Re: Issue:? Fingerprinting from Jeffrey Chester on 2013-10-01 (public-tracking@w3.org from October 2013)

From: Jeffrey Chester <jeff@democraticmedia.org>
Date: Tue, 1 Oct 2013 15:51:35 -0400
To: Alan Chapell <achapell@chapellassociates.com>
Cc: Mike O'Neill <michael.oneill@baycloud.com>, Justin Brookman <jbrookman@cdt.org>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>, Jeff Jaffe <jeff@w3.org>
Message-Id: <D9B0D871-2256-44AD-B5E0-A41FDC39334B@democraticmedia.org>

Thanks Alan.  This is a serious issue for W3C.  Such techniques used by Adtruth and others, esp when used under First party exemption, weakens any DNT spec.

While 41st Parameter may have historically done security, Experian is in digital targeting business, as you know.  Adtruth and others are firmly there.  

We cannot have exemption for fingerprinting due to the first party exemption.

Jeff


Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009
www.democraticmedia.org
www.digitalads.org
202-986-2220

On Oct 1, 2013, at 3:07 PM, Alan Chapell wrote:

> Thanks Mike. A few points that may be relevant to this thread.
> 
> Companies such as 41st Parameter have been around for years and help mostly with security and fraud prevention. I don't think DNT was intended to impact those areas.
> If you're going to prohibit "fingerprinting", you'll need to define it. That may prove more difficult than you'd think.
> I'll let the AdTruth / 41st Parameter folks speak for themselves, but I assume that they seem themselves as mostly a "Service Provider" under DNT.
> 41st Parameter was acquired today by Experian. (http://www.the41st.com/buzz/announcements/experian-acquire-device-identification-leader-41st-parameter). Is AdTruth now a first party in contexts where Experian is a First Party?
> Thanks!
> 
> Alan
> 
> From: Mike O'Neill <michael.oneill@baycloud.com>
> Date: Tuesday, October 1, 2013 2:57 PM
> To: 'Justin Brookman' <jbrookman@cdt.org>, 'Jeffrey Chester' <jeff@democraticmedia.org>
> Cc: <public-tracking@w3.org>
> Subject: RE: Issue:? Fingerprinting
> Resent-From: <public-tracking@w3.org>
> Resent-Date: Tue, 01 Oct 2013 18:58:32 +0000
> 
>> Justin,
>>  
>> Accurate fingerprinting does not at the moment rely on IP addresses because with IPv4 reuse and sharing is common due to the limited address space. The usual technique is to use rendered script to return more detailed information about the user-agent i.e. fonts employed etc. which tend to uniquely identify the device. This was how the EFF’s panopticlick project did it.
>>  
>> With IPv6 there is a way to do fingerprinting using the IP address which on some devices is unique (derived from the device MAC address)., but many devices now employ the IPv6 privacy extensions that create short duration random addresses and use them. Hopefully this will become the norm, I know IE defaults to that – though android does not.
>>  
>> I agree with Jeff that we need to have something in the text that rules out fingerprinting when DNT:1, like my proposal on unique identifiers (issue-199)
>>  
>> Mike
>>  
>> From: Justin Brookman [mailto:jbrookman@cdt.org] 
>> Sent: 01 October 2013 19:27
>> To: Jeffrey Chester
>> Cc: public-tracking@w3.org (public-tracking@w3.org)
>> Subject: Re: Issue:? Fingerprinting
>>  
>> I believe that digital fingerprinting is implicitly addressed in the standard, though not directly called our.  Third parties that receive a DNT:1 signal may only collect data elements that are reasonably necessary for the enumerated permitted uses.  That includes data elements that could be used to fingerprint a device.  Some companies may believe that they need to use fingerprinting-type techniques for fraud and security purposes even for DNT:1 users (though they would have to justify that under the standard).  But also keep in mind that much fingerprinting, as I understand it, is heavily dependent upon IP addresses, the use of which was envisioned for permitted uses even under the EFF/Moz/Stanford proposal.
>>  
>> However, if DNT is set at 0 or unset, the standard does not limit the use of fingerprinting, HTML5 cookies, drone surveillance, or anything else.
>>  
>> If I got any of this wrong, anyone, please feel free to correct me.
>>  
>> On Oct 1, 2013, at 1:49 PM, Jeffrey Chester <jeff@democraticmedia.org> wrote:
>> 
>> 
>> I want to clarify that included in the spec are approp. definitions that address device fingerprinting.   DNT should cover device fingerprinting and related device/cross platform identification technologies and practices.
>>  
>> Is it already incorporated in an existing issue or text?
>>  
>> Jeff
>>  
>>  
>>  
>> 
>> Jeffrey Chester
>> Center for Digital Democracy
>> 1621 Connecticut Ave, NW, Suite 550
>> Washington, DC 20009
>> www.democraticmedia.org
>> www.digitalads.org
>> 202-986-2220
>>  
>>

Received on Tuesday, 1 October 2013 19:51:58 UTC