)" <acolando@microsoft.com>
CC: Joanne Furtsch <jfurtsch@truste.com>, MeMe Rasmussen <meme@adobe.com>, Tom Lowenthal <tom@mozilla.com>, Jonathan Mayer <jmayer@stanford.edu>, David Singer <singer@apple.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <63294A1959410048A33AEE161379C8023D0C42593B@SP2-EX07VS02.ds.corp.yahoo.com>
Agreed - NO text seems like the appropriate path (in agreement with Amy and John).

- Shane

From: John Simpson [mailto:john@consumerwatchdog.org]
Sent: Tuesday, January 31, 2012 12:11 PM
To: Amy Colando (LCA)
Cc: Joanne Furtsch; MeMe Rasmussen; Shane Wiley; Tom Lowenthal; Jonathan Mayer; David Singer; public-tracking@w3.org
Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)

Is text necessary?  How could a technical specification override applicable laws and regulations? I'd say NO text.


On Jan 30, 2012, at 3:47 PM, Amy Colando (LCA) wrote:


In order to make sure that W3C process is moving along, I am formally proposing alternative text for Issue 28 as follows:

either NO text at all on this point, or text that states the fact that "this specification is not intended to override applicable laws and regulations."

(Matthias, please pester me separately if this is not what you need.)

-----Original Message-----
From: Joanne Furtsch [mailto:jfurtsch@truste.com]
Sent: Wednesday, January 25, 2012 8:47 PM
To: MeMe Rasmussen; Amy Colando (LCA)
Cc: Shane Wiley; Tom Lowenthal; Jonathan Mayer; David Singer; public-tracking@w3.org<mailto:public-tracking@w3.org>
Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)

Another +1 to Shane and Amy.  Shane's recommendation makes sense - adding some language to the preamble as to what the standard does not intend do.

On 1/25/12 11:26 AM, "MeMe Rasmussen" <meme@adobe.com<mailto:meme@adobe.com>> wrote:


+1 to Shane and Amy.  I actually don't even think we need Shane's
language.  It goes without saying that parties should comply with the
law and that a standard wouldn't override law.  I don't have a problem
saying it. I just think it is unnecessary. I tend to be a proponent if
less is more.

Sent with my thumbs. Please excuse typos.

On Jan 25, 2012, at 7:13 PM, "Amy Colando (LCA)"
<acolando@microsoft.com<mailto:acolando@microsoft.com>>
wrote:

I agree with Shane that the text should simply state that there may
be legal requirements that this standard is not intended to override.

As a very realistic example, not only are entities required to comply
with potentially differing breach notification laws, but in some cases
are subject to legal subpoenas (as for example in cases of child
pornography investigations) where disclosure to the subject is
expressly prohibited by the terms of the subpoena.

I recommend strongly that we stick to the technical standards
necessary for interpreting the DNT signal without attempting to
overwrite state and federal laws (and in a very timely manner, EU
directives) on data breach and required disclosures.  The more
additional legal requirements we hitch to this standard, the more
complex and daunting the implementation becomes for websites.

-----Original Message-----
From: Shane Wiley [mailto:wileys@yahoo-inc.com]
Sent: Wednesday, January 25, 2012 10:57 AM
To: Tom Lowenthal; Jonathan Mayer
Cc: David Singer; public-tracking@w3.org<mailto:public-tracking@w3.org>
Subject: RE: Mandatory Legal Process (ACTION-57, ISSUE-28)

Tom,

I look forward to broader discussion on this issue.  In many
jurisdictions we already have both legal process disclosure and
security breach laws and I don't believe the DNT Specification is the
appropriate location for use to somehow alter a parties
responsibilities in those matters.  It honestly feels like an overreach (but a well intended one).

- Shane

-----Original Message-----
From: Tom Lowenthal [mailto:tom@mozilla.com]
Sent: Wednesday, January 25, 2012 7:50 PM
To: Jonathan Mayer
Cc: David Singer; public-tracking@w3.org<mailto:public-tracking@w3.org>; Shane Wiley
Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)

I think that Jonathan's proposal makes much more sense when
considered form the perspective of the user, and their threat model
regarding their data.. When they switch on DNT, they're trying to
limit their data going to third parties. If we permit third parties to
collect some data anyway, this third-party data isn't meaningfully
accounted for in the user's mental model of where their data is. If it
wanders off, they should be alerted about it.

