RE: issue-199 from Shane Wiley on 2013-07-10 (public-tracking@w3.org from July 2013)

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Wed, 10 Jul 2013 07:30:36 +0000
To: John Simpson <john@consumerwatchdog.org>
CC: "Mike O'Neill" <michael.oneill@baycloud.com>, "'achapell'" <achapell@chapellassociates.com>, "npdoty@w3.org" <npdoty@w3.org>, "tlr@w3.org" <tlr@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, "jeff@democraticmedia.org" <jeff@democraticmedia.org>
Message-ID: <DCCF036E573F0142BD90964789F720E3140EA1DD@GQ1-MB01-02.y.corp.yahoo.com>

John,

The slides are admittedly terse but attempt to provide a simplified roadmap to the conceptual framework of the proposal associated with visuals on de-identification and a more detailed view of Permitted Uses by De-Identification/De-Linkage step (R-Y-G).  The language in the proposal itself lacks examples as the focus at this stage is on normative text - hopefully these are directly aligned between the two (I know the definition of tracking I proposed in the slides is slightly different but the concept is the same).  I'm hopeful we're able to reuse some of the examples and Permitted Use break-outs in non-normative text once we're beyond the normative stage.

- Shane

From: John Simpson [mailto:john@consumerwatchdog.org]
Sent: Tuesday, July 09, 2013 7:54 PM
To: Shane Wiley
Cc: Mike O'Neill; 'achapell'; npdoty@w3.org; tlr@w3.org; public-tracking@w3.org; jeff@democraticmedia.org
Subject: Re: issue-199

Shane,

I am having an extremely difficult time understanding where in the DAA text proposal this is spelled out. Can you please point me to that.

In other words, how do your slides presented on the June 26 (I think) call relate to the DAA text? Perhaps I'm dense, but I don't see the connection.

Thanks,
John

On Jul 9, 2013, at 11:29 AM, Shane Wiley <wileys@yahoo-inc.com<mailto:wileys@yahoo-inc.com>> wrote:

Mike,

Deidentification is about removing the association between a unique ID (any source:  cookie, digital fingerprint, etc.) and the actual/specific user/device.  In this context:

Red:  actual user/device
Yellow:  not actual user/device but events are linkable (and only usable for analytics/reporting)
Green:  not actual user/device and events are not linkable (outside the scope of DNT)

- Shane

From: Mike O'Neill [mailto:michael.oneill@baycloud.com<http://baycloud.com>]
Sent: Sunday, June 30, 2013 3:01 PM
To: 'achapell'; npdoty@w3.org<mailto:npdoty@w3.org>; tlr@w3.org<mailto:tlr@w3.org>
Cc: public-tracking@w3.org<mailto:public-tracking@w3.org>; jeff@democraticmedia.org<mailto:jeff@democraticmedia.org>
Subject: RE: issue-199

Alan,

Persistent identifiers and their duration should be discussed as part of the red/yellow/green permitted use debate. Browser fingerprinting identifiers are qualitatively different from those stored in cookies or localStorage because they are effectively infinite in duration, so I thought it best to extend the defs. to make that clear.

Mike

From: achapell [mailto:achapell@chapellassociates.com]
Sent: 30 June 2013 22:39
To: michael.oneill@baycloud.com<mailto:michael.oneill@baycloud.com>; npdoty@w3.org<mailto:npdoty@w3.org>; tlr@w3.org<mailto:tlr@w3.org>
Cc: public-tracking@w3.org<mailto:public-tracking@w3.org>; jeff@democraticmedia.org<mailto:jeff@democraticmedia.org>
Subject: RE: issue-199

Do we want to specify technologies here?

Cheers,

Alan Chapell
917 318 8440

-------- Original message --------
From: Mike O'Neill <michael.oneill@baycloud.com<mailto:michael.oneill@baycloud.com>>
Date: 06/30/2013 3:33 PM (GMT-05:00)
To: Nicholas Doty <npdoty@w3.org<mailto:npdoty@w3.org>>,tlr@w3.org<mailto:tlr@w3.org>
Cc: public-tracking@w3.org,jeff@democraticmedia.org<mailto:public-tracking@w3.org,jeff@democraticmedia.org>
Subject: issue-199

Nick, Thomas

Dr Dix's letter reminded me that we need to have some reference to browser fingerprinting being ruled out when DNT is set. I have amended the definitions accordingly.

Do you want me to modify the wiki?

A persistent identifier is an arbitrary value held in, or derived from other data in, the user agent whose purpose is to identify the user agent in subsequent transactions to a particular web domain. It may be encoded for example as the name or value attribute of an HTTP cookie, as an item in localStorage or recorded in some way in the cache.

The duration of a persistent identifier is the maximum period of time it will be retained in the user agent. This could be implemented for example using the Expires or Max-Age attributes of an HTTP cookie so that it is automatically deleted by the user agent after the specified time period is exceeded.

Browser fingerprinting is a method of tracking based on creating a persistent identifier from other information either inherent in the content request or already stored in the user agent. Such an identifier may not need itself to be stored in the user-agent as it can be calculated again in subsequent transactions. It follows from this that its duration is effectively unlimited.

Justification.

With the duration definition, restrictions on permitted uses could then be made that limit the duration of persistent identifiers.Because browser fingerprinting cannot be given a finite duration this tracking method should not be used when DNT is set even if it is for a permitted use. In reality browser fingerprinting solely based on examining initial content requests is usually not an effective tracking method because the combination of IP addresses and other headers are not sufficiently user specific, but we should rule out at least the more complex form when DNT is set.
Mike

Received on Wednesday, 10 July 2013 07:31:37 UTC