
ENDitorial: Last Call for the W3C Do Not Track process

8 May, 2013


As we write this, the W3C DNT working group is convening in Sunnyvale, California. This working group has been trying to come up with a mechanism to allow users to express their preferences regarding cross-context tracking of their web usage. This effort has been going on since September 2011 with little result to show for it, despite various participants bending over backwards to meet the demands of the advertising platforms' apparently unlimited data hunger. The results so far instill little confidence that this multi-stakeholder process will arrive at a consensus that meets an acceptable minimum standard for the privacy of users. We fear that this will result in a counter-productive technical arms race that can only reduce the utility of the World Wide Web. Contrary to what many actors in the Data Protection Regulation legislative process think, this working group is not a good example of working industry self-regulation.

At this stage some minimum core principles of data protection have to be met to prevent this process from becoming a privacy farce:

1. Data minimisation
As it stands now, some lip service is being paid to this principle, but in substance the current documents appear to be mostly geared towards justifying as much data collection as possible. The parts about browser compliance in particular appear geared towards the idea that it should be possible to provide pretexts to ignore non-consent to tracking. Moreover, there is a worrisome tendency to confuse pseudonymisation with anonymisation.

2. Siloisation
While we believe there are limits to data collection as a first party (to use the standard's vernacular), the primary problem the working group is supposed to tackle is data collection across different contexts. The current editor's draft explicitly allows industry players that both operate in a direct relationship with users and track usage on behalf of other websites to correlate and cross-link such data. This is a fundamental threat to privacy, and it enshrines the current competitive landscape of social media in a (mostly) technical standard. Contexts should be kept fully separate unless there is explicit and informed consent from users for cross-correlation and mixing of tracking data.

3. Knowing who the user deals with
For the purpose of providing informed consent, it is essential for users to know with whom they are dealing. Right now the documents fail to delineate the many parties that are often involved with a single web page in a way that is useful for this purpose. Another concept that touches an essential part of the issue of various contexts is that of 'affiliate' and the sharing of collected data with other parties. Under EU law, consent is needed for sharing data with other parties (meaning real third parties; the vernacular of the draft is problematic here).

This is not an exhaustive list in the sense that it covers every little detail; it is about the fundamentals. And to our understanding of the current proposals, the fundamentals just aren't sound. That is not a failure of the editors; it is a failure of the major web platforms to face the reality that their business models are incompatible with fundamental rights.

The goals of this standard should be to provide:
a) a meaningful opt-out mechanism, as well as
b) a meaningful opt-in mechanism against data collection across different contexts.
So far we see little that satisfies either of these two goals.

This working group needs a drastic change of course, or it needs to come to a mutual agreement to disagree and not let this drag on any further. There is no need to have it soil the good name of W3C any further than it perhaps already has. It is closing time.

DNT draft standard April 2013
http://www.w3.org/TR/2013/WD-tracking-dnt-20130430/

EDRi-gram: Most Internet users would use DNT settings if easily available (13.02.2013)
http://www.edri.org/edrigram/number11.3/most-users-will-use-do-not-tra...

EDRi-gram ENDitorial: The Microsoft IE10 Do Not Track “controversy” (7.11.2012)
http://www.edri.org/edrigram/number10.21/microsoft-ie10-dnt

(Contribution by Walter van Holst, invited expert to the W3C DNT WG - EDRi member Vrijschrift - Netherlands)

 


With financial support from the EU's Fundamental Rights and Citizenship Programme.