Re: June Change Proposal: Definition of Tracking (ISSUE-5)

Well put, David. I'm not sure we want to call out digital fingerprinting
specifically - technology neutral is best.
 

On 7/9/13 8:04 AM, "David Singer" <singer@apple.com> wrote:

>
>On Jul 9, 2013, at 12:33 , Rob van Eijk <rob@blaeu.com> wrote:
>
>> 
>>>>> well, the fingerprint is used as a key to some data storageŠ
>>>> What if it isn't?  What if a website collects a fingerprint and then
>>>>discards it?  Surely that should still be prohibited.
>>> So, during the transaction, the server calculates a fingerprint
>>> that's plausibly unique to the user, and then when the transaction is
>>> complete, it discards the fingerprint.  It can't now have anything
>>> retained that's keyed to that fingerprint, and it can't know if the
>>> same user visits again (fingerprint match).  I don't see the point,
>>> but I don't see a problem.
>> 
>> 
>> Fingerprints do in may cases end up in data sets as matching
>>identifiers.
>
>Then data is being retained.
>
>> 
>> Even if a fingerprint is discarded, it can facilitate the linking of
>>new data to already collected data.
>
>how?  if I discard the fingerprint (it's not recorded anywhere)Š
>
>> Therefore, fingerprinting is important to address when DNT:1.
>> 
>> DNT:1 must cover fingerprinting based tracking equal to cookie based
>>tracking.
>
>DNT should cover *tracking*, and we might have comments or notes on what
>constitutes tracking, retention, etc., but I think it very dangerous to
>talk of specific technologies in the normative text.
>
>> 
>> 
>> David Singer schreef op 2013-07-09 13:05:
>>> On Jul 8, 2013, at 20:46 , Jonathan Mayer <jmayer@stanford.edu> wrote:
>>>>> that could usefully be made clear (that storing information in a
>>>>>cookie that later should come back to you is still 'retaining'.
>>>> I'd prefer to focus on privacy properties, not particular technical
>>>>implementations.  My concern is not the use of browser storage.  It's
>>>>the information flow from the browser to the website.
>>> Sure, my focus is on what information is retained in the sense it is
>>> usable by the site(s) after the transaction is over.  Where it is
>>> (local, cloud, client, service provider, etc.) are irrelevant.
>>>>>> (And what about fingerprinting, where there is no client-side
>>>>>>information stored?)
>>>>> well, the fingerprint is used as a key to some data storageŠ
>>>> What if it isn't?  What if a website collects a fingerprint and then
>>>>discards it?  Surely that should still be prohibited.
>>> So, during the transaction, the server calculates a fingerprint
>>> that's plausibly unique to the user, and then when the transaction is
>>> complete, it discards the fingerprint.  It can't now have anything
>>> retained that's keyed to that fingerprint, and it can't know if the
>>> same user visits again (fingerprint match).  I don't see the point,
>>> but I don't see a problem.
>>>>>> At any rate, I'm inclined to hold this (constructive!) conversation
>>>>>>until we decide a) to have a definition of "tracking" and b) to make
>>>>>>that definition normative.
>>>>> The june document has such, so we should make sure it's watertight.
>>>>>that's why I am pressing for specifics. yes, it's helpful.
>>>> The June draft definition is de jure normative, but de facto
>>>>non-normative since it isn't used anywhere.
>>> Indeed, I have CPs to make it used.  It's used by implication but not
>>> by the text.
>>> David Singer
>>> Multimedia and Software Standards, Apple Inc.
>
>David Singer
>Multimedia and Software Standards, Apple Inc.
>
>
>

Received on Tuesday, 9 July 2013 12:43:08 UTC