- From: Alan Chapell <achapell@chapellassociates.com>
- Date: Tue, 09 Jul 2013 08:42:36 -0400
- To: David Singer <singer@apple.com>, <rob@blaeu.com>
- CC: "public-tracking@w3.org WG" <public-tracking@w3.org>
Well put, David. I'm not sure we want to call out digital fingerprinting specifically - technology neutral is best.

On 7/9/13 8:04 AM, "David Singer" <singer@apple.com> wrote:

>
>On Jul 9, 2013, at 12:33 , Rob van Eijk <rob@blaeu.com> wrote:
>
>>
>>>>> well, the fingerprint is used as a key to some data storage...
>>>> What if it isn't? What if a website collects a fingerprint and then
>>>>discards it? Surely that should still be prohibited.
>>> So, during the transaction, the server calculates a fingerprint
>>> that's plausibly unique to the user, and then when the transaction is
>>> complete, it discards the fingerprint. It can't now have anything
>>> retained that's keyed to that fingerprint, and it can't know if the
>>> same user visits again (fingerprint match). I don't see the point,
>>> but I don't see a problem.
>>
>>
>> Fingerprints do in many cases end up in data sets as matching
>>identifiers.
>
>Then data is being retained.
>
>>
>> Even if a fingerprint is discarded, it can facilitate the linking of
>>new data to already collected data.
>
>how? if I discard the fingerprint (it's not recorded anywhere)...
>
>> Therefore, fingerprinting is important to address when DNT:1.
>>
>> DNT:1 must cover fingerprinting based tracking equal to cookie based
>>tracking.
>
>DNT should cover *tracking*, and we might have comments or notes on what
>constitutes tracking, retention, etc., but I think it very dangerous to
>talk of specific technologies in the normative text.
>
>>
>>
>> David Singer wrote on 2013-07-09 13:05:
>>> On Jul 8, 2013, at 20:46 , Jonathan Mayer <jmayer@stanford.edu> wrote:
>>>>> that could usefully be made clear (that storing information in a
>>>>>cookie that later should come back to you is still 'retaining'.
>>>> I'd prefer to focus on privacy properties, not particular technical
>>>>implementations. My concern is not the use of browser storage. It's
>>>>the information flow from the browser to the website.
>>> Sure, my focus is on what information is retained in the sense it is
>>> usable by the site(s) after the transaction is over. Where it is
>>> (local, cloud, client, service provider, etc.) are irrelevant.
>>>>>> (And what about fingerprinting, where there is no client-side
>>>>>>information stored?)
>>>>> well, the fingerprint is used as a key to some data storage...
>>>> What if it isn't? What if a website collects a fingerprint and then
>>>>discards it? Surely that should still be prohibited.
>>> So, during the transaction, the server calculates a fingerprint
>>> that's plausibly unique to the user, and then when the transaction is
>>> complete, it discards the fingerprint. It can't now have anything
>>> retained that's keyed to that fingerprint, and it can't know if the
>>> same user visits again (fingerprint match). I don't see the point,
>>> but I don't see a problem.
>>>>>> At any rate, I'm inclined to hold this (constructive!) conversation
>>>>>>until we decide a) to have a definition of "tracking" and b) to make
>>>>>>that definition normative.
>>>>> The June document has such, so we should make sure it's watertight.
>>>>>that's why I am pressing for specifics. yes, it's helpful.
>>>> The June draft definition is de jure normative, but de facto
>>>>non-normative since it isn't used anywhere.
>>> Indeed, I have CPs to make it used. It's used by implication but not
>>> by the text.
>>> David Singer
>>> Multimedia and Software Standards, Apple Inc.
>
>David Singer
>Multimedia and Software Standards, Apple Inc.

Received on Tuesday, 9 July 2013 12:43:08 UTC