(Issue - 21) Enable External Audit of DNT Compliance

• From: Kevin Trilli <ktrilli@truste.com>
• Date: Tue, 27 Mar 2012 13:46:25 -0700
• To: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
• Message-ID: <FC53DC86-F45B-4CD3-ADDF-8CD05549C10E@truste.com>

Our mini-team reviewed the original email and re-structured it per the list feedback.  There was still some feeling in the group that some "hook" between an external audit the TPE exist to enable for a future utilization of this status as described below.

I may not be on the call tomorrow, so Alex can explain this briefly if desired.

Also, there were some motivations to continue to define what an audit framework could look like, well-knowing this would be out of direct scope of our working group.  Lauren can explain further if she is on the call.



Issue URL: http://www.w3.org/2011/tracking-protection/track/issues/21

Contributors to this text:

Alan Chapell
Alex Deliyannis
Joanne Furtsch
Kevin Trilli
Lauren Gelman
 
Description:

Baseline compliance with DNT is handled via a public-statement in the form of a privacy policy or other means.  However, users of the DNT system may desire higher levels of trust and simplicity in the form of third party verified compliance through an audit or oversight.  The specification of such an audit program is beyond the scope of this group, but it is recommended that technical enablement be provided for to allow for mechanisms to communicate this kind of additional verification.

Ultimately, data collection and usage involves systems that exhibit certain externally observable behavior, but primarily also involves proprietary data systems that not observable (e.g., that a profile is in fact not used after a user requests an opt-out).  One such mechanism for compliance that may exist is a communication between the browser and an audit authority selected by the user through a User Agent to provide information regarding the party’s compliance with DNT.  The User Agent returns basic information regarding whether there is a privacy policy present, and if it certified by an audit authority along with verification.    

Specification:

A party MAY seek additional compliance verification with DNT through an audit authority communicating that a privacy policy is present (yes/no), and it has been certified; at minimum its in compliance with the DNT standard or in alignment with certain best practices. 

The User Agent MAY enable for a representation of this additional status in the form of an additional mechanism such as one of the following:

1.              Tracker Selection List [TSL] that enables a third party to register domains that are under oversight

2.              A mechanism to indicate “third party certified” such that the User Agent can provide additional trust indications for end users

3.              A link for users to submit a dispute to a resolution mechanism.

Examples and use cases:

User has indicated DNT:1 and wants to verify her preference is being honored.  The user can request audit information through a User Agent such as a browser plugin.  The browser communicates with an audit authority selected by the user to access basic compliance information.  Compliance information will include whether a privacy policy is present (yes/no), been certified by an audit authority (yes/no) and the name of the audit authority, and link to a verification mechanism such as a TSL list. 

            

Received on Tuesday, 27 March 2012 20:46:56 UTC