Data minimization (ISSUES-31, 199, 211, 220, 223)

Hi Justin,

My proposal was for the case when unique identifiers are used to support a permitted use. I think we should be clear that they should not be stored by third-parties when DNT:1 (unless explicit consent has been given or for a permitted use), and add a sentence to the data minimisation section saying that, if they are used, their duration should only be as long as needed for the purpose.

I now think that my proposal to change the name to "persistent identifiers" confused everybody so I have gone back to the original term.

So I propose we add another sentence to the third party compliance section to make it clear that UIDs should not be stored and add another sentence to the end of the section on Data Minimization, Retention and Transparency to say that if unique identifiers are used they should have a limited duration.

So:

If a third party receives a DNT: 1 signal, then:
1. the third party MUST NOT collect, retain, share, or use data related to the network interaction as part of which it received the DNT: 1 signal outside of the permitted uses as defined within this recommendation and any explicitly-granted exceptions provided in accordance with the requirements of this recommendation;
2. the third party MUST NOT use data gathered in another context about the user, other than with their explicit consent or for permitted uses as defined within this recommendation;
3. the third party MUST NOT store in the user-agent, or derive from data already stored in the user-agent, any unique identifiers other than with the user's explicit consent or to support permitted uses as defined within this recommendation.

4.2.1.2 Data Minimization, Retention and Transparency

Data collected by a party for permitted uses MUST be limited to the data reasonably necessary for such permitted uses. Such data MUST NOT be retained any longer than is proportionate to and reasonably necessary for such permitted uses.

A party MUST provide public transparency of the time periods for which data collected for permitted uses are retained. The party MAY enumerate different retention periods for different permitted uses. Data MUST NOT be used for a permitted use once the data retention period for that permitted use has expired. After there are no remaining permitted uses for given data, the data MUST be deleted or de-identified.

A party that collects data for a permitted use MUST make reasonable data minimization efforts to ensure that only the data necessary for the permitted use is retained, and MUST NOT rely on unique identifiers if alternative solutions are reasonably available. If unique identifiers are relied upon then their duration SHOULD be limited to the maximum necessary for such permitted use.
Definitions:

A unique identifier is an arbitrary value held in, or derived from other data in, the user agent whose purpose is to identify the user agent in subsequent transactions to a particular web domain. It may be encoded for example as the name or value attribute of an HTTP cookie, as an item in DOM storage or recorded in some way in the cache.

The duration of a unique identifier is the maximum period of time it will be retained in the user agent. This could be implemented for example using the Expires or Max-Age attributes of an HTTP cookie so that it is automatically deleted by the user agent after the specified time period is exceeded.

Browser fingerprinting is a method of tracking based on creating a unique identifier from other information either inherent in the content request or already stored in the user agent. Such an identifier may not need itself to be stored in the user-agent as it can be calculated again in subsequent transactions. It follows from this that its duration is effectively unlimited.

> -----Original Message-----
> From: Justin Brookman [mailto:jbrookman@cdt.org]
> Sent: 24 June 2014 20:44
> To: W3C DNT Working Group Mailing List
> Subject: Data minimization (ISSUES-31, 199, 211, 220, 223)
>
> Mike, can you clarify your current proposal on limiting the use of unique
> identifiers?  From the discussion last week, I believe that you wanted to prohibit
> the use of persistent identifiers when DNT:1 is turned on; however, the language
> in the wiki doesn't quite reflect that.  Instead, you define persistent identifiers,
> and then say that "If persistent identifiers are used then their duration SHOULD
> be limited to the maximum necessary for such permitted use."
>
> Also, I know that Roy objected to the definitions you used for persistent
> identifiers; not sure if those disagreements can be ironed out.
>
> Since no one has spoken up for Dan Auerbach's proposal, I will relabel that as an
> old proposal.
>
> Also, as no one has objected, I am going to mark Jack Hobaugh's proposed
> editorial suggestion (replacing "limited" with "minimized") for inclusion in the
> editors' draft.
>
>

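As an added example (not text from this thread or from the DNT specification drafts): a server-side helper that applies the proposed third-party rules above, declining to store a unique identifier under DNT:1 unless explicit consent or a permitted use applies, and bounding the identifier's duration with the cookie Max-Age attribute mentioned in the definitions. The permitted-use names and their durations are constructed for the example, and the same period is used here both as the cookie duration cap and as the server-side retention period.

```python
from typing import Dict, Optional

# Constructed per-permitted-use maximum durations in seconds. The draft text only
# says the duration SHOULD be limited to the maximum necessary for the use; these
# numbers are illustrative, not values from the specification.
PERMITTED_USE_MAX_SECONDS: Dict[str, int] = {
    "frequency-capping": 7 * 24 * 3600,
    "security": 24 * 3600,
}


def dnt_enabled(headers: Dict[str, str]) -> bool:
    """True only for an explicit 'DNT: 1' header; absent or 'DNT: 0' is not a signal."""
    value = headers.get("DNT")
    return value is not None and value.strip() == "1"


def unique_id_set_cookie(headers: Dict[str, str], uid: str, requested_max_age: int,
                         explicit_consent: bool = False,
                         permitted_use: Optional[str] = None) -> Optional[str]:
    """Build a Set-Cookie value for a unique identifier, or None if it must not be stored.

    Encodes the proposed rule 3 for third parties: with DNT:1 a unique identifier
    may be stored only with explicit consent or to support a permitted use, and in
    the permitted-use case its duration is capped at what that use requires.
    """
    if not dnt_enabled(headers):
        max_age = requested_max_age          # no DNT:1 signal; other rules still apply
    elif explicit_consent:
        max_age = requested_max_age          # explicitly-granted exception
    elif permitted_use in PERMITTED_USE_MAX_SECONDS:
        max_age = min(requested_max_age, PERMITTED_USE_MAX_SECONDS[permitted_use])
    else:
        return None                          # DNT:1, no consent, no permitted use
    # A bounded Max-Age makes the user agent delete the identifier by itself.
    return f"uid={uid}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


def retention_expired(collected_at: int, now: int, permitted_use: str) -> bool:
    """True when data collected for a permitted use has outlived its retention
    period, at which point it must be deleted or de-identified, not used further."""
    return now - collected_at > PERMITTED_USE_MAX_SECONDS[permitted_use]
```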

Received on Tuesday, 24 June 2014 21:40:27 UTC