Re: links: DNT, FTC and google, Creepy geoloc app from Bjoern Hoehrmann on 2011-04-15 (public-privacy@w3.org from April to June 2011)

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sat, 16 Apr 2011 00:25:00 +0200
To: Karl Dubost <karld@opera.com>
Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <7edhq6lfqcpeg3fuf4pvdu0peerbf94fpn@hive.bjoern.hoehrmann.de>

* Karl Dubost wrote:
>In Advertisers and Publishers Adopt and Implement Do Not Track ??| The Mozilla Blog
>At http://blog.mozilla.com/blog/2011/03/30/advertisers-and-publishers-adopt-and-implement-do-not-track/
>
>The Associated Press (AP) is the first company to deploy DNT on a large
>scale, and it only took a few hours for one engineer to implement. The
>AP News Registry tracks 1 billion impressions of news content, with 175
>million unique visitors per month, and has membership with more than 800
>sites. When consumers send a DNT preference via the browser while
>viewing a story at one of its publisher’s sites, the AP News Registry no
>longer sets any cookies. 

Which goes on to say:

  When consumers send a DNT preference via the browser while viewing a
  story at one of its publisher’s sites, the AP News Registry no longer
  sets any cookies. The previous solution was for users to opt-out via a
  link to a central opt-out page referenced in each participating news
  site’s privacy policy. They still count the total number of
  impressions for each news story, but aggregate consumer data for those
  with DNT in a non-identifiable way.

If I were to implement "DNT" and also wanted to derive information about
"impressions", my first problem would be how to prevent one user from
generating many impressions (like when the browser is set to reload the
page automatically, or when someone deliberately reloads a page to boost
impression counts); and doing that would seem to require gathering and
keeping (at least for a while) information that can also be used to
track users.

Without a specification that said, for instance, "Logging IP addresses
for longer than 7 days, or deriving information from them that results
in groups of users smaller than 5% of the country the user probably
lives in, then you do not implement 'DNT'", there is some risk that the
header is regarded as just "do not set cookie" with anything beyond that
being fair game, which would make very little difference in practise.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

Received on Friday, 15 April 2011 22:25:29 UTC