- From: David Singer <singer@apple.com>
- Date: Tue, 09 Jul 2013 13:04:08 +0100
- To: rob@blaeu.com
- Cc: "public-tracking@w3.org WG" <public-tracking@w3.org>

On Jul 9, 2013, at 12:33 , Rob van Eijk <rob@blaeu.com> wrote:

>
>>>> well, the fingerprint is used as a key to some data storage…
>>> What if it isn't? What if a website collects a fingerprint and then discards it? Surely that should still be prohibited.
>> So, during the transaction, the server calculates a fingerprint
>> that's plausibly unique to the user, and then when the transaction is
>> complete, it discards the fingerprint. It can't now have anything
>> retained that's keyed to that fingerprint, and it can't know if the
>> same user visits again (fingerprint match). I don't see the point,
>> but I don't see a problem.
>
>
> Fingerprints do in many cases end up in data sets as matching identifiers. Then data is being retained.
>
> Even if a fingerprint is discarded, it can facilitate the linking of new data to already collected data.

how? if I discard the fingerprint (it's not recorded anywhere)…

> Therefore, fingerprinting is important to address when DNT:1.
>
> DNT:1 must cover fingerprinting based tracking equal to cookie based tracking.

DNT should cover *tracking*, and we might have comments or notes on what constitutes tracking, retention, etc., but I think it very dangerous to talk of specific technologies in the normative text.

>
>
> David Singer wrote on 2013-07-09 13:05:
>> On Jul 8, 2013, at 20:46 , Jonathan Mayer <jmayer@stanford.edu> wrote:
>>>> that could usefully be made clear (that storing information in a cookie that later should come back to you is still 'retaining'.
>>> I'd prefer to focus on privacy properties, not particular technical implementations. My concern is not the use of browser storage. It's the information flow from the browser to the website.
>> Sure, my focus is on what information is retained in the sense it is
>> usable by the site(s) after the transaction is over. Where it is
>> (local, cloud, client, service provider, etc.) are irrelevant.
>>>>> (And what about fingerprinting, where there is no client-side information stored?)
>>>> well, the fingerprint is used as a key to some data storage…
>>> What if it isn't? What if a website collects a fingerprint and then discards it? Surely that should still be prohibited.
>> So, during the transaction, the server calculates a fingerprint
>> that's plausibly unique to the user, and then when the transaction is
>> complete, it discards the fingerprint. It can't now have anything
>> retained that's keyed to that fingerprint, and it can't know if the
>> same user visits again (fingerprint match). I don't see the point,
>> but I don't see a problem.
>>>>> At any rate, I'm inclined to hold this (constructive!) conversation until we decide a) to have a definition of "tracking" and b) to make that definition normative.
>>>> The june document has such, so we should make sure it's watertight. that's why I am pressing for specifics. yes, it's helpful.
>>> The June draft definition is de jure normative, but de facto non-normative since it isn't used anywhere.
>> Indeed, I have CPs to make it used. It's used by implication but not
>> by the text.
>> David Singer
>> Multimedia and Software Standards, Apple Inc.

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Tuesday, 9 July 2013 12:04:36 UTC