- From: Shane Wiley <wileys@yahoo-inc.com>
- Date: Wed, 10 Jul 2013 07:52:13 +0000
- To: "Edward W. Felten" <felten@cs.princeton.edu>
- CC: "rob@blaeu.com" <rob@blaeu.com>, Alan Chapell <achapell@chapellassociates.com>, David Singer <singer@apple.com>, "public-tracking@w3.org" <public-tracking@w3.org>
- Message-ID: <DCCF036E573F0142BD90964789F720E3140EA2C1@GQ1-MB01-02.y.corp.yahoo.com>
Activity = “URLs”. IDs = “specific user, user agent, computer, or device”. “Activity…linked to a specific user, user agent, computer, or device” = IDs + URLs. - Shane From: Edward W. Felten [mailto:felten@cs.princeton.edu] Sent: Tuesday, July 09, 2013 10:22 PM To: Shane Wiley Cc: rob@blaeu.com; Alan Chapell; David Singer; public-tracking@w3.org Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5) The definition in the DAA text is "Tracking is the collection and retention , or use, after a network interaction is complete, of data records that are, or can be, associated with of activity across non-affiliated websites linked to a specific user, user agent computer, or device." I don't see anything in that definition that limits it to "IDs + URLs". It seems to cover "data records that are, or can be, associated with activity ..." On Tue, Jul 9, 2013 at 2:24 PM, Shane Wiley <wileys@yahoo-inc.com<mailto:wileys@yahoo-inc.com>> wrote: Rob, This definition is too broad and therefore not likely to be implemented. If we instead focus on tracking as being the association of a unique ID (any source - including digital fingerprints) with web activity (URLs) across non-affiliated sites - we have a foundation upon which we can build a lasting DNT standard (and one that will be implemented and advanced user privacy in a real way). Could you please provide examples where you feel the industry definition is too narrow (IDs + URLs)? This appears to hit right at the very heart of the concept of "online tracking" and hopefully builds a definition by which our activities can be appropriately focused. Please keep in mind the technical side of the specification is so easy to game that we should expect rates exceeding 50% to 80% of DNT:1. - Shane -----Original Message----- From: Rob van Eijk [mailto:rob@blaeu.com<mailto:rob@blaeu.com>] Sent: Tuesday, July 09, 2013 6:21 AM To: Alan Chapell Cc: David Singer; public-tracking@w3.org<mailto:public-tracking@w3.org> Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5) Just to let you know that the DPAs specifically ruled out fingerprinting as an alternative for cookie based tracking in the Berlin Group opinion on Web Tracking and Privacy. Keeping a definition technology neutral is fine with me. Wishing fingerprinting is off the radar for DPAs is not a preferred move. It would be wise to include fingerprinting specifically in non-normative text, if a definition has to be part of the standard. I am proposing a new tracking defintion and non-normative text: Tracking is any form of collection, retention, use and/or application of data that are, or can be, associated with a specific user, user agent, or device. Non normative explanation: Tracking is not exclusively connected to unique ID cookies. Tracking includes automated real time decisions, intended to analyse or predict the personality or certain personal aspects relating to a natural person, including the analysis and prediction of the person’s health, economic situation, information on political or philosophical beliefs , performance at work, leisure, personal preferences or interests, details and patterns on behavior, detailed location or movements. Tracking is defined in a technological neutral way and includes e.g. cookie based tracking technology, active and passive fingerprinting techniques. Rob Alan Chapell schreef op 2013-07-09 14:42: > Well put, David. I'm not sure we want to call out digital > fingerprinting specifically - technology neutral is best. > > > On 7/9/13 8:04 AM, "David Singer" <singer@apple.com<mailto:singer@apple.com>> wrote: > >> >> On Jul 9, 2013, at 12:33 , Rob van Eijk <rob@blaeu.com<mailto:rob@blaeu.com>> wrote: >> >>> >>>>>> well, the fingerprint is used as a key to some data storageŠ >>>>> What if it isn't? What if a website collects a fingerprint and >>>>> then discards it? Surely that should still be prohibited. >>>> So, during the transaction, the server calculates a fingerprint >>>> that's plausibly unique to the user, and then when the transaction >>>> is complete, it discards the fingerprint. It can't now have >>>> anything retained that's keyed to that fingerprint, and it can't >>>> know if the same user visits again (fingerprint match). I don't >>>> see the point, but I don't see a problem. >>> >>> >>> Fingerprints do in may cases end up in data sets as matching >>> identifiers. >> >> Then data is being retained. >> >>> >>> Even if a fingerprint is discarded, it can facilitate the linking of >>> new data to already collected data. >> >> how? if I discard the fingerprint (it's not recorded anywhere)Š >> >>> Therefore, fingerprinting is important to address when DNT:1. >>> >>> DNT:1 must cover fingerprinting based tracking equal to cookie based >>> tracking. >> >> DNT should cover *tracking*, and we might have comments or notes on >> what constitutes tracking, retention, etc., but I think it very >> dangerous to talk of specific technologies in the normative text. >> >>> >>> >>> David Singer schreef op 2013-07-09 13:05: >>>> On Jul 8, 2013, at 20:46 , Jonathan Mayer <jmayer@stanford.edu<mailto:jmayer@stanford.edu>> >>>> wrote: >>>>>> that could usefully be made clear (that storing information in a >>>>>> cookie that later should come back to you is still 'retaining'. >>>>> I'd prefer to focus on privacy properties, not particular >>>>> technical implementations. My concern is not the use of browser >>>>> storage. >>>>> It's >>>>> the information flow from the browser to the website. >>>> Sure, my focus is on what information is retained in the sense it >>>> is usable by the site(s) after the transaction is over. Where it >>>> is (local, cloud, client, service provider, etc.) are irrelevant. >>>>>>> (And what about fingerprinting, where there is no client-side >>>>>>> information stored?) >>>>>> well, the fingerprint is used as a key to some data storageŠ >>>>> What if it isn't? What if a website collects a fingerprint and >>>>> then discards it? Surely that should still be prohibited. >>>> So, during the transaction, the server calculates a fingerprint >>>> that's plausibly unique to the user, and then when the transaction >>>> is complete, it discards the fingerprint. It can't now have >>>> anything retained that's keyed to that fingerprint, and it can't >>>> know if the same user visits again (fingerprint match). I don't >>>> see the point, but I don't see a problem. >>>>>>> At any rate, I'm inclined to hold this (constructive!) >>>>>>> conversation until we decide a) to have a definition of >>>>>>> "tracking" and b) to make that definition normative. >>>>>> The june document has such, so we should make sure it's >>>>>> watertight. >>>>>> that's why I am pressing for specifics. yes, it's helpful. >>>>> The June draft definition is de jure normative, but de facto >>>>> non-normative since it isn't used anywhere. >>>> Indeed, I have CPs to make it used. It's used by implication but >>>> not by the text. >>>> David Singer >>>> Multimedia and Software Standards, Apple Inc. >> >> David Singer >> Multimedia and Software Standards, Apple Inc. >> >> >> -- Edward W. Felten Professor of Computer Science and Public Affairs Director, Center for Information Technology Policy Princeton University 609-258-5906 http://www.cs.princeton.edu/~felten
Received on Wednesday, 10 July 2013 07:54:09 UTC