Re: ACTION-152 - Write up logged-in-means-out-of-band-consent from Alan Chapell on 2012-04-02 (public-tracking@w3.org from April 2012)

From: Alan Chapell <achapell@chapellassociates.com>
Date: Mon, 02 Apr 2012 09:54:26 -0400
To: Rigo Wenning <rigo@w3.org>, <public-tracking@w3.org>
CC: Jeffrey Chester <jeff@democraticmedia.org>, Shane Wiley <wileys@yahoo-inc.com>, Jonathan Mayer <jmayer@stanford.edu>, David Singer <singer@apple.com>, John Simpson <john@consumerwatchdog.org>
Message-ID: <CB9F24C9.182E3%achapell@chapellassociates.com>

HI Rigo - comments below.



On 4/1/12 4:06 PM, "Rigo Wenning" <rigo@w3.org> wrote:

>Alan, 
>
>1/ we do not set standards at W3C, we issue Recommendations. Being
>involved in 
>more traditional standardization, I know the difference between both and
>I'm 
>happy to explain, but I assume you know this at least as much as I do.

Thanks for the clarification, Rigo. You may want to direct this to
Jonathan and Jeff - as they are the ones that seem to be pushing for this
group to create consent standards. (Jonathan and Jeff - if there's a
nuance I'm missing, please let me know.)

> 
>
>2/ We do technical specification here. And this means we define a certain
>header that comes with a HTTP GET request. Now we define what the server
>should do in case the server receives that header and wants to be
>compliant to 
>the Recommendation. "Out-of-band" is creating the trouble, because it
>imports 
>troubles from outside in our definition space and we have to decide in
>how far 
>we accept that (see below)
>
>3/ Whether our factual specifications are accepted as "consent",
>"meaningful 
>consent" or "informed consent" is not up to the Group as those
>definitions are 
>under a different sovereignty. But what we can discuss is whether we want
>to 
>align with requirements as defined elsewhere. We do that e.g. by trying
>to get 
>some EU blessing with our tool so that it is really really useful for
>industry 
>there and by inviting those others to our table.

I'm not sure how aligning with a single jurisdiction's definition of
consent isn't tantamount to creating a pan-world consent standard based
upon that single jurisdictions laws. What works in the EU may not work
elsewhere. Again - I may be missing a nuance here.

>
>So, to me, the consent discussion is a wrong discussion here, but has
>some 
>merit. The problem of ISSUE-115 is that a user may not be consciously
>logged 
>in. (see my other email).  By allowing any "out-of-band" agreement to
>trump 
>DNT, ALL other sovereign definitions will trump DNT, whatever they are.
>This 
>will open the path back to the deep legalese that allows for all those
>nice 
>surprises*.

I like the coffee example - But the FTC and other regulators already have
recourse if a business engages in these types of surprises. Do you agree?

> And this is just giving in to any outside authority to invent
>something that may serve as an argument to ignore the DNT signal and
>STILL 
>claim compliance. Accordingly, we are back into reading 22 pages of
>legalese 
>as they can tell whether the DNT signal will be ignored. And this would
>even 
>be compliant.

Again - regulators are free to take action to the extent they believe that
22 pages of legalese are unfair or deceptive based upon that jurisdictions
legal framework.

> This being compliant affects the value of the W3C Specification.
>And W3C is the venue where we talk about W3C Specifications. That's why I
>think we have a right to discuss criteria to put limitations on arbitrary
>"out-of-band" agreements and when we accept that those can compliantly
>top the 
>W3C Specification.
>
>This gives us a truckload of choices:
>
>1/ Try to really understand what Shane wants to avoid and define this to
>get 
>the Spec closer to reality

I think Shane has been pretty clear here. User consent trumps DNT.
>
>2/ Re-consider JC's solution to give DNT a meaning in a logged-in
>scenario 
>(David, I disagree that this would be too subtle)
>
>3/ require "direct interaction"
>
>4/ explore the browser-maker outrage if we start telling them they should
>show 
>us when we are logged in to something
>
>5/ Define the meaning of "logged in" for the compliance with the W3C
>Specification
>
>etc ... 
>
>If we brainstorm, there are more solutions..
>
>Best, 
>
>Rigo
>
>*My favorite example was that by buying a coffee maker you subscribed to
>receiving a pound of coffee every week for 5 years at an outrageous
>price. 
>(Court decision, Germany, 1957)
>
>On Thursday 29 March 2012 12:10:39 Alan Chapell wrote:
>> I don't think the issue is regarding 'commitment' to meaningful
>>consent. The
>> issue is whether this is the appropriate forum to set pan-world
>>standards
>> for consent. Hence, I await some clarification from our co-chairs on
>> process.
>
>

Received on Monday, 2 April 2012 13:55:44 UTC