- From: Aleecia M. McDonald <aleecia@aleecia.com>
- Date: Thu, 19 Oct 2017 14:08:36 -0700
- To: "public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org)" <public-tracking@w3.org>
> On Oct 19, 2017, at 12:48 PM, Mike O'Neill <michael.oneill@baycloud.com> wrote: > > I don't think a pass-thru will fly, because it is too easy to use the DNT header as a secret tracking cookie. We have to constrain the entropy. I think the best path is to add “thou shalt not fingerprint” in appropriate standards language. The irony of DNT possibly being used to track people is a concern, including a concern for users. We can at least be clear that we knew the possible risk and did not design the spec to be abused in that way. It’s a fig leaf, I know. But really, if someone’s going to be anti-social there is not a whole lot to be done by us. DNT has always had to assume good actors; it’s a request, not a PET. Other actors like IAB could impose requirements on their members, as they did with baring the use of LSOs for behavioral advertising. EFF’s DNT could include an FTC-actionable promise not to fingerprint based on DNT. I believe the stock phrase is there is a role for regulators here. Plus the class action lawsuits for “I used a setting for privacy and you used it to track me” nearly write themselves, especially in California and Europe, even without anyone else stepping up. So I think there *are* solutions to this threat, but they come from parties external to the WG. Aleecia
Received on Thursday, 19 October 2017 21:09:06 UTC