RE: ACTION-286: Propose DAA text regarding de-identification (for unlinkability discussion)

Ed and Chris,

Is this discussion any materially different than the one we had around the language I submitted as part of the industry proposal?  The language and approach are fairly similar between the two - and the resulting disagreement and discussion appear to be as well.  Are we retreading old ground here?

- Shane

From: Chris Mejia [mailto:chris.mejia@iab.net]
Sent: Thursday, November 15, 2012 12:07 PM
To: Ed Felten
Cc: Rachel Thomas; public-tracking@w3.org; Louis Mastria; David Wainberg (david@networkadvertising.org); Mike Zaneis; mgroman@networkadvertising.org; Brendan Riordan-Butterworth
Subject: Re: ACTION-286: Propose DAA text regarding de-identification (for unlinkability discussion)

Personally identifiable information (PII) is information, from/about an individual, that can be used to uniquely identify that particular individual.  In my reply below, my use of "PII" was perhaps a bit too casual, I agree - sorry for any confusion.

But I still don't see the contradiction.  You can attribute a unique set of data to a person/device, then disassociate it from that person/device (one-way hash).  Before the disassociation, the unique person/device is tied to the data collected against her/it, using a unique identifier to mark the person/device.  When you hash that unique ID, you effectively break the link and anonymize the data that is associated with the individual/device - which must be done in a way that cannot be reasonably reversed.  The anonymous data still exists, but you can no longer use it to identify the unique person/device to which it was originally attributed.

Perhaps a productive path forward here would be for you to offer your suggested edits to the proposed text?  That way we can see quite clearly what you would change to avoid the contradiction you have asserted.



Chris Mejia | Digital Supply Chain Solutions | Ad Technology Group | Interactive Advertising Bureau - IAB



From: Ed Felten <ed@felten.com>
Date: Thursday, November 15, 2012 11:47 AM
To: Chris Mejia - IAB <chris.mejia@iab.net>
Cc: Rachel Thomas - DMA <RThomas@the-dma.org>, W3C DNT Working Group Mailing List <public-tracking@w3.org>, Lou Mastria - DAA <lou@aboutads.info>, David Wainberg - NAI <david@networkadvertising.org>, Mike Zaneis - IAB <mike@iab.net>, Marc Groman-NAI <mgroman@networkadvertising.org>, Brendan Riordan-Butterworth - IAB <brendan@iab.net>
Subject: Re: ACTION-286: Propose DAA text regarding de-identification (for unlinkability discussion)

There's still a contradiction here.   In order to maintain a profile over time, you have to recognize over time that all of the accesses in the profile are coming from the same user or device.   That would seem to require that you can tell that user or device apart from all other users or devices over time.

Rachel's definition doesn't talk about whether you can link to PII.   It talks about whether you can link to a specific person or device--which you can do without knowing any PII.

On Thu, Nov 15, 2012 at 12:15 PM, Chris Mejia <chris.mejia@iab.net> wrote:
Hi Ed,

I believe the demarcation here is with respect to PII and getting back to the specific person/device.  Per the DAA language Rachel has provided (cut-and-pasted from the DAA self-regulatory document) to this working group, a unique profile may be maintained so long as it cannot reasonably be re-associated or connected to an INDIVIDUAL and/or a PARTICULAR computer or device.  This is done through one-way hashing.  In other words, this unique profile can still exist, but it cannot be connected to a specific person/device.



Chris Mejia | Digital Supply Chain Solutions | Ad Technology Group | Interactive Advertising Bureau - IAB



From: Ed Felten <ed@felten.com>
Date: Thursday, November 15, 2012 8:45 AM
To: Rachel Thomas - DMA <RThomas@the-dma.org>
Cc: W3C DNT Working Group Mailing List <public-tracking@w3.org>, Lou Mastria - DAA <lou@aboutads.info>, Chris Mejia - IAB <chris.mejia@iab.net>, David Wainberg - NAI <david@networkadvertising.org>, Mike Zaneis - IAB <mike@iab.net>, Marc Groman-NAI <mgroman@networkadvertising.org>, Brendan Riordan-Butterworth - IAB <brendan@iab.net>
Subject: Re: ACTION-286: Propose DAA text regarding de-identification (for unlinkability discussion)

There is a contradiction between this definition and the interpretation that you put on it.  The definition requires that the data "cannot reasonably be reassociated or connected to an individual..."   But the interpretation that is offered would allow situations where the data is used "to recognize ... specific visitors to Web sites".   That's a contradiction--if you use a data item to recognize a specific visitor, then you are reassociating and connecting that data to that specific visitor.


On Thu, Nov 15, 2012 at 10:07 AM, Rachel Thomas <RThomas@the-dma.org> wrote:
As I promised Aleecia during yesterday's TPWG call, I am submitting the Digital Advertising Alliance (DAA) definition of "de-identification" to fulfill Action 286 <https://www.w3.org/2011/tracking-protection/track/actions/286> in advance of the deadline this Friday.

The DAA definition is as follows:


"De-Identification Process: Data has been De-Identified when an entity has taken reasonable steps to ensure that the data cannot reasonably be re-associated or connected to an individual or connected to or be associated with a particular computer or device. An entity should take reasonable steps to protect the non-identifiable nature of data if it is distributed to non-Affiliates and obtain satisfactory written assurance that such entities will not attempt to reconstruct the data in a way such that an individual may be re-identified and will use or disclose the de-identified data only for uses as specified by the entity. An entity should also take reasonable steps to ensure that any non-Affiliate that receives de-identified data will itself ensure that any further non-Affiliate entities to which such data is disclosed agree to restrictions and conditions set forth in this [definition]."



It is worth noting that this approach to de-identifying data is modeled on the Federal Trade Commission (FTC) approach to masking online identifiers to protect children under the Children's Online Privacy Protection Act (COPPA). For example, the FTC states in question #45 of its COPPA FAQ <http://www.ftc.gov/privacy/coppafaqs.shtm> that Web sites that "hash" or otherwise alter children's email addresses when collecting them to be stored and used to create a password reminder system are not deemed to be collecting and using personal information and, therefore, do not trigger COPPA's parental consent requirement. (Hashing being a one-way, irreversible process that protects the original data but permits ongoing indexing of the hashed values on an anonymous or de-identified basis). The rule that emerges from this is that it suffices for purposes of protecting privacy if identifiers are altered after they are collected such that they cannot be reconstructed into their original form in the ordinary course of business but the altered form remains available to be used by Web sites to recognize and distinguish among specific visitors to Web sites.



Thanks, and best,

Rachel

Rachel Nyswander Thomas
Vice President, Government Affairs
Direct Marketing Association
(202) 861-2443 office
(202) 560-2335 cell
rthomas@the-dma.org

Received on Thursday, 15 November 2012 20:31:14 UTC
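
Added example, not part of any message in this thread: a Python sketch of the technical point under dispute, using constructed cookie IDs and URLs (all names here are assumptions). It shows that a deterministic one-way hash of a unique ID removes the raw ID from storage yet still groups every event from one device into a single profile and lets a returning device be matched to it, whereas a fresh random token per event does not.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed sample events: (raw device/cookie ID, page visited). Not real data.
EVENTS = [
    ("cookie-7f3a", "news.example/politics"),
    ("cookie-19bc", "shop.example/shoes"),
    ("cookie-7f3a", "health.example/clinic-finder"),
    ("cookie-7f3a", "shop.example/baby-gear"),
    ("cookie-19bc", "news.example/sports"),
]


def hashed_id(raw_id: str) -> str:
    """One-way hash of the unique identifier, as described in the thread."""
    return hashlib.sha256(raw_id.encode()).hexdigest()


def random_token(_raw_id: str) -> str:
    """Contrast case: a fresh random label per event, unrelated to the ID."""
    return secrets.token_hex(16)


def build_profiles(events, pseudonymize):
    """Group events under whatever pseudonym the given function assigns."""
    profiles = defaultdict(list)
    for raw_id, url in events:
        profiles[pseudonymize(raw_id)].append(url)
    return dict(profiles)


def recognize(profiles, raw_id_seen_now: str):
    """Return the stored profile for a device that shows up again, if any."""
    return profiles.get(hashed_id(raw_id_seen_now))


if __name__ == "__main__":
    hashed = build_profiles(EVENTS, hashed_id)
    unlinked = build_profiles(EVENTS, random_token)
    # The raw ID is gone from the hashed store, but the grouping survives.
    print("profiles keyed by hash:", len(hashed))
    print("records keyed by per-event token:", len(unlinked))
    print("returning device matches:", recognize(hashed, "cookie-7f3a"))
```
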