
Re: June Change Proposal: Definition of Tracking (ISSUE-5)

From: Rob van Eijk <rob@blaeu.com>
Date: Tue, 09 Jul 2013 13:33:01 +0200
To: David Singer <singer@apple.com>
Cc: "public-tracking@w3.org WG" <public-tracking@w3.org>
Message-ID: <bf5ff8550773757a5ce641b91d5d78a1@xs4all.nl>

>>> well, the fingerprint is used as a key to some data storage…
>> What if it isn't?  What if a website collects a fingerprint and then 
>> discards it?  Surely that should still be prohibited.
> 
> So, during the transaction, the server calculates a fingerprint
> that's plausibly unique to the user, and then when the transaction is
> complete, it discards the fingerprint.  It can't now have anything
> retained that's keyed to that fingerprint, and it can't know if the
> same user visits again (fingerprint match).  I don't see the point,
> but I don't see a problem.


Fingerprints do in many cases end up in data sets as matching 
identifiers.

Even if a fingerprint is discarded, it can facilitate the linking of 
new data to already collected data. Therefore, fingerprinting is 
important to address when DNT:1.

DNT:1 must cover fingerprinting based tracking equal to cookie based 
tracking.


David Singer wrote on 2013-07-09 13:05:
> On Jul 8, 2013, at 20:46 , Jonathan Mayer <jmayer@stanford.edu> wrote:
> 
>>> that could usefully be made clear (that storing information in a 
>>> cookie that later should come back to you is still 'retaining'.
>> I'd prefer to focus on privacy properties, not particular technical 
>> implementations.  My concern is not the use of browser storage.  It's 
>> the information flow from the browser to the website.
> 
> Sure, my focus is on what information is retained in the sense it is
> usable by the site(s) after the transaction is over.  Where it is
> (local, cloud, client, service provider, etc.) are irrelevant.
> 
>>>> (And what about fingerprinting, where there is no client-side 
>>>> information stored?)
>>> 
>>> well, the fingerprint is used as a key to some data storage…
>> What if it isn't?  What if a website collects a fingerprint and then 
>> discards it?  Surely that should still be prohibited.
> 
> So, during the transaction, the server calculates a fingerprint
> that's plausibly unique to the user, and then when the transaction is
> complete, it discards the fingerprint.  It can't now have anything
> retained that's keyed to that fingerprint, and it can't know if the
> same user visits again (fingerprint match).  I don't see the point,
> but I don't see a problem.
> 
>>>> 
>>>> At any rate, I'm inclined to hold this (constructive!) conversation 
>>>> until we decide a) to have a definition of "tracking" and b) to make 
>>>> that definition normative.
>>> 
>>> The June document has such, so we should make sure it's watertight. 
>>> That's why I am pressing for specifics. Yes, it's helpful.
>> The June draft definition is de jure normative, but de facto 
>> non-normative since it isn't used anywhere.
> 
> Indeed, I have CPs to make it used.  It's used by implication but not
> by the text.
> 
> David Singer
> Multimedia and Software Standards, Apple Inc.
Received on Tuesday, 9 July 2013 11:33:33 UTC
