By EDRi

This article is also available in:
Deutsch: [ENDitorial: Letzte Chance für die Do-Not-Track-Initiative des W3C | https://www.unwatched.org/EDRigram_11.9_ENDitorial?pk_campaign=edri&pk_kwd=20130508]

As we write this the W3C DNT working group is convening in Sunnyvale,
California. This working group has been trying to come up with a
mechanism to allow users to express their preferences regarding
cross-context tracking of their web usage. This effort has been going on
since September 2011 and with little result to show for it, despite
various participants bending over backwards to meet the demands of the
advertising platforms’ apparent unlimited data hunger. The results so
far instill little-confidence that this multi-stakeholder process will
arrive to a consensus that meets an acceptable minimum standard for
privacy of users. We fear that this will result in a counter-productive
technical arms race that can only reduce the utility of the world wide
web. Contrary to what many actors in the Data Protection Regulation
legislative process think, this working group is not a good example of
working industry self-regulation.

At this stage some minimum core principles of data protection have to be
met to prevent this process from becoming a privacy farce:

1. Data minimisation
As it stands now, there is some lip-service being paid to this
principle, but on substance the current documents appear to be mostly
geared to justify as much data collection as possible. Especially the
parts about browser compliance appear to gear towards the idea that it
should be possible to provide pretexts to ignore non-consent to
tracking. Moreover, there is a worrisome tendency to confuse
pseudonymisation with anonymisation.

2. Siloisation
While we believe there are limits to data collection as a first party
(to use the standard’s vernacular), the primary problem the working
group is supposed to tackle is data collection across different
contexts. The current editor’s draft explicitly allows industry players
that both operate in a direct relationship with users as well as track
usage on behalf of other websites to correlate and cross-link such data.
This is a fundamental threat to privacy as well as enshrining the
current competitive landscape of social media in a (mostly) technical
standard. Contexts should be kept fully separate unless there is
explicit and informed consent from users for cross-correlation and
mixing of tracking data.

3. Knowing who the user deals with
For the purpose of providing informed consent it is essential for users
to know with whom they are dealing with. Right know the documents fail
to delineate the many parties that often are involved with a single web
page in way that is useful for this purpose. Another Another concept
that touches an essential part of the issue of various contexts is that
of ‘affiliate’ and the sharing of collected data with other parties.
Under EU law there is consent needed for sharing data with other parties
(meaning real third-parties, the vernacular of the drafted is
problematic here).

This is not an exhaustive list in the sense that it covers every little
detail, it is about the fundamentals. And to our understanding of the
current proposals, the fundamentals of it just aren’t sound. And that is
not a failure of the editors, it is a failure of the major web platforms
to face the reality that their business models are incompatible with
fundamental rights.

The goals of this standard should be to provide:
a) a meaningful opt-out mechanism, as well as
b) a meaningful opt-in mechanism against data collection across
different contexts.
So far we see little that satisfies either of these two goals.

This working group needs to have a drastic change of its course or to
come to a mutual agreement to disagree and not have to let this drag on
any further. There is no need to have it soil the good name of W3C any
further than it perhaps already has. It is closing time.

DNT draft standard April 2013
http://www.w3.org/TR/2013/WD-tracking-dnt-20130430/

EDRi-gram: Most Internet users would use DNT settings if easily
available (13.02.2013)
http://www.edri.org/edrigram/number11.3/most-users-will-use-do-not-track

EDRi-gram ENDitorial: The Microsoft IE10 Do Not Track “controversy” (7.11.2012)
http://www.edri.org/edrigram/number10.21/microsoft-ie10-dnt

(Contribution by Walter van Holst, invited expert to the W3C DNT WG –
EDRi member Vrijschrift – Netherlands)