- From: Joanne Furtsch <jfurtsch@truste.com>
- Date: Wed, 25 Jan 2012 20:46:36 -0800
- To: MeMe Rasmussen <meme@adobe.com>, "Amy Colando (LCA)" <acolando@microsoft.com>
- CC: Shane Wiley <wileys@yahoo-inc.com>, Tom Lowenthal <tom@mozilla.com>, Jonathan Mayer <jmayer@stanford.edu>, David Singer <singer@apple.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Another +1 to Shane and Amy. Shane's recommendation makes sense - adding some language to the preamble as to what the standard does not intend to do.

On 1/25/12 11:26 AM, "MeMe Rasmussen" <meme@adobe.com> wrote:

> +1 to Shane and Amy. I actually don't even think we need Shane's language. It goes without saying that parties should comply with the law and that a standard wouldn't override law. I don't have a problem saying it. I just think it is unnecessary. I tend to be a proponent of less is more.
>
> Sent with my thumbs. Please excuse typos.
>
> On Jan 25, 2012, at 7:13 PM, "Amy Colando (LCA)" <acolando@microsoft.com> wrote:
>
>> I agree with Shane that the text should simply state that there may be legal requirements that this standard is not intended to override.
>>
>> As a very realistic example, not only are entities required to comply with potentially differing breach notification laws, but in some cases are subject to legal subpoenas (as for example in cases of child pornography investigations) where disclosure to the subject is expressly prohibited by the terms of the subpoena.
>>
>> I recommend strongly that we stick to the technical standards necessary for interpreting the DNT signal without attempting to overwrite state and federal laws (and in a very timely manner, EU directives) on data breach and required disclosures. The more additional legal requirements we hitch to this standard, the more complex and daunting the implementation becomes for websites.
>>
>> -----Original Message-----
>> From: Shane Wiley [mailto:wileys@yahoo-inc.com]
>> Sent: Wednesday, January 25, 2012 10:57 AM
>> To: Tom Lowenthal; Jonathan Mayer
>> Cc: David Singer; public-tracking@w3.org
>> Subject: RE: Mandatory Legal Process (ACTION-57, ISSUE-28)
>>
>> Tom,
>>
>> I look forward to broader discussion on this issue. In many jurisdictions we already have both legal process disclosure and security breach laws and I don't believe the DNT Specification is the appropriate location for us to somehow alter a party's responsibilities in those matters. It honestly feels like an overreach (but a well intended one).
>>
>> - Shane
>>
>> -----Original Message-----
>> From: Tom Lowenthal [mailto:tom@mozilla.com]
>> Sent: Wednesday, January 25, 2012 7:50 PM
>> To: Jonathan Mayer
>> Cc: David Singer; public-tracking@w3.org; Shane Wiley
>> Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
>>
>> I think that Jonathan's proposal makes much more sense when considered from the perspective of the user, and their threat model regarding their data. When they switch on DNT, they're trying to limit their data going to third parties. If we permit third parties to collect some data anyway, this third-party data isn't meaningfully accounted for in the user's mental model of where their data is. If it wanders off, they should be alerted about it.
>>
>> It's an additional safeguard on data collected by third parties. If you're a third party then your data collection is significantly limited by DNT: you can only collect it for certain enumerated purposes, you have to engage in minimization and sometimes reasonable technical or operational precautions. This is just another defense that users get for third-party data collection.
>>
>> However, I do agree with you Shane that the addition of this responsibility just for legal process is a little odd. It would probably make more sense to apply this to involuntary data disclosure of any form, whether through legal process or a data breach. I further agree with Sean that this is a new provision, and should probably get an issue, and some time on the call. On the plus side, we basically already have draft text!
>>
>> On Wed 25 Jan 2012 07:25:40 PM CET, Jonathan Mayer wrote:
>>> Some relevant U.S. legal background: web tracking may soon fall within the Fourth Amendment's compelled disclosure rules.
>>>
>>> From Justice Sotomayor's concurrence in United States v. Jones:
>>>
>>> More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. E.g., Smith, 442 U. S., at 742; United States v. Miller, 425 U. S. 435, 443 (1976). This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. Perhaps, as Justice Alito notes, some people may find the tradeoff of privacy for convenience worthwhile, or come to accept this diminution of privacy as inevitable, post, at 10, and perhaps not. I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year.
>>>
>>> On Jan 25, 2012, at 7:22 PM, Jonathan Mayer wrote:
>>>
>>>> The text I've proposed addresses web information practices for DNT users. By all means argue why organizations shouldn't inform their users of compelled disclosure, but I think this text is unambiguously within the working group's scope.
>>>>
>>>> On Jan 25, 2012, at 7:15 PM, Shane Wiley wrote:
>>>>
>>>>> I believe attempts to "add on" to the party responsibilities within legal process "outside of the DNT standard" are outside of the scope of the working group. Instead I would suggest the preamble of each document simply state "this standard is not intended to override local, state, or country law."
>>>>>
>>>>> - Shane
>>>>>
>>>>> -----Original Message-----
>>>>> From: Tom Lowenthal [mailto:tom@mozilla.com]
>>>>> Sent: Wednesday, January 25, 2012 7:11 PM
>>>>> To: David Singer; public-tracking@w3.org
>>>>> Subject: Re: Mandatory Legal Process (ACTION-57, ISSUE-28)
>>>>>
>>>>> I don't think we need anything apart from Jonathan's text. I'd argue that for process applied to data collected in a third party capacity, notification is a must; for first party data, a should; and for any breach where you must notify some users, you must notify all users.
>>>>>
>>>>> On Wed 25 Jan 2012 06:43:06 PM CET, David Singer wrote:
>>>>>>
>>>>>> On Jan 25, 2012, at 16:12 , Jonathan Mayer wrote:
>>>>>>
>>>>>>> Proposed text:
>>>>>>>
>>>>>>> A party MAY take action contrary to the requirements of this standard if compelled by mandatory legal process. To the extent allowed by law, the party MUST (SHOULD? MAY? non-normative?) notify affected users.
>>>>>>
>>>>>> which means we need a 'legal exception'?
>>>>>>
>>>>>> David Singer
>>>>>> Multimedia and Software Standards, Apple Inc.
Received on Thursday, 26 January 2012 04:47:15 UTC