RE: Issue:? Fingerprinting from Mike O'Neill on 2013-10-01 (public-tracking@w3.org from October 2013)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Tue, 1 Oct 2013 19:57:37 +0100
To: "'Justin Brookman'" <jbrookman@cdt.org>, "'Jeffrey Chester'" <jeff@democraticmedia.org>
Cc: <public-tracking@w3.org>
Message-ID: <1e0a01cebed8$19027d50$4b0777f0$@baycloud.com>

Justin, 

 

Accurate fingerprinting does not at the moment rely on IP addresses because
with IPv4 reuse and sharing is common due to the limited address space. The
usual technique is to use rendered script to return more detailed
information about the user-agent i.e. fonts employed etc. which tend to
uniquely identify the device. This was how the EFF's panopticlick project
did it.

 

With IPv6 there is a way to do fingerprinting using the IP address which on
some devices is unique (derived from the device MAC address)., but many
devices now employ the IPv6 privacy extensions that create short duration
random addresses and use them. Hopefully this will become the norm, I know
IE defaults to that - though android does not.

 

I agree with Jeff that we need to have something in the text that rules out
fingerprinting when DNT:1, like my proposal on unique identifiers
(issue-199)

 

Mike

 

From: Justin Brookman [mailto:jbrookman@cdt.org] 
Sent: 01 October 2013 19:27
To: Jeffrey Chester
Cc: public-tracking@w3.org (public-tracking@w3.org)
Subject: Re: Issue:? Fingerprinting

 

I believe that digital fingerprinting is implicitly addressed in the
standard, though not directly called our.  Third parties that receive a
DNT:1 signal may only collect data elements that are reasonably necessary
for the enumerated permitted uses.  That includes data elements that could
be used to fingerprint a device.  Some companies may believe that they need
to use fingerprinting-type techniques for fraud and security purposes even
for DNT:1 users (though they would have to justify that under the standard).
But also keep in mind that much fingerprinting, as I understand it, is
heavily dependent upon IP addresses, the use of which was envisioned for
permitted uses even under the EFF/Moz/Stanford proposal.

 

However, if DNT is set at 0 or unset, the standard does not limit the use of
fingerprinting, HTML5 cookies, drone surveillance, or anything else.

 

If I got any of this wrong, anyone, please feel free to correct me.

 

On Oct 1, 2013, at 1:49 PM, Jeffrey Chester <jeff@democraticmedia.org>
wrote:





I want to clarify that included in the spec are approp. definitions that
address device fingerprinting.   DNT should cover device fingerprinting and
related device/cross platform identification technologies and practices.

 

Is it already incorporated in an existing issue or text?

 

Jeff

 

 

 

Jeffrey Chester

Center for Digital Democracy

1621 Connecticut Ave, NW, Suite 550

Washington, DC 20009

www.democraticmedia.org <http://www.democraticmedia.org/> 

www.digitalads.org <http://www.digitalads.org/> 

202-986-2220

Received on Tuesday, 1 October 2013 18:58:31 UTC