It's an additional safeguard on data collected by third parties. If
you're a third party then your data collection is significantly
limited by DNT: you can only collect it for certain enumerated
purposes, you have to engage in minimization and sometimes reasonable
technical or operational precautions. This is just another defense
that users' get for third-party data collection.

However, I do agree with you Shane that the addition of this
responsibility just for legal process is a little odd. It would
probably make more sense to apply this to involuntary data disclosure
of any form, whether through legal process or a data breach. I further
agree with Sean that this is a new provision, and should probably get
an issue, and some time on the call. On the plus side, we basically
already have draft text!

On Wed 25 Jan 2012 07:25:40 PM CET, Jonathan Mayer wrote:
Some relevant U.S. legal background: web tracking may soon fall
within the Fourth Amendment's compelled disclosure rules.

>From Justice Sotomayor's concurrence in United States v. Jones:

More fundamentally, it may be necessary to reconsider the premise
that an individual has no reasonable expectation of privacy in
information voluntarily disclosed to third parties. E.g., Smith, 442
U. S., at 742; United States v. Miller, 425 U. S. 435, 443 (1976).
This approach is ill suited to the digital age, in which people
reveal a great deal of information about themselves to third parties
in the course of carrying out mundane tasks. People disclose the
phone numbers that they dial or text to their cellular providers;
the URLs that they visit and the e-mail addresses with which they
correspond to their Internet service providers; and the books,
groceries, and medications they purchase to online retailers.
Perhaps, as Justice Alito notes, some people may find the tradeoff
of privacy for convenience worthwhile, or come to accept this
diminution of privacy as inevitable, post, at 10, and perhaps not. I
for one doubt that people would accept without complaint the
warrantle
ss disclosure to the Government of a list of every Web site they had
visited in the last week, or month, or year.

On Jan 25, 2012, at 7:22 PM, Jonathan Mayer wrote:

The text I've proposed addresses web information practices for DNT
users.  By all means argue why organizations shouldn't inform their
users of compelled disclosure, but I think this text is
unambiguously within the working group's scope.

On Jan 25, 2012, at 7:15 PM, Shane Wiley wrote:

I believe attempts to "add on" to the party responsibilities
within legal process "outside of the DNT standard" is outside of
scope of the working group.  Instead I would suggest the preamble
of each document simply state "this standard is not intended to
override local, state, or country law."

- Shane

-----Original Message-----
From: Tom Lowenthal [mailto:tom@mozilla.com]
Sent: Wednesday, January 25, 2012 7:11 PM
To: David Singer; public-tracking@w3.org<mailto:public-tracking@w3.org>
Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)

I don't think we need anything apart from Jonathan's text. I'd
argue that for process applied to data collected in a third party
capacity, notification is a must; for first party data, a should;
and for any breach where you must notify some users, you must notify all users.

On Wed 25 Jan 2012 06:43:06 PM CET, David Singer wrote:

On Jan 25, 2012, at 16:12 , Jonathan Mayer wrote:

Proposed text:

A party MAY take action contrary to the requirements of this
standard if compelled by mandatory legal process.  To the extent
allowed by law, the party MUST (SHOULD? MAY? non-normative?)
notify affected users.

which means we need a 'legal exception'?



David Singer
Multimedia and Software Standards, Apple Inc.








Confidentiality Notice: The contents of this e-mail (including any
attachments) may be confidential to the intended recipient, and may
contain information that is privileged and/or exempt from disclosure
under applicable law. If you are not the intended recipient, please
immediately notify the sender and destroy the original e-mail and any
attachments (and any copies that may have been made) from your system
or otherwise. Any unauthorized use, copying, disclosure or distribution
of this information is strictly prohibited. <ACL>






----------
John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd. ,Suite 200
Santa Monica, CA,90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org<http://www.ConsumerWatchdog.org>
john@consumerwatchdog.org<mailto:john@consumerwatchdog.org>
Received on Tuesday, 31 January 2012 19:23:26 UTC