Re: TPAC breakout session - Is user agent Fingerprinting a lost cause? from Robin Wilton on 2012-10-25 (public-privacy@w3.org from October to December 2012)

From: Robin Wilton <wilton@isoc.org>
Date: Thu, 25 Oct 2012 13:33:03 +0100
To: David Singer <singer@apple.com>
Cc: Mike O'Neill <michael.oneill@baycloud.com>, public-privacy@w3.org
Message-Id: <42AD36C6-16D2-49D1-A0C8-CF293AA0FEE9@isoc.org>

I think this is a good discussion… among other things, it highlights the difficulty of legislating (e.g. the EU 'Cookie' Directive) in terms that are specific to a given technical mechanism. 

As a 'level-setter': I think it's definitely important for the technically competent to understand and explain the privacy and policy implications of a given function ("expressing a DNT preference") or mechanism ("cookie", "browser fingerprint"), but when it comes to legislating, those need to be translated into something else. The question is, what? Some jurisdictions, such as Europe's civil law countries, prefer to express things in terms of right (so DNT becomes a question of respecting the right to a private life); some prefer an approach based on outcomes ("you shouldn't do x if the result is at odds with the user's legitimate expectations"); some prefer an approach that can be tested in the courts ("if the user can prove harm, you'll be open to a law-suit").

Nothing I've said here invalidates any of the points people have made… I just wanted to note that, IMO, trying to legislate technology by technology is going to be a never-ending game of Whack-a-Mole. Legislators need to focus on outcomes, and technologists need to be able to explain the applicability (or unsuitability!) of a given technology to achieving those outcomes.

HTH,
Robin    

Robin Wilton
Technical Outreach Director - Identity and Privacy
Internet Society

email: wilton@isoc.org
Phone: +44 705 005 2931
Twitter: @futureidentity

On 24 Oct 2012, at 22:17, David Singer wrote:

> 
> On Oct 24, 2012, at 14:04 , Mike O'Neill <michael.oneill@baycloud.com> wrote:
> 
>> David,
>> 
>> I assume it should have been is "is trying to stop user-agent fingerprinting
>> a lost cause?". 
> 
> Thanks.  That is a more addressable question. It's certainly a measure-counter-measure world, and ugly.  I assume, if scripts fit into the equation, we should also ask about user finger-printing (e.g. typing and pointer usage patterns unique to individuals, and so on).
> 
>> 
>> I agree what you say about DNT, but I think browsers could take a more
>> authoritarian role, and help ensure what users want in terms of privacy. If
>> users specify a DNT preference why not enable features that inhibit
>> fingerprinting, block 3rd party cookies etc. It would not be an endless quid
>> pro quo because it would quickly become uneconomic for most of the bad
>> actors to continue.
> 
> Yes, there is always the question of what you do with sites that don't implement DNT or are non-conformant, agreed.  The internet will never again be a place where trust is the norm. On the other hand, we can surely improve on the situation today: there is no underlying reason to continue with today's situation where honest, respectable people and honest, respectable businesses behave with hostility or distrust to each other. Reducing the problem to 'bad actors' on both sides would be a huge improvement.
> 
> 
>> 
>> Mike
>> 
>> -----Original Message-----
>> From: David Singer [mailto:singer@apple.com] 
>> Sent: 24 October 2012 19:01
>> To: public-privacy@w3.org
>> Subject: Re: TPAC breakout session - Is user agent Fingerprinting a lost
>> cause?
>> 
>> I would like to think that fingerprinting is un-needed.  One of the reasons
>> I like the DNT approach is that it is, ideally, consensus-based on both
>> sides. The alternative is the mutually hostile measure-counter-measure, at
>> the end of which, no-one wins.
>> 
>> Examples: 
>> * if we block cookies, the sites find other ways to 'tag' us -- like
>> fingerprints. So then we try to reduce the fingerprint surface. And so on.
>> * if we block 'known trackers', probably by host address, then the sites
>> would probably start cycling their DNS, or masquerading under the name of a
>> legitimate non-tracking entity (e.g. the first party), and so on.
>> 
>> If a site wants to 'tag' me, I want it consensual and evident; cookies are
>> much more evident than a fingerprint I cannot see.
>> 
>> So, reacting to the thread title:  what was the 'cause' that fingerprint was
>> on, that might now be 'lost'?
>> 
>> David Singer
>> Multimedia and Software Standards, Apple Inc.
>> 
>> 
>> 
>> 
> 
> David Singer
> Multimedia and Software Standards, Apple Inc.
> 
>

Attachments

application/pkcs7-signature attachment: smime.p7s

Received on Thursday, 25 October 2012 12:34:36 UTC