Re: June Change Proposal: Definition of Tracking (ISSUE-5)

On Jul 9, 2013, at 12:33 , Rob van Eijk <rob@blaeu.com> wrote:

> 
>>>> well, the fingerprint is used as a key to some data storage…
>>> What if it isn't?  What if a website collects a fingerprint and then discards it?  Surely that should still be prohibited.
>> So, during the transaction, the server calculates a fingerprint
>> that's plausibly unique to the user, and then when the transaction is
>> complete, it discards the fingerprint.  It can't now have anything
>> retained that's keyed to that fingerprint, and it can't know if the
>> same user visits again (fingerprint match).  I don't see the point,
>> but I don't see a problem.
> 
> 
> Fingerprints do in may cases end up in data sets as matching identifiers.

Then data is being retained.

> 
> Even if a fingerprint is discarded, it can facilitate the linking of new data to already collected data.

how?  if I discard the fingerprint (it's not recorded anywhere)…

> Therefore, fingerprinting is important to address when DNT:1.
> 
> DNT:1 must cover fingerprinting based tracking equal to cookie based tracking.

DNT should cover *tracking*, and we might have comments or notes on what constitutes tracking, retention, etc., but I think it very dangerous to talk of specific technologies in the normative text.

> 
> 
> David Singer schreef op 2013-07-09 13:05:
>> On Jul 8, 2013, at 20:46 , Jonathan Mayer <jmayer@stanford.edu> wrote:
>>>> that could usefully be made clear (that storing information in a cookie that later should come back to you is still 'retaining'.
>>> I'd prefer to focus on privacy properties, not particular technical implementations.  My concern is not the use of browser storage.  It's the information flow from the browser to the website.
>> Sure, my focus is on what information is retained in the sense it is
>> usable by the site(s) after the transaction is over.  Where it is
>> (local, cloud, client, service provider, etc.) are irrelevant.
>>>>> (And what about fingerprinting, where there is no client-side information stored?)
>>>> well, the fingerprint is used as a key to some data storage…
>>> What if it isn't?  What if a website collects a fingerprint and then discards it?  Surely that should still be prohibited.
>> So, during the transaction, the server calculates a fingerprint
>> that's plausibly unique to the user, and then when the transaction is
>> complete, it discards the fingerprint.  It can't now have anything
>> retained that's keyed to that fingerprint, and it can't know if the
>> same user visits again (fingerprint match).  I don't see the point,
>> but I don't see a problem.
>>>>> At any rate, I'm inclined to hold this (constructive!) conversation until we decide a) to have a definition of "tracking" and b) to make that definition normative.
>>>> The june document has such, so we should make sure it's watertight. that's why I am pressing for specifics. yes, it's helpful.
>>> The June draft definition is de jure normative, but de facto non-normative since it isn't used anywhere.
>> Indeed, I have CPs to make it used.  It's used by implication but not
>> by the text.
>> David Singer
>> Multimedia and Software Standards, Apple Inc.

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Tuesday, 9 July 2013 12:04:36 UTC