Re: Issue:? Fingerprinting

Thanks Mike. A few points that may be relevant to this thread.

1. Companies such as 41st Parameter have been around for years and help
mostly with security and fraud prevention. I don't think DNT was intended to
impact those areas.
2. If you're going to prohibit "fingerprinting", you'll need to define it.
That may prove more difficult than you'd think.
3. I'll let the AdTruth / 41st Parameter folks speak for themselves, but I
assume that they seem themselves as mostly a "Service Provider" under DNT.
4. 41st Parameter was acquired today by Experian.
(http://www.the41st.com/buzz/announcements/experian-acquire-device-identific
ation-leader-41st-parameter). Is AdTruth now a first party in contexts where
Experian is a First Party?
Thanks!

Alan

From:  Mike O'Neill <michael.oneill@baycloud.com>
Date:  Tuesday, October 1, 2013 2:57 PM
To:  'Justin Brookman' <jbrookman@cdt.org>, 'Jeffrey Chester'
<jeff@democraticmedia.org>
Cc:  <public-tracking@w3.org>
Subject:  RE: Issue:? Fingerprinting
Resent-From:  <public-tracking@w3.org>
Resent-Date:  Tue, 01 Oct 2013 18:58:32 +0000

> Justin, 
>  
> Accurate fingerprinting does not at the moment rely on IP addresses because
> with IPv4 reuse and sharing is common due to the limited address space. The
> usual technique is to use rendered script to return more detailed information
> about the user-agent i.e. fonts employed etc. which tend to uniquely identify
> the device. This was how the EFF¹s panopticlick project did it.
>  
> With IPv6 there is a way to do fingerprinting using the IP address which on
> some devices is unique (derived from the device MAC address)., but many
> devices now employ the IPv6 privacy extensions that create short duration
> random addresses and use them. Hopefully this will become the norm, I know IE
> defaults to that ­ though android does not.
>  
> I agree with Jeff that we need to have something in the text that rules out
> fingerprinting when DNT:1, like my proposal on unique identifiers (issue-199)
>  
> Mike
>  
> 
> From: Justin Brookman [mailto:jbrookman@cdt.org]
> Sent: 01 October 2013 19:27
> To: Jeffrey Chester
> Cc: public-tracking@w3.org (public-tracking@w3.org)
> Subject: Re: Issue:? Fingerprinting
>  
> I believe that digital fingerprinting is implicitly addressed in the standard,
> though not directly called our.  Third parties that receive a DNT:1 signal may
> only collect data elements that are reasonably necessary for the enumerated
> permitted uses.  That includes data elements that could be used to fingerprint
> a device.  Some companies may believe that they need to use
> fingerprinting-type techniques for fraud and security purposes even for DNT:1
> users (though they would have to justify that under the standard).  But also
> keep in mind that much fingerprinting, as I understand it, is heavily
> dependent upon IP addresses, the use of which was envisioned for permitted
> uses even under the EFF/Moz/Stanford proposal.
> 
>  
> 
> However, if DNT is set at 0 or unset, the standard does not limit the use of
> fingerprinting, HTML5 cookies, drone surveillance, or anything else.
> 
>  
> 
> If I got any of this wrong, anyone, please feel free to correct me.
> 
>  
> 
> On Oct 1, 2013, at 1:49 PM, Jeffrey Chester <jeff@democraticmedia.org> wrote:
> 
> 
> I want to clarify that included in the spec are approp. definitions that
> address device fingerprinting.   DNT should cover device fingerprinting and
> related device/cross platform identification technologies and practices.
> 
>  
> 
> Is it already incorporated in an existing issue or text?
> 
>  
> 
> Jeff
> 
>  
> 
>  
>  
> 
> Jeffrey Chester
> 
> Center for Digital Democracy
> 
> 1621 Connecticut Ave, NW, Suite 550
> 
> Washington, DC 20009
> 
> www.democraticmedia.org <http://www.democraticmedia.org/>
> 
> www.digitalads.org <http://www.digitalads.org/>
> 
> 202-986-2220
>  
>