Re: Rethinking KeyStorage from Seetharama Rao Durbha on 2012-11-08 (public-webcrypto@w3.org from November 2012)

From: Seetharama Rao Durbha <S.Durbha@cablelabs.com>
Date: Wed, 7 Nov 2012 17:10:16 -0700
To: Ryan Sleevi <sleevi@google.com>, Mark Watson <watsonm@netflix.com>
CC: David Dahl <ddahl@mozilla.com>, public-webcrypto <public-webcrypto@w3.org>, Arun Ranganathan <arun@mozilla.com>, Harry Halpin <hhalpin@w3.org>, "public-privacy@w3.org" <public-privacy@w3.org>, "runnegar@isoc.org" <runnegar@isoc.org>
Message-ID: <CCC04379.79F1%s.durbha@cablelabs.com>

On 11/7/12 4:43 PM, "Ryan Sleevi" <sleevi@google.com<mailto:sleevi@google.com>> wrote:


I appreciate you pointing out that "pre-provisioned device key" is
effectively identical (regarding security and tracking concerns) to a
"device serial number", since it may help participants better
understand the real privacy risks being proposed here.

[1] http://www.theverge.com/2012/3/25/2900787/apple-rejects-UDID-apps
[2] http://www.businessinsider.com/everything-we-know-about-ifa-and-tracking-in-apples-ios-6-2012-10

I think a certain perspective is being lost here.
Firstly, device finger-printing is already being used - by third-party cookies that users do not even know about, and by DRM clients that necessarily have to finger-print the device (flash cookies !!), among others. So, I do not understand why there is so much talk about privacy – particularly when the requirement is that the user grant permission to use that key. Mark is right – it is a user's choice. It is a necessary information for the service to be provided.

Mark is also right that privacy is a business issue, not a technology issue.

Received on Thursday, 8 November 2012 00:11:03 UTC