Here is some additional text to underline that there should be no browser fingerprinting when DNT:1. I have slightly improved the definitions, added unique back to the persistent identifier definition to make it clearer and more consistent to how the term is used elsewhere in the spec. There is now a new line item 3 below the Third Party Compliance paragraph (non-permitted uses) that requires no unique ids or fingerprinting when DNT:1. A persistent unique identifier is an arbitrary value held in, or derived from other data in, the user agent whose purpose is to identify the user agent in subsequent transactions to a particular web domain. It may be encoded for example as the name or value attribute of an HTTP cookie, as an item in localStorage or recorded in some way in the cache. The duration of a persistent unique identifier is the maximum period of time it will be retained in the user agent. This could be specified for example using the Expires or Max-Age attributes of an HTTP cookie so that it is automatically deleted by the user agent after the specified time period is exceeded. Browser fingerprinting is a method of tracking individuals based on creating a persistent identifier from a set of other device specific information, either inherent in a content request or stored within the user-agent and accessed by executing rendered script. Such an identifier may not itself need to be stored in the user-agent as it can be calculated again in subsequent transactions, and so can have an arbitrarily long duration. Third Party Compliance. 3 . the third party MUST NOT create or use persistent unique identifiers, either directly or derived using browser fingerprinting methods, for the purpose of collecting further information from this user or device.
Received on Wednesday, 2 October 2013 12:44:07 UTC