RE: DNT: Agenda for Wednesday call, February 20



I agree with David. There is far from a consensus for permitted use for
Market Research, which in any event requires consent in Europe (it is
explicitly called for in the EC and amended drafts of the DP Regulation).
Some of the market research people I talked to actually see the requirement
of consent as brand protection, as less respectable entrants would have
difficulty obtaining it.


On de-id, all the discussions I was party to concluded that the retention of
a UID would preclude de-identification. There may be possibilities of a
compromise which involved limited duration for identifier retention, with
suitable text to outlaw cloning, but no one has suggested an appropriate
range yet. If de-identification was simply secured by URL string limitation
I think we would end up with a laughable standard, not just a "null" one.




From: David Singer [] 
Sent: 19 February 2013 20:05
To: Peter Swire
Cc: WG
Subject: Re: DNT: Agenda for Wednesday call, February 20



On Feb 19, 2013, at 11:54 , Peter Swire <> wrote:



1. "Market research" has been proposed as a permitted use, to go into the
text of the spec.  It is an important topic in practice for a range of
companies.  The DAA code, which overlaps in its coverage with DNT issues,
has an exception/permitted use for "market research."  To get adoption of
DNT, getting clarity on "market research" seems entirely relevant.


2. In talking with people since I sent the agenda, I believe "truncation of
URIs" may be a better term for the group than LBH.  This truncation point is
inter-woven with the definition of what counts as de-identified and what
uses are permitted for what length of time.  I continue to believe that
greater clarity on how long data is retained, for what purposes, and with
what provisions on the back end (delete, deID), are operationally key issues
for the compliance spec.



I would welcome concrete and specific proposals, but the first was debated
and did not receive even widespread support, let alone consensus, as I
recall.  On the second, I thought de-identification was about not being able
to identify people, not that the records about identifiable people have the
URLs de-identified?


It's an odd sequence to define terms without the context of how they might
be used, or any agreement to use them.


David Singer

Multimedia and Software Standards, Apple Inc.


Received on Tuesday, 19 February 2013 21:14:29 UTC