- From: Edward W. Felten <felten@CS.Princeton.EDU>
- Date: Tue, 9 Jul 2013 17:36:17 -0400
- To: Shane Wiley <wileys@yahoo-inc.com>
- Cc: "Mike O'Neill" <michael.oneill@baycloud.com>, achapell <achapell@chapellassociates.com>, "npdoty@w3.org" <npdoty@w3.org>, "tlr@w3.org" <tlr@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, "jeff@democraticmedia.org" <jeff@democraticmedia.org>
- Message-ID: <CANZBoGiHktMpWiz0cXXBrtA-4PeDxTJRxutFFtLHUoUdM=JoSw@mail.gmail.com>
I don't see where the DAA text limits the notion of de-identification to "removing an association between a unique ID and a specific user/device." What the DAA text says is that "data" cannot be able to be associated with a user/device. On Tue, Jul 9, 2013 at 2:29 PM, Shane Wiley <wileys@yahoo-inc.com> wrote: > Mike,**** > > ** ** > > Deidentification is about removing the association between a unique ID > (any source: cookie, digital fingerprint, etc.) and the actual/specific > user/device. In this context:**** > > ** ** > > Red: actual user/device**** > > Yellow: not actual user/device but events are linkable (and only usable > for analytics/reporting)**** > > Green: not actual user/device and events are not linkable (outside the > scope of DNT)**** > > ** ** > > - Shane**** > > ** ** > > *From:* Mike O'Neill [mailto:michael.oneill@baycloud.com] > *Sent:* Sunday, June 30, 2013 3:01 PM > *To:* 'achapell'; npdoty@w3.org; tlr@w3.org > > *Cc:* public-tracking@w3.org; jeff@democraticmedia.org > *Subject:* RE: issue-199**** > > ** ** > > Alan,**** > > ** ** > > Persistent identifiers and their duration should be discussed as part of > the red/yellow/green permitted use debate. Browser fingerprinting > identifiers are qualitatively different from those stored in cookies or > localStorage because they are effectively infinite in duration, so I > thought it best to extend the defs. to make that clear. **** > > ** ** > > ** ** > > Mike**** > > ** ** > > ** ** > > *From:* achapell [mailto:achapell@chapellassociates.com<achapell@chapellassociates.com>] > > *Sent:* 30 June 2013 22:39 > *To:* michael.oneill@baycloud.com; npdoty@w3.org; tlr@w3.org > *Cc:* public-tracking@w3.org; jeff@democraticmedia.org > *Subject:* RE: issue-199**** > > ** ** > > Do we want to specify technologies here? **** > > ** ** > > ** ** > > Cheers, > > Alan Chapell > 917 318 8440**** > > > > > -------- Original message -------- > From: Mike O'Neill <michael.oneill@baycloud.com> > Date: 06/30/2013 3:33 PM (GMT-05:00) > To: Nicholas Doty <npdoty@w3.org>,tlr@w3.org > Cc: public-tracking@w3.org,jeff@democraticmedia.org > Subject: issue-199 **** > > Nick, Thomas**** > > Dr Dix’s letter reminded me that we need to have some reference to browser > fingerprinting being ruled out when DNT is set. I have amended the > definitions accordingly. **** > > Do you want me to modify the wiki?**** > > **** > > A *persistent identifier* is an arbitrary value held in, or derived from > other data in, the user agent whose purpose is to identify the user agent > in subsequent transactions to a particular web domain. It may be encoded > for example as the name or value attribute of an HTTP cookie, as an item in > localStorage or recorded in some way in the cache. **** > > The *duration* of a persistent identifier is the maximum period of time > it will be retained in the user agent. This could be implemented for > example using the Expires or Max-Age attributes of an HTTP cookie so that > it is automatically deleted by the user agent after the specified time > period is exceeded. **** > > *Browser* *fingerprinting* is a method of tracking based on creating a > persistent identifier from other information either inherent in the content > request or already stored in the user agent. Such an identifier may not > need itself to be stored in the user-agent as it can be calculated again in > subsequent transactions. It follows from this that its duration is > effectively unlimited. **** > > *Justification.***** > > *With the duration definition, restrictions on permitted uses could then > be made that limit the duration of persistent identifiers.* *Because* *browser > fingerprinting* *cannot be given a finite duration this tracking method > should not be used when DNT is set even if it is for a permitted use.* *In > reality browser fingerprinting solely based on examining initial content > requests is usually not an effective tracking method because the > combination of IP addresses and other headers are not sufficiently user > specific, but we should rule out at least the more complex form when DNT is > set.***** > > Mike**** > -- Edward W. Felten Professor of Computer Science and Public Affairs Director, Center for Information Technology Policy Princeton University 609-258-5906 http://www.cs.princeton.edu/~felten
Received on Tuesday, 9 July 2013 21:37:03 UTC