- From: Rob van Eijk <rob@blaeu.com>
- Date: Thu, 15 Nov 2012 21:01:43 +0100
- To: <public-tracking@w3.org>
Rachel, could you please enlighten us how irreversibility plays a role (if any) in the E-daa approach to making data unlinkable through hashing?

Rob

Ed Felten wrote on 2012-11-15 19:47:
> There's still a contradiction here. In order to maintain a profile
> over time, you have to recognize over time that all of the accesses in
> the profile are coming from the same user or device. That would
> seem to require that you can tell that user or device apart from all
> other users or devices over time.
>
> Rachel's definition doesn't talk about whether you can link to PII.
> It talks about whether you can link to a specific person or
> device--which you can do without knowing any PII.
>
> On Thu, Nov 15, 2012 at 12:15 PM, Chris Mejia <chris.mejia@iab.net> wrote:
>
>> Hi Ed,
>>
>> I believe the demarcation here is with respect to PII and getting
>> back to the specific person/device. Per the DAA language Rachel
>> has provided (cut-and-pasted from the DAA self-regulatory document)
>> to this working group, a unique profile may be maintained so long as
>> it cannot reasonably be re-associated or connected to an INDIVIDUAL
>> and/or a PARTICULAR computer or device. This is done through
>> one-way hashing. In other words, this unique profile can still
>> exist, but it cannot be connected to a specific person/device.
>>
>> Chris Mejia | Digital Supply Chain Solutions | Ad Technology Group
>> | Interactive Advertising Bureau - IAB
>>
>> From: Ed Felten <ed@felten.com>
>> Date: Thursday, November 15, 2012 8:45 AM
>> To: Rachel Thomas - DMA <RThomas@the-dma.org>
>> Cc: W3C DNT Working Group Mailing List <public-tracking@w3.org>,
>> Lou Mastria - DAA <lou@aboutads.info>, Chris Mejia - IAB
>> <chris.mejia@iab.net>, David Wainberg - NAI
>> <david@networkadvertising.org>, Mike Zaneis - IAB <mike@iab.net>,
>> Marc Groman-NAI <mgroman@networkadvertising.org>,
>> Brendan Riordan-Butterworth - IAB <brendan@iab.net>
>> Subject: Re: ACTION-286: Propose DAA text regarding
>> de-identification (for unlinkability discussion)
>>
>> There is a contradiction between this definition and the
>> interpretation that you put on it. The definition requires that
>> the data "cannot reasonably be reassociated or connected to an
>> individual..." But the interpretation that is offered would allow
>> situations where the data is used "to recognize ... specific
>> visitors to Web sites". That's a contradiction--if you use a data
>> item to recognize a specific visitor, then you are reassociating and
>> connecting that data to that specific visitor.
>>
>> On Thu, Nov 15, 2012 at 10:07 AM, Rachel Thomas <RThomas@the-dma.org> wrote:
>>
>>> As I promised Aleecia during yesterday’s TPWG call, I am
>>> submitting the Digital Advertising Alliance (DAA) definition of
>>> “de-identification” to fulfill Action 286 [1] in advance of
>>> the deadline this Friday.
>>>
>>> The DAA definition is as follows:
>>>
>>> “DE-IDENTIFICATION PROCESS: Data has been De-Identified when an
>>> entity has taken reasonable steps to ensure that the data cannot
>>> reasonably be re-associated or connected to an individual or
>>> connected to or be associated with a particular computer or
>>> device. An entity should take reasonable steps to protect the
>>> non-identifiable nature of data if it is distributed to
>>> non-Affiliates and obtain satisfactory written assurance that such
>>> entities will not attempt to reconstruct the data in a way such
>>> that an individual may be re-identified and will use or disclose
>>> the de-identified data only for uses as specified by the entity.
>>> An entity should also take reasonable steps to ensure that any
>>> non-Affiliate that receives de-identified data will itself ensure
>>> that any further non-Affiliate entities to which such data is
>>> disclosed agree to restrictions and conditions set forth in this
>>> [definition].”
>>>
>>> It is worth noting that this approach to de-identifying data is
>>> modeled on the Federal Trade Commission (FTC) approach to masking
>>> online identifiers to protect children under the Children’s
>>> Online Privacy Protection Act (COPPA). For example, the FTC
>>> states in question #45 of its COPPA FAQ [2] that Web sites that
>>> “hash” or otherwise alter children’s email addresses when
>>> collecting them to be stored and used to create a password
>>> reminder system are not deemed to be collecting and using personal
>>> information and, therefore, do not trigger COPPA’s parental
>>> consent requirement. (Hashing being a one-way, irreversible
>>> process that protects the original data but permits ongoing
>>> indexing of the hashed values on an anonymous or de-identified
>>> basis.) The rule that emerges from this is that it suffices for
>>> purposes of protecting privacy if identifiers are altered after
>>> they are collected such that they cannot be reconstructed into
>>> their original form in the ordinary course of business but the
>>> altered form remains available to be used by Web sites to
>>> recognize and distinguish among specific visitors to Web sites.
>>>
>>> Thanks, and best,
>>>
>>> Rachel
Received on Thursday, 15 November 2012 20:02:13 UTC
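The two properties argued over in the thread, whether a hashed identifier is "irreversible" (Rob's question) and whether it still lets a site recognize the same visitor over time (Ed's objection), can be checked directly. The following is an added example, not code from the thread, the DAA or any of the participants. The e-mail addresses and keys in it are constructed for the demonstration, and the keyed (HMAC) variant and key rotation are assumed mitigations for comparison, not something the thread proposes.

```python
"""Added example: what 'one-way hashing' of an identifier does and does not provide.

Not part of the mailing-list thread. Sample addresses and keys are constructed.
"""
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed guess list. In practice an adversary uses a leaked address list,
# or simply every address the site itself has ever collected.
CANDIDATES = ["alice@example.com", "bob@example.org", "carol@example.net"]


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier: the 'hashing' the thread describes."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def keyed_hash(identifier: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key (assumed variant, not from the thread)."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()


def token_for(identifier: str, key: Optional[bytes] = None) -> str:
    """The stored, 'de-identified' value for one visit."""
    return keyed_hash(identifier, key) if key is not None else plain_hash(identifier)


def same_token_across_visits(identifier: str, key: Optional[bytes] = None) -> bool:
    """Ed Felten's point: a deterministic transform yields the same token on every
    visit, so the stored value still singles out one user or device over time."""
    return token_for(identifier, key) == token_for(identifier, key)


def reverse_by_guessing(token: str, candidates: Iterable[str],
                        key: Optional[bytes] = None) -> Optional[str]:
    """Rob van Eijk's question: 'irreversible' only holds while the input cannot be
    guessed. E-mail addresses are enumerable, so an unkeyed hash is reversed by
    re-hashing guesses. A keyed hash resists this only for parties without the key."""
    for candidate in candidates:
        if hmac.compare_digest(token_for(candidate, key), token):
            return candidate
    return None


def tokens_link_across_periods(identifier: str, key_a: bytes, key_b: bytes) -> bool:
    """Rotating the key breaks linkage between periods, at the cost of the
    long-lived profile the thread is debating."""
    return keyed_hash(identifier, key_a) == keyed_hash(identifier, key_b)


if __name__ == "__main__":
    victim = "bob@example.org"
    print("recognised on next visit (unkeyed):", same_token_across_visits(victim))
    print("unkeyed hash reversed to:", reverse_by_guessing(plain_hash(victim), CANDIDATES))
    k1, k2 = b"\x01" * 32, b"\x02" * 32  # constructed keys
    t = keyed_hash(victim, k1)
    print("keyed hash reversed without key:", reverse_by_guessing(t, CANDIDATES))
    print("keyed hash reversed with key:", reverse_by_guessing(t, CANDIDATES, k1))
    print("recognised on next visit (keyed):", same_token_across_visits(victim, k1))
    print("links across key rotation:", tokens_link_across_periods(victim, k1, k2))
```

Run it and the output states the thread's disagreement in one place: the unkeyed hash of an address is recovered from a small guess list, so "irreversible" depends entirely on the guessability of the input; and both the unkeyed and the keyed token are identical on every visit, so whoever stores them can recognize and distinguish the same visitor, which is exactly the re-association Ed says the definition forbids. Only a secret key withheld from third parties makes the token hard for *them* to reverse, and only rotating that key stops the profile from accumulating across periods.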