RE: <>


That is the accountability element (technical + operational + administrative controls) of the solution - this is not a pure tech solution.  While I understand that an absolute technical solution in isolation equates to full deletion (as you suggest), there are many gradients of acceptable solutions short of full deletion.  In this proposal, organizations are committing to developing an internal implementation that does NOT allow the targeting of an individual.  The purpose of persistent identifier retention (not connected to the real user) is for consistency in reporting - that is all.  As long as an organization has placed the necessary controls in place to reasonably defend that de-identified records cannot be reverse engineered back to a real user/device then the solution is sound.

- Shane

From: Mike O'Neill []
Sent: Thursday, May 16, 2013 7:22 AM
To: Shane Wiley
Cc: John Simpson;;
Subject: <>

Hi Shane,

I just saw your message (for some unfathomable reason I never get your messages to the list forwarded on to me by e-mail).

The problem of any data that contains a persistent UID is that it can always be used to target an individual. You could de-identify each data point as much as you like but further data points collected from the same individual will be appended to it. If the data is so "de-identified" that it no longer contains a derived profiling category (say), then what is the point of retaining the persistent identifier. It would be better for transparency just to delete it. Or just make the duration as short as possible to meet the necessary requirements of any permitted use.

All the evidence we have had indicates that this can be very short.


From: Shane Wiley <<>>
Date: Wed, 15 May 2013 21:23:07 +0000
To: "Mike O'Neill" <<>>, "'John Simpson'" <<>>
CC: "<>" <<>>, "'Tracking Protection Working Group'" <<>>
Message-ID: <<>>

The tri-state de-identification process attempts to solve for a middle ground such that activity can be collected against a persistent identifier but that identifier is not able to connect to devices/users in the real-world so profiling/targeting to an actual data subject does not occur.  There is some risk in this model so to further remove that risk a third state is defined that removes the persistence in identifiers (or removes the identifiers completely) so there is no/less risk of re-identification.

- Shane
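The tri-state model Shane describes, as an added illustration that is not part of the thread and not any organisation's actual implementation: state 2 is assumed to use a keyed HMAC pseudonym (the key held outside the reporting system), state 3 drops the identifier, and the sample events and key are constructed.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample events: (real device identifier, reporting category)
RAW_EVENTS = [
    ("device-A", "sports"),
    ("device-B", "news"),
    ("device-A", "travel"),
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """State 2: persistent pseudonym for consistent reporting.
    Same key + same identifier -> same token, so records from one
    device still aggregate, but the token reveals nothing about the
    identifier to anyone who does not hold the key (assumed design)."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def to_state_two(events, key: bytes):
    return [(pseudonymize(dev, key), cat) for dev, cat in events]


def to_state_three(events):
    """State 3: identifier removed entirely; only the category survives."""
    return [(None, cat) for _dev, cat in events]


def linkable_records(records) -> int:
    """Count records that share an identifier with another record.
    0 means no two records can be joined into a per-subject profile,
    which is the risk Mike raises about any persistent UID."""
    counts: dict = {}
    for ident, _cat in records:
        if ident is not None:
            counts[ident] = counts.get(ident, 0) + 1
    return sum(c for c in counts.values() if c > 1)


def can_reverse(token: str, key: bytes, candidate_ids) -> Optional[str]:
    """Control check: with the key and a candidate list, the mapping is
    recoverable. That is why key custody (the administrative control)
    is what makes 'cannot be reverse engineered' defensible."""
    for cand in candidate_ids:
        if hmac.compare_digest(pseudonymize(cand, key), token):
            return cand
    return None
```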

Received on Thursday, 16 May 2013 15:32:44 UTC