- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 6 Nov 2013 11:05:32 -0800
- To: Mike O'Neill <michael.oneill@baycloud.com>
- Cc: "'David Singer'" <singer@apple.com>, <public-tracking@w3.org>
On Nov 5, 2013, at 4:18 PM, Mike O'Neill wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > But a combination of the data collected in one context can be used to track someone across the web. Considering only your contracted analytics use case, if the third-party collects a unique id scoped solely to the first-party domain, combining that with the contents of the Referer header will give you a universal unique identifier. A URL query parameter would also suffice. A set of these identifiers will be associated with a single user/device and the third-party can collect all of them. There is a small problem on how to collapse them all to a single manageable (reasonable length) key but that can be done using the device's IP address to thread them together (over a short period it will, even with IPv4 NAT or IPv6 anonymous auto configuration), or by ensuring the unique ids were already universally unique (across all domains). It isn't necessary to think about tracking in terms of identifiers. The mechanism is irrelevant to what the user is requesting. > You might say the act of combining data in this way, perhaps secretly, constitutes tracking but does your definition cover it? Yes, that is "retention, use, or sharing of data derived from that activity outside the context in which it occurred." ....Roy
Received on Wednesday, 6 November 2013 19:05:56 UTC