Re: TPAC breakout session - Is user agent Fingerprinting a lost cause? from David Singer on 2012-10-25 (public-privacy@w3.org from October to December 2012)

From: David Singer <singer@apple.com>
Date: Thu, 25 Oct 2012 10:13:07 -0700
To: Robin Wilton <wilton@isoc.org>
Cc: Mike O'Neill <michael.oneill@baycloud.com>, "public-privacy@w3.org list" <public-privacy@w3.org>
Message-id: <F845DB2F-3305-4510-A671-0575DE07F39D@apple.com>
On Oct 25, 2012, at 5:33 , Robin Wilton <wilton@isoc.org> wrote:

> I think this is a good discussion… among other things, it highlights the difficulty of legislating (e.g. the EU 'Cookie' Directive) in terms that are specific to a given technical mechanism. 
> 
> As a 'level-setter': I think it's definitely important for the technically competent to understand and explain the privacy and policy implications of a given function ("expressing a DNT preference") or mechanism ("cookie", "browser fingerprint"), but when it comes to legislating, those need to be translated into something else.

I totally agree.  There was a complaint recently that technical groups are discussing policy 'too much', and certainly I think regulators discuss technology  too much.  Don't tell us how to design things, or how to manage specific technologies; tell us the principles and policies, and we'll try to apply that to all the relevant technologies.  Regulating explicitly cookies just moves the problem to fingerprints, local storage, or a host of other techniques.

> The question is, what? Some jurisdictions, such as Europe's civil law countries, prefer to express things in terms of right (so DNT becomes a question of respecting the right to a private life); some prefer an approach based on outcomes ("you shouldn't do x if the result is at odds with the user's legitimate expectations"); some prefer an approach that can be tested in the courts ("if the user can prove harm, you'll be open to a law-suit").
> 
> Nothing I've said here invalidates any of the points people have made… I just wanted to note that, IMO, trying to legislate technology by technology is going to be a never-ending game of Whack-a-Mole.

Exactly.

> Legislators need to focus on outcomes, and technologists need to be able to explain the applicability (or unsuitability!) of a given technology to achieving those outcomes.
> 
> HTH,
> Robin    
> 
> Robin Wilton
> Technical Outreach Director - Identity and Privacy
> Internet Society
> 
> email: wilton@isoc.org
> Phone: +44 705 005 2931
> Twitter: @futureidentity
> 
> 
> 
> 
> On 24 Oct 2012, at 22:17, David Singer wrote:
> 
>> 
>> On Oct 24, 2012, at 14:04 , Mike O'Neill <michael.oneill@baycloud.com> wrote:
>> 
>>> David,
>>> 
>>> I assume it should have been is "is trying to stop user-agent fingerprinting
>>> a lost cause?". 
>> 
>> Thanks.  That is a more addressable question. It's certainly a measure-counter-measure world, and ugly.  I assume, if scripts fit into the equation, we should also ask about user finger-printing (e.g. typing and pointer usage patterns unique to individuals, and so on).
>> 
>>> 
>>> I agree what you say about DNT, but I think browsers could take a more
>>> authoritarian role, and help ensure what users want in terms of privacy. If
>>> users specify a DNT preference why not enable features that inhibit
>>> fingerprinting, block 3rd party cookies etc. It would not be an endless quid
>>> pro quo because it would quickly become uneconomic for most of the bad
>>> actors to continue.
>> 
>> Yes, there is always the question of what you do with sites that don't implement DNT or are non-conformant, agreed.  The internet will never again be a place where trust is the norm. On the other hand, we can surely improve on the situation today: there is no underlying reason to continue with today's situation where honest, respectable people and honest, respectable businesses behave with hostility or distrust to each other. Reducing the problem to 'bad actors' on both sides would be a huge improvement.
>> 
>> 
>>> 
>>> Mike
>>> 
>>> -----Original Message-----
>>> From: David Singer [mailto:singer@apple.com] 
>>> Sent: 24 October 2012 19:01
>>> To: public-privacy@w3.org
>>> Subject: Re: TPAC breakout session - Is user agent Fingerprinting a lost
>>> cause?
>>> 
>>> I would like to think that fingerprinting is un-needed.  One of the reasons
>>> I like the DNT approach is that it is, ideally, consensus-based on both
>>> sides. The alternative is the mutually hostile measure-counter-measure, at
>>> the end of which, no-one wins.
>>> 
>>> Examples: 
>>> * if we block cookies, the sites find other ways to 'tag' us -- like
>>> fingerprints. So then we try to reduce the fingerprint surface. And so on.
>>> * if we block 'known trackers', probably by host address, then the sites
>>> would probably start cycling their DNS, or masquerading under the name of a
>>> legitimate non-tracking entity (e.g. the first party), and so on.
>>> 
>>> If a site wants to 'tag' me, I want it consensual and evident; cookies are
>>> much more evident than a fingerprint I cannot see.
>>> 
>>> So, reacting to the thread title:  what was the 'cause' that fingerprint was
>>> on, that might now be 'lost'?
>>> 
>>> David Singer
>>> Multimedia and Software Standards, Apple Inc.
>>> 
>>> 
>>> 
>>> 
>> 
>> David Singer
>> Multimedia and Software Standards, Apple Inc.
>> 
>> 
> 

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Thursday, 25 October 2012 17:13:51 UTC