- From: Rob van Eijk <rob@blaeu.com>
- Date: Tue, 09 Jul 2013 13:33:01 +0200
- To: David Singer <singer@apple.com>
- Cc: "public-tracking@w3.org WG" <public-tracking@w3.org>
>>> well, the fingerprint is used as a key to some data storageā¦ >> What if it isn't? What if a website collects a fingerprint and then >> discards it? Surely that should still be prohibited. > > So, during the transaction, the server calculates a fingerprint > that's plausibly unique to the user, and then when the transaction is > complete, it discards the fingerprint. It can't now have anything > retained that's keyed to that fingerprint, and it can't know if the > same user visits again (fingerprint match). I don't see the point, > but I don't see a problem. Fingerprints do in may cases end up in data sets as matching identifiers. Even if a fingerprint is discarded, it can facilitate the linking of new data to already collected data. Therefore, fingerprinting is important to address when DNT:1. DNT:1 must cover fingerprinting based tracking equal to cookie based tracking. David Singer schreef op 2013-07-09 13:05: > On Jul 8, 2013, at 20:46 , Jonathan Mayer <jmayer@stanford.edu> wrote: > >>> that could usefully be made clear (that storing information in a >>> cookie that later should come back to you is still 'retaining'. >> I'd prefer to focus on privacy properties, not particular technical >> implementations. My concern is not the use of browser storage. It's >> the information flow from the browser to the website. > > Sure, my focus is on what information is retained in the sense it is > usable by the site(s) after the transaction is over. Where it is > (local, cloud, client, service provider, etc.) are irrelevant. > >>>> (And what about fingerprinting, where there is no client-side >>>> information stored?) >>> >>> well, the fingerprint is used as a key to some data storageā¦ >> What if it isn't? What if a website collects a fingerprint and then >> discards it? Surely that should still be prohibited. > > So, during the transaction, the server calculates a fingerprint > that's plausibly unique to the user, and then when the transaction is > complete, it discards the fingerprint. It can't now have anything > retained that's keyed to that fingerprint, and it can't know if the > same user visits again (fingerprint match). I don't see the point, > but I don't see a problem. > >>>> >>>> At any rate, I'm inclined to hold this (constructive!) conversation >>>> until we decide a) to have a definition of "tracking" and b) to make >>>> that definition normative. >>> >>> The june document has such, so we should make sure it's watertight. >>> that's why I am pressing for specifics. yes, it's helpful. >> The June draft definition is de jure normative, but de facto >> non-normative since it isn't used anywhere. > > Indeed, I have CPs to make it used. It's used by implication but not > by the text. > > David Singer > Multimedia and Software Standards, Apple Inc.
Received on Tuesday, 9 July 2013 11:33:33 UTC