RE: issue-199

Rigo,

The element that is missing in your analysis is the "operational nature" of the resulting identifier.  Pseudonyms can still be used in a production setting - meaning that I can alter a user's experience in real-time leveraging historical activity associated with the pseudonym.  In our proposal, the result of de-identification does NOT allow for this and the data's only utility is for analytical purposes alone.  Repeat, data in the Yellow Zone CANNOT be used to link back to the real user in any way.

I believe this is the significant disconnect in attempting to leverage pseudonyms in the context of the DNT standard as they would clearly live in the Red zone - NOT the Yellow zone.

- Shane

-----Original Message-----
From: Rigo Wenning [mailto:rigo@w3.org] 
Sent: Tuesday, July 09, 2013 8:59 PM
To: public-tracking@w3.org
Cc: Shane Wiley; Mike O'Neill; 'achapell'; npdoty@w3.org; tlr@w3.org; jeff@democraticmedia.org
Subject: Re: issue-199

Shane, 

let me focus on the wrapping and less on the content. I think we do ourselves a disservice by trying to benefit from the renown of some term and to define something surprising/new under it. 

You clearly try to label stock pseudonymization as de-identification unless you can tell me otherwise. As far as I understand your concept (pointer to some more explanation?), you take an ID you got from a device, you replace this ID by a new ID and you have a mapping table that one is not supposed to use except to add new content to the profile. 

So now instead of cookie abcdxyz and IP 10.15.0.1 you have YahooID schmoozoo321. Both allow you to single out a profile and react on it (the term is "discriminate", positive or negative).

What have we gained in protection against discrimination? Nothing. You have just exchanged pseudonyms for other pseudonyms. Where is the gain that justifies the change in state? 

If we want a truly "yellow" state, there must be some stripping happening. Changing IDs that still allow to single out (without degrading their granularity) and a promise not to look at the matching database is a bit weak to justify the change in state. So for me this is still red. 

Accordingly, your definition of de-identification still has too much identification in it to tell the world it isn't anymore. That's how "de-"identification is generally understood. If identity is the fact of being the same person or thing as claimed[1], if identification is evidence of identity[2], de-identification will be understood as removing the evidence of being the same person. In your definition, this is not the case. Of course we could define uphill as 45 degrees downwards and this way, water would run uphill. But isn't this a bit too cheap? I wouldn't dare being seen using that trick. 

That said, I think the idea of having a middle state that allows to do things is really good. But your definition and the use of the word "de-identification" is not doing the trick IMHO.

1. http://www.wordcentral.com/cgi-bin/student?book=Student&va=identity
2. http://www.merriam-webster.com/dictionary/identification

 --Rigo



On Tuesday 09 July 2013 18:29:38 Shane Wiley wrote:
> Deidentification is about removing the association between a unique ID 
> (any source:  cookie, digital fingerprint, etc.) and the 
> actual/specific user/device.  In this context:
> 
> Red:  actual user/device
> Yellow:  not actual user/device but events are linkable (and only 
> usable for analytics/reporting)
> Green:  not actual user/device and 
> events are not linkable (outside the scope of DNT)
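The distinction the two messages argue over, shown as an added example that is not part of the thread or of either proposal: a keyed pseudonym stands in for the mapping table Rigo describes, all sample events and identifiers are constructed, and the point is that the pseudonymous store can still single out a returning device and react on its history (Rigo's "still red"), while only the aggregate, identifier-free counts lose that property.

```python
import hmac
import hashlib
from collections import Counter, defaultdict

# Constructed sample events keyed by a raw device cookie (hypothetical values).
RAW_EVENTS = [
    {"cookie": "abcdxyz", "ip": "10.15.0.1", "page": "/sports"},
    {"cookie": "abcdxyz", "ip": "10.15.0.1", "page": "/cars"},
    {"cookie": "qrs789", "ip": "10.15.0.2", "page": "/sports"},
]
# The key plays the role of the mapping table: whoever holds it can re-derive
# the pseudonym from a raw cookie (assumed stand-in, not either party's design).
MAPPING_KEY = b"constructed-mapping-key"


def pseudonymize(cookie: str, key: bytes = MAPPING_KEY) -> str:
    """Replace the raw cookie with a keyed, deterministic pseudonym."""
    return hmac.new(key, cookie.encode(), hashlib.sha256).hexdigest()[:12]


def pseudonymous_store(events, key: bytes = MAPPING_KEY) -> dict:
    """Stock pseudonymization: drop cookie and IP, keep per-pseudonym history."""
    store = defaultdict(list)
    for e in events:
        store[pseudonymize(e["cookie"], key)].append(e["page"])
    return dict(store)


def react_in_real_time(store: dict, incoming_cookie: str,
                       key: bytes = MAPPING_KEY) -> list:
    """A production system holding the key still singles out the returning
    device and can act on its history: the property that keeps this 'red'."""
    return store.get(pseudonymize(incoming_cookie, key), [])


def analytics_only(events) -> Counter:
    """Stripping as Rigo describes it: no identifier survives, only counts,
    so there is no per-device row left to react on."""
    return Counter(e["page"] for e in events)
```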

Received on Wednesday, 10 July 2013 07:52:14 UTC