DNT Compliance and Audit Services (ACTION-56, ISSUE-21)

A lot of text here, much of it non-normative, but the intent was to provide a foundation for defining compliance and audit services that can later be distilled and captured in the Compliance document. It has a linkage to the response header thread in the TPE doc. A natural offspring of this discussion was the tracking policy, so a strawman list of its components is provided at the end as a starting point.



<Description>
To ensure the integrity of the DNT system, a compliance regime is necessary for the various stakeholders.  Ultimately, data collection and usage involves systems that exhibit certain externally observable behavior, but primarily involves proprietary data systems that are not observable. 
 
As such, two possible mechanisms for compliance can exist: 1) external monitoring capabilities and 2) audit and oversight.   A complement of both systems is recommended for DNT and each will be discussed below.
 
 
<External Compliance Mechanisms>
Note: Compliance systems can be provided in various manners, and for completeness each will be discussed, though some of these are ultimately implementation specifications or recommendations for user agents or potential third-party add-ons.
 
It should be emphasized that Compliance agents may provide more advanced technological monitoring and analysis than the typical user agent and user. As such, the “user” of the DNT system should be considered a separate entity from the Compliance agent. Certain requirements in the DNT specifications can be assumed to be present for both, but potentially only used by a Compliance agent.

A firm requirement for any compliance monitoring is a response header from the server, universally across the system.
 
1. User. At this level, compliance is defined as a set of interfaces that allow the user to be aware of any conflicts with their preferences, plus an audit file of all exhibited behavior so the user can self-audit. Examples include:
	a. The user agent should provide the user clean, simple methods to ensure her DNT preferences are honored by the appropriate first and third parties.
	b. The user agent should alert the user to any conflicts that exceed the user’s expectations, for example when a user preference of DNT:1 is responded to with an exception, especially if that exception is not registered in the user agent or was agreed to outside the DNT user agent system.
		i. The user agent should record all DNT interactions, much like the current cookie history.
		ii. The user agent should easily provide the user with info on where they can interact directly with the tracking party for more details.
	c. Browser add-ons should have access to this data to provide more granular features for interested users.
 
2. First Party (e.g., Publisher)
	a. A first party may wish to monitor the behavior of third parties on its property to ensure that its privacy policy covers all behavior on its web property and that only compliant third parties are present.
	b. This type of monitoring would involve the ability to monitor all HTTP requests to and responses from third parties on the publisher’s site.
	c. This also includes third parties working in a data processor construct, and both authorized and unauthorized third parties.
 
3. Compliance Authority
	a. All tracking responses MUST include a DNT response header to enable external auditing by a compliance authority.
	b. A compliance authority, via a user agent add-on or an independent external monitoring service, can monitor header responses under certain user agent personas, e.g., where DNT:1 and DNT:0 are each used to view the header responses and the response behaviors are compared.
	c. If exceptions are stated, the compliance authority will want to view and understand the machine-readable tracking statement and available privacy policies in a scalable, automated fashion.
		i. Suggested elements for this policy are included below as a sample.
	d. Additionally, in certain jurisdictions it may be relevant to monitor the base-state response from servers for all users, regardless of DNT user agent settings, to ensure that prior explicit consent mechanisms are in place.
 
It should be noted that in all instances these DNT response headers and tracking policies are assumed to be self-asserted technical mechanisms of compliance that are supported by any publicly facing tracking or privacy statements.
 
<Certification, Audit and Industry Oversight>
To provide an additional level of assurance to all stakeholders within the ecosystem, the privacy policy and associated tracking processes should be certified and monitored by an appropriate third party organization designed to provide such services.   Audit is defined as a process by which an organization is interrogated through any combination of technical, remote and in-person mechanisms to evaluate compliance of systems against an agreed-to standard.
 
A set of clearly stated program principles or program requirements should be available to develop an appropriate certification and monitoring program. Included in these documents are specifics around requirements for gaining certification and maintaining compliance and any enforcement mechanisms that are in place.
 
A recommended strawman set of activities involved in such a process may include:
 
1. Simulation of users under a set of personas that will cover typical requirements across various personas and legal jurisdictions
2. Technical verification of header responses
3. Technical verification of data systems clearly illustrating the integrity of the opt-out process as specified by the compliance document, including:
	a. Verification of data system processes to clearly identify siloing for business practice
	b. Verification of data system processes to clearly identify siloing for removal from core operations (including any deletion requirements, if present)
4. Verification of the stated exception policy for accuracy (see below for some suggestions of policy elements)
5. Verification of the privacy policy for accuracy
6. Ongoing, in-the-field monitoring to ensure continued compliance

Note: there may be a certification to allow data companies to prove they are NOT tracking under the current DNT definition of "tracking."
 
 
<Suggestions for Machine Readable Tracking Policy>
1. Name of company
2. URL of company (corporate)
3. Tracking domains used by company
4. Statement of compliance to DNT
	a. Jurisdictional statements if necessary (US vs. EU, e.g.)
5. Statement of exceptions to DNT
6. URL of full privacy policy
7. Date of privacy policy
8. URL of out-of-band choice mechanism
9. Certification authority or oversight organization (0 if none, URL if present)
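Added example, not part of the original post: a small Python audit tool in the spirit of item 3 under External Compliance Mechanisms above (compare the DNT:1 and DNT:0 personas, require a DNT response header on every third-party response, and read the self-asserted tracking policy to judge declared exceptions), combined with a validator for the nine policy elements just listed. Everything it assumes is labelled: the policy is represented as a dict keyed by those nine elements (the post fixes no format), the server's DNT response header is called "DNT-Response" as a placeholder and only its presence is checked (the post names no header and no values), third-party detection compares the last two DNS labels as a rough stand-in for the registrable domain (a real tool would use the Public Suffix List), and the HTTP exchanges are constructed inline rather than captured from a real site.

```python
"""Differential DNT persona audit plus tracking-policy validation.

Added example, not part of the original post. Assumptions: the policy is a
dict of the nine suggested elements, the DNT response header is named
"DNT-Response" as a placeholder, sites are matched on the last two DNS
labels, and all sample data below is constructed.
"""
import re
from urllib.parse import urlparse

RESPONSE_HEADER = "dnt-response"  # placeholder header name (assumption); value is not interpreted

POLICY_FIELDS = (
    "company_name", "company_url", "tracking_domains", "dnt_compliance",
    "dnt_exceptions", "privacy_policy_url", "privacy_policy_date",
    "out_of_band_choice_url", "certification_authority",
)


def _is_url(value):
    p = urlparse(str(value))
    return p.scheme in ("http", "https") and bool(p.netloc)


def validate_policy(policy):
    """Return a list of problems; an empty list means the policy is well-formed."""
    problems = ["missing field: " + f for f in POLICY_FIELDS if f not in policy]
    if problems:
        return problems
    for f in ("company_url", "privacy_policy_url", "out_of_band_choice_url"):
        if not _is_url(policy[f]):
            problems.append(f + " is not an http(s) URL")
    domains = policy["tracking_domains"]
    if not domains or any(d != d.lower().strip() for d in domains):
        problems.append("tracking_domains must be a non-empty list of lowercase hostnames")
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", str(policy["privacy_policy_date"])):
        problems.append("privacy_policy_date must be YYYY-MM-DD")
    cert = policy["certification_authority"]
    if cert != 0 and not _is_url(cert):  # post: "0 if none, URL if present"
        problems.append("certification_authority must be 0 or a URL")
    return problems


def _site(url):
    """Last two labels of the host: an approximation of the registrable domain."""
    return ".".join(urlparse(url).hostname.split(".")[-2:])


def is_third_party(request_url, first_party_url):
    return _site(request_url) != _site(first_party_url)


def audit(first_party_url, policies, exchanges):
    """Audit third-party responses seen under the DNT:1 and DNT:0 personas.

    exchanges: dicts with keys persona ("DNT:1" or "DNT:0"), url, headers
    (response headers). Returns a sorted list of finding strings.
    """
    declared = {d for pol in policies for d in pol["tracking_domains"]}
    excepted = {d.lower() for pol in policies for d in pol["dnt_exceptions"]}
    findings, by_url = set(), {}
    for ex in exchanges:
        if not is_third_party(ex["url"], first_party_url):
            continue  # first-party traffic is out of scope for this check
        host = urlparse(ex["url"]).hostname
        headers = {k.lower(): v for k, v in ex["headers"].items()}
        if RESPONSE_HEADER not in headers:
            findings.add(f"{host}: no DNT response header under {ex['persona']}")
        if host not in declared:
            findings.add(f"{host}: third party not covered by any tracking policy")
        by_url.setdefault(ex["url"], {})[ex["persona"]] = headers
    for url, personas in by_url.items():
        host = urlparse(url).hostname
        # A cookie set under DNT:1 is acceptable only for a declared exception domain.
        if "set-cookie" in personas.get("DNT:1", {}) and host not in excepted:
            findings.add(f"{host}: sets a cookie under DNT:1 without a declared exception")
    return sorted(findings)


# Constructed sample data (not from any real site); header values are placeholders.
SAMPLE_POLICY = {
    "company_name": "Example Tracking Co.", "company_url": "https://tracker.example/",
    "tracking_domains": ["ads.tracker.example", "beacon.tracker.example"],
    "dnt_compliance": "Honors DNT:1 except as stated", "dnt_exceptions": ["beacon.tracker.example"],
    "privacy_policy_url": "https://tracker.example/privacy", "privacy_policy_date": "2012-01-31",
    "out_of_band_choice_url": "https://tracker.example/choices", "certification_authority": 0,
}


def _ex(persona, url, headers):
    return {"persona": persona, "url": url, "headers": headers}


SAMPLE_EXCHANGES = [
    _ex("DNT:0", "https://cdn.publisher.example/a.js", {}),  # first party: skipped
    _ex("DNT:0", "https://ads.tracker.example/ad", {"DNT-Response": "t", "Set-Cookie": "id=1"}),
    _ex("DNT:1", "https://ads.tracker.example/ad", {"DNT-Response": "n"}),  # honors DNT:1
    _ex("DNT:0", "https://beacon.tracker.example/b", {"DNT-Response": "t", "Set-Cookie": "id=2"}),
    _ex("DNT:1", "https://beacon.tracker.example/b", {"DNT-Response": "t", "Set-Cookie": "id=2"}),
    _ex("DNT:0", "https://pixel.unknown.example/p.gif", {"Set-Cookie": "u=3"}),
    _ex("DNT:1", "https://pixel.unknown.example/p.gif", {"Set-Cookie": "u=3"}),
]


def run_sample():
    """Validate the sample policy and audit the sample exchanges."""
    return validate_policy(SAMPLE_POLICY), audit("https://publisher.example/", [SAMPLE_POLICY], SAMPLE_EXCHANGES)


if __name__ == "__main__":
    problems, findings = run_sample()
    print("policy problems:", problems or "none")
    print("\n".join(findings))
```

Run as a script, the sample reports no policy problems and four findings, all against pixel.unknown.example: no DNT response header under either persona, a cookie set under DNT:1 with no declared exception, and no tracking policy covering the host. The declared exception domain beacon.tracker.example sets the same cookie under both personas but passes, which is exactly why item 3(c) wants the exception statement to be machine-readable: the differential check alone cannot tell an honored exception from a violation.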

Received on Wednesday, 1 February 2012 00:18:00 UTC