Re: ACTION-286: Propose DAA text regarding de-identification (for unlinkability discussion) from Rob van Eijk on 2012-11-15 (public-tracking@w3.org from November 2012)

From: Rob van Eijk <rob@blaeu.com>
Date: Thu, 15 Nov 2012 21:01:43 +0100
To: <public-tracking@w3.org>
Message-ID: <7d10a22e963c463c3ef7d2f6a159c825@xs4all.nl>
Rachel, could you please enlighten us how irreversibility plays a role 
(if any) in the E-daa approach to making data unlinkable through 
hashing?

Rob

Ed Felten schreef op 2012-11-15 19:47:
> There's still a contradiction here.   In order to maintain a profile
> over time, you have to recognize over time that all of the accesses 
> in
> the profile are coming from the same user or device.   That would
> seem to require that you can tell that user or device apart from all
> other users or devices over time.  
>
> Rachel's definition doesn't talk about whether you can link to PII.  
> It talks about whether you can link to a specific person or
> device--which you can do without knowing any PII.   
>
> On Thu, Nov 15, 2012 at 12:15 PM, Chris Mejia <chris.mejia@iab.net
> [16]> wrote:
>
>> Hi Ed,
>>
>> I believe the demarkation here is with respect to PII and getting
>> back to the specific person/device.  Per the DAA language Rachel
>> has provided (cut-and-pasted from the DAA self-regulatory document)
>> to this working group, a unique profile may be maintained so long as
>> it cannot reasonably be re-associated or connected to an INDIVIDUAL
>> and/or a PARTICULAR computer or device.  This is done through
>> one-way hashing.  In other words, this unique profile can still
>> exist, but it cannot be connected to a specific person/device.
>>
>> Chris Mejia | Digital Supply Chain Solutions | Ad Technology Group
>> | Interactive Advertising Bureau - IAB
>>
>> From: Ed Felten <ed@felten.com [6]>
>> Date: Thursday, November 15, 2012 8:45 AM
>> To: Rachel Thomas - DMA <RThomas@the-dma.org [7]>
>> Cc: W3C DNT Working Group Mailing List <public-tracking@w3.org
>> [8]>, Lou Mastria - DAA <lou@aboutads.info [9]>, Chris Mejia - IAB
>> <chris.mejia@iab.net [10]>, David Wainberg - NAI
>> <david@networkadvertising.org [11]>, Mike Zaneis - IAB <mike@iab.net
>> [12]>, Marc Groman-NAI <mgroman@networkadvertising.org [13]>,
>> Brendan Riordan-Butterworth - IAB <brendan@iab.net [14]>
>> Subject: Re: ACTION-286: Propose DAA text regarding
>> de-identification (for unlinkability discussion)
>>
>> There is a contradiction between this definition and the
>> interpretation that you put on it.  The definition requires that
>> the data "cannot reasonably be reassociated or connected to an
>> individual..."   But the interpretation that is offered would allow
>> situations where the data is used "to recognize ... specific
>> visitors to Web sites".   That's a contradiction--if you use a data
>> item to recognize a specific visitor, then you are reassociating and
>> connecting that data to that specific visitor.
>>
>> On Thu, Nov 15, 2012 at 10:07 AM, Rachel Thomas <RThomas@the-dma.org
>> [15]> wrote:
>>
>>> As I promised Aleecia during yesterday’s TPWG call, I am
>>> submitting the Digital Advertising Alliance (DAA) definition of
>>> “de-identification” to fulfill Action 286 [1] in advance of
>>> the deadline this Friday. 
>>>
>>>  
>>>
>>> The DAA definition is as follows:
>>>
>>>  
>>>
>>> “DE-IDENTIFICATION PROCESS: Data has been De-Identified when an
>>> entity has taken reasonable steps to ensure that the data cannot
>>> reasonably be re-associated or connected to an individual or
>>> connected to or be associated with a particular computer or
>>> device. An entity should take reasonable steps to protect the
>>> non-identifiable nature of data if it is distributed to
>>> non-Affiliates and obtain satisfactory written assurance that such
>>> entities will not attempt to reconstruct the data in a way such
>>> that an individual may be re-identified and will use or disclose
>>> the de-identified data only for uses as specified by the entity.
>>> An entity should also take reasonable steps to ensure that any
>>> non-Affiliate that receives de-identified data will itself ensure
>>> that any further non-Affiliate entities to which such data is
>>> disclosed agree to restrictions and conditions set forth in this
>>> [definition].”
>>>
>>>  
>>>
>>> It is worth noting that this approach to de-identifying data is
>>> modeled on the Federal Trade Commission (FTC) approach to masking
>>> online identifiers to protect children under the Children’s
>>> Online Privacy Protection Act  (COPPA). For example, the FTC
>>> states in question #45 of its COPPA FAQ [2] that Web sites that
>>> “hash” or otherwise alter children’s email addresses when
>>> collecting them to be stored and used to create a password
>>> reminder system are not deemed to be collecting and using personal
>>> information and, therefore, do not trigger COPPA’s parental
>>> consent requirement. (Hashing being a one-way, irreversible
>>> process that protects the original data but permits ongoing
>>> indexing of the hashed values on an anonymous or de-identified
>>> basis). The rule that emerges from this is that it suffices for
>>> purposes of protecting privacy if identifiers are altered after
>>> they are collected such that they cannot be reconstructed into
>>> their original form in the ordinary course of  business but the
>>> altered form remains available to be used by Web sites to
>>> recognize and distinguish among specific visitors to Web sites.
>>>
>>>  
>>>
>>> Thanks, and best,
>>>
>>> Rachel
Received on Thursday, 15 November 2012 20:02:13 UTC