Re: June Change Proposal: Definition of Tracking (ISSUE-5)

On Jul 8, 2013, at 20:46 , Jonathan Mayer <jmayer@stanford.edu> wrote:

>> that could usefully be made clear (that storing information in a cookie that later should come back to you is still 'retaining'.
> I'd prefer to focus on privacy properties, not particular technical implementations.  My concern is not the use of browser storage.  It's the information flow from the browser to the website.

Sure, my focus is on what information is retained in the sense it is usable by the site(s) after the transaction is over.  Where it is (local, cloud, client, service provider, etc.) are irrelevant.

>>> (And what about fingerprinting, where there is no client-side information stored?)
>> 
>> well, the fingerprint is used as a key to some data storage…
> What if it isn't?  What if a website collects a fingerprint and then discards it?  Surely that should still be prohibited.

So, during the transaction, the server calculates a fingerprint that's plausibly unique to the user, and then when the transaction is complete, it discards the fingerprint.  It can't now have anything retained that's keyed to that fingerprint, and it can't know if the same user visits again (fingerprint match).  I don't see the point, but I don't see a problem.

>>> 
>>> At any rate, I'm inclined to hold this (constructive!) conversation until we decide a) to have a definition of "tracking" and b) to make that definition normative.
>> 
>> The june document has such, so we should make sure it's watertight. that's why I am pressing for specifics. yes, it's helpful.
> The June draft definition is de jure normative, but de facto non-normative since it isn't used anywhere. 

Indeed, I have CPs to make it used.  It's used by implication but not by the text.

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Tuesday, 9 July 2013 11:06:12 UTC