Re: My thoughts on permitted uses from Justin Brookman on 2013-05-08 (public-tracking@w3.org from May 2013)

From: Justin Brookman <jbrookman@cdt.org>
Date: Wed, 08 May 2013 13:25:48 -0400
To: public-tracking@w3.org
Message-ID: <20130508172548.d77ff308@mail.maclaboratory.net>

OK, I've had a couple more conversations with folks that require a revision to my view on market research, but nothing that is intractable, I think.  Lots of people want to be able count unique ad impressions around the web, but they don't care where those ads show up.  I think this could be accomplished with double-keyed cookies or limited retention or a hash of a content-specific ID, but I think this is solvable, as no one needs information about where a user went around the web.
  _____  

From: Justin Brookman [mailto:jbrookman@cdt.org]
To: public-tracking@w3.org
Sent: Wed, 08 May 2013 13:04:29 -0500
Subject: My thoughts on permitted uses

I don't have anyone else on this proposal, but several people have told me confidentially that I am not crazy.

Setting aside the UI/UA issues for now.  

Market research:  Many people I have spoken with have told me that calibration of DNT:1 users does not need to look at cross-site interactions; it just wants to count unique visitors.  If this is true, I do not think we need a separate permitted use.  I would be willing to revise the first party/service provider language to make clear that first-party cookies can be used for market research/unique counting.

De-identification:  Use the existing DAA definition which I think it quite strong.  I would like to add examples that show that simply providing one person in your organization the key to your hashes is insufficient.  I think the key would have to be that it would be an "undue burden" to your company to deidentify (and sotto voce that you wouldn't deidentify it for law enforcement and no one person in your organization could de-identifiy it).  If you're using hashes, you would have to rotate your hashes on a regular basis --- the minimum time period would be determined by the short-term data retention permitted use.  If short-term retention period is 30 days, you would need to throw away your hashing keys within 30 days.

Product improvement/modeling:  No separate permitted use, but de-identified and short term data could obviously be used for this.

Received on Wednesday, 8 May 2013 17:26:16 UTC