- From: Rob van Eijk <rob@blaeu.com>
- Date: Tue, 09 Jul 2013 15:21:13 +0200
- To: Alan Chapell <achapell@chapellassociates.com>
- Cc: David Singer <singer@apple.com>, <public-tracking@w3.org>

Just to let you know that the DPAs specifically ruled out fingerprinting as an alternative for cookie based tracking in the Berlin Group opinion on Web Tracking and Privacy.

Keeping a definition technology neutral is fine with me. Wishing fingerprinting is off the radar for DPAs is not a preferred move. It would be wise to include fingerprinting specifically in non-normative text, if a definition has to be part of the standard.

I am proposing a new tracking definition and non-normative text:

Tracking is any form of collection, retention, use and/or application of data that are, or can be, associated with a specific user, user agent, or device.

Non normative explanation: Tracking is not exclusively connected to unique ID cookies. Tracking includes automated real time decisions, intended to analyse or predict the personality or certain personal aspects relating to a natural person, including the analysis and prediction of the person’s health, economic situation, information on political or philosophical beliefs, performance at work, leisure, personal preferences or interests, details and patterns on behavior, detailed location or movements. Tracking is defined in a technological neutral way and includes e.g. cookie based tracking technology, active and passive fingerprinting techniques.

Rob

Alan Chapell wrote on 2013-07-09 14:42:
> Well put, David. I'm not sure we want to call out digital fingerprinting
> specifically - technology neutral is best.
>
> On 7/9/13 8:04 AM, "David Singer" <singer@apple.com> wrote:
>
>> On Jul 9, 2013, at 12:33 , Rob van Eijk <rob@blaeu.com> wrote:
>>
>>>>>> well, the fingerprint is used as a key to some data storage...
>>>>> What if it isn't? What if a website collects a fingerprint and then
>>>>> discards it? Surely that should still be prohibited.
>>>> So, during the transaction, the server calculates a fingerprint
>>>> that's plausibly unique to the user, and then when the transaction is
>>>> complete, it discards the fingerprint. It can't now have anything
>>>> retained that's keyed to that fingerprint, and it can't know if the
>>>> same user visits again (fingerprint match). I don't see the point,
>>>> but I don't see a problem.
>>>
>>> Fingerprints do in many cases end up in data sets as matching
>>> identifiers.
>>
>> Then data is being retained.
>>
>>> Even if a fingerprint is discarded, it can facilitate the linking of
>>> new data to already collected data.
>>
>> how? if I discard the fingerprint (it's not recorded anywhere)...
>>
>>> Therefore, fingerprinting is important to address when DNT:1.
>>>
>>> DNT:1 must cover fingerprinting based tracking equal to cookie based
>>> tracking.
>>
>> DNT should cover *tracking*, and we might have comments or notes on what
>> constitutes tracking, retention, etc., but I think it very dangerous to
>> talk of specific technologies in the normative text.
>>
>>> David Singer wrote on 2013-07-09 13:05:
>>>> On Jul 8, 2013, at 20:46 , Jonathan Mayer <jmayer@stanford.edu> wrote:
>>>>>> that could usefully be made clear (that storing information in a
>>>>>> cookie that later should come back to you is still 'retaining'.
>>>>> I'd prefer to focus on privacy properties, not particular technical
>>>>> implementations. My concern is not the use of browser storage. It's
>>>>> the information flow from the browser to the website.
>>>> Sure, my focus is on what information is retained in the sense it is
>>>> usable by the site(s) after the transaction is over. Where it is
>>>> (local, cloud, client, service provider, etc.) are irrelevant.
>>>>>>> (And what about fingerprinting, where there is no client-side
>>>>>>> information stored?)
>>>>>> well, the fingerprint is used as a key to some data storage...
>>>>> What if it isn't?
>>>>> What if a website collects a fingerprint and then
>>>>> discards it? Surely that should still be prohibited.
>>>> So, during the transaction, the server calculates a fingerprint
>>>> that's plausibly unique to the user, and then when the transaction is
>>>> complete, it discards the fingerprint. It can't now have anything
>>>> retained that's keyed to that fingerprint, and it can't know if the
>>>> same user visits again (fingerprint match). I don't see the point,
>>>> but I don't see a problem.
>>>>>>> At any rate, I'm inclined to hold this (constructive!) conversation
>>>>>>> until we decide a) to have a definition of "tracking" and b) to make
>>>>>>> that definition normative.
>>>>>> The june document has such, so we should make sure it's watertight.
>>>>>> that's why I am pressing for specifics. yes, it's helpful.
>>>>> The June draft definition is de jure normative, but de facto
>>>>> non-normative since it isn't used anywhere.
>>>> Indeed, I have CPs to make it used. It's used by implication but not
>>>> by the text.
>>>> David Singer
>>>> Multimedia and Software Standards, Apple Inc.
>>
>> David Singer
>> Multimedia and Software Standards, Apple Inc.

Received on Tuesday, 9 July 2013 13:21:47 UTC