Re: ACTION-152 - Write up logged-in-means-out-of-band-consent from Rigo Wenning on 2012-04-02 (public-tracking@w3.org from April 2012)

From: Rigo Wenning <rigo@w3.org>
Date: Mon, 02 Apr 2012 17:25:11 +0200
To: public-tracking@w3.org
Cc: Alan Chapell <achapell@chapellassociates.com>, Jeffrey Chester <jeff@democraticmedia.org>, Shane Wiley <wileys@yahoo-inc.com>, Jonathan Mayer <jmayer@stanford.edu>, David Singer <singer@apple.com>, John Simpson <john@consumerwatchdog.org>
Message-ID: <2324610.XpI4R7etO0@hegel.sophia.w3.org>

On Monday 02 April 2012 09:54:26 Alan Chapell wrote:
> On 4/1/12 4:06 PM, "Rigo Wenning" <rigo@w3.org> wrote:
> >1/ we do not set standards at W3C, we issue Recommendations. Being
> 
> Thanks for the clarification, Rigo. You may want to direct this to
> Jonathan and Jeff - as they are the ones that seem to be pushing for this
> group to create consent standards. (Jonathan and Jeff - if there's a
> nuance I'm missing, please let me know.)

I think they understand that the consent requirement we would create are 
scoped solely to the compliance of the W3C Specification and not some 
general rule as only a legislator can issue it (and there are over 192 of 
those world wide)

[...]
> >3/ Whether our factual specifications are accepted as "consent",
> >"meaningful consent" or "informed consent" is not up to the Group as 
those
> >definitions are under a different sovereignty. But what we can discuss is
> >whether we want to align with requirements as defined elsewhere. We 
> >do that e.g. by trying to get some EU blessing with our tool so that it 
is
> >really really useful for industry there and by inviting those others to 
our
> >table.
> 
> I'm not sure how aligning with a single jurisdiction's definition of
> consent isn't tantamount to creating a pan-world consent standard based
> upon that single jurisdictions laws. What works in the EU may not work
> elsewhere. Again - I may be missing a nuance here.

I think you are. Please do not overlook the "e.g." I wrote. It is the other 
way around. We do some technical specification and it is on every region to 
accept that and give it a useful role in their system (or not). And we would 
be ill advised not to take into account feedback whether our stuff is useful 
in a regional system or not. But W3C is not the organization that can decide 
on whether our Specifications are useful in a certain region. So the EU will 
decide on EU things and the US will decide on US things. And we can use the 
W3C platform to provide a tool. Or fall back into the trenches. 

[...]
> >This
> >will open the path back to the deep legalese that allows for all those
> >nice
> >surprises*.
> 
> I like the coffee example - But the FTC and other regulators already have
> recourse if a business engages in these types of surprises. Do you agree?

We wouldn't be here if the regulators had a better idea on how to solve 
those issues. They let us try as they think the industry has the technical 
experts and maybe something useful comes out before they do some SOPA 
on the industry.  So this is an opportunity the regulator gives us, not an 
argument to fall back on letting the regulator do stuff. I encourage you to 
see our effort here as an opportunity. At least I see it like this. 

> >Accordingly, we are back into reading 22 pages of legalese
> >as they can tell whether the DNT signal will be ignored. And this would
> >even be compliant.
> 
> Again - regulators are free to take action to the extent they believe that
> 22 pages of legalese are unfair or deceptive based upon that jurisdictions
> legal framework.

You misunderstood IMHO. It is on W3C to decide what should be compliant to 
W3C DNT and it will use its process to come to a fair result. W3C decides on 
W3C Specifications. And if W3C, within the process, decides that some "out 
of band" event hidden in 22 pages of legalese is not sufficient to claim 
compliance with the W3C Specification, then W3C is just deciding on its 
Specification, not on the US or EU legal system. See my email to Shane to 
understand that you can't have the cake and eat it too. (But you can always 
try)
> 
> > This being compliant affects the value of the W3C Specification.

> 
> I think Shane has been pretty clear here. User consent trumps DNT.

In terms of a US legal perspective, you may be right. I haven't assessed any 
of that. But there is no consent in the Group that out of band agreements 
allow you to ignore the signal and still claim compliance with the W3C DNT 
Specifications. And unless we accept Shane's wording, which I'm against, I 
wouldn't agree that the requirements of the DNT Specifications are fulfilled 
by ignoring the DNT signal thus allowing someone to claim compliance. 

> 
> >2/ Re-consider JC's solution to give DNT a meaning in a logged-in
> >scenario
> >(David, I disagree that this would be too subtle)
> >
> >3/ require "direct interaction"
> >
> >4/ explore the browser-maker outrage if we start telling them they should
> >show
> >us when we are logged in to something
> >
> >5/ Define the meaning of "logged in" for the compliance with the W3C
> >Specification
> >
It is unfortunate that we do not look forward in a creative way and consider 
some of the solutions. So far, you haven't considered the solutions proposed 
above.

Best, 

Rigo

Received on Monday, 2 April 2012 15:25:45 UTC