RE: Issue:? Fingerprinting from Mike O'Neill on 2013-10-01 (public-tracking@w3.org from October 2013)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Tue, 1 Oct 2013 20:17:54 +0100
To: "'Alan Chapell'" <achapell@chapellassociates.com>, "'Justin Brookman'" <jbrookman@cdt.org>, "'Jeffrey Chester'" <jeff@democraticmedia.org>
Cc: <public-tracking@w3.org>
Message-ID: <1e1e01cebeda$eecf6400$cc6e2c00$@baycloud.com>
Hi Alan,

 

Security & fraud are permitted uses so that's OK even if DNT:1 ( as long as
purpose limited etc.). 

 

I attempted to define fingerprinting in my change proposal, but I expect it
could be improved. Service-providers would not be able to use fingerprinting
without consent in EU anyway.

 

Mike

 

 

From: Alan Chapell [mailto:achapell@chapellassociates.com] 
Sent: 01 October 2013 20:08
To: Mike O'Neill; 'Justin Brookman'; 'Jeffrey Chester'
Cc: public-tracking@w3.org
Subject: Re: Issue:? Fingerprinting

 

Thanks Mike. A few points that may be relevant to this thread.

 

1.	Companies such as 41st Parameter have been around for years and help
mostly with security and fraud prevention. I don't think DNT was intended to
impact those areas.
2.	If you're going to prohibit "fingerprinting", you'll need to define
it. That may prove more difficult than you'd think.
3.	I'll let the AdTruth / 41st Parameter folks speak for themselves,
but I assume that they seem themselves as mostly a "Service Provider" under
DNT.
4.	41st Parameter was acquired today by Experian.
(http://www.the41st.com/buzz/announcements/experian-acquire-device-identific
ation-leader-41st-parameter). Is AdTruth now a first party in contexts where
Experian is a First Party?

Thanks!

 

Alan

 

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Tuesday, October 1, 2013 2:57 PM
To: 'Justin Brookman' <jbrookman@cdt.org>, 'Jeffrey Chester'
<jeff@democraticmedia.org>
Cc: <public-tracking@w3.org>
Subject: RE: Issue:? Fingerprinting
Resent-From: <public-tracking@w3.org>
Resent-Date: Tue, 01 Oct 2013 18:58:32 +0000

 

Justin, 

 

Accurate fingerprinting does not at the moment rely on IP addresses because
with IPv4 reuse and sharing is common due to the limited address space. The
usual technique is to use rendered script to return more detailed
information about the user-agent i.e. fonts employed etc. which tend to
uniquely identify the device. This was how the EFF's panopticlick project
did it.

 

With IPv6 there is a way to do fingerprinting using the IP address which on
some devices is unique (derived from the device MAC address)., but many
devices now employ the IPv6 privacy extensions that create short duration
random addresses and use them. Hopefully this will become the norm, I know
IE defaults to that - though android does not.

 

I agree with Jeff that we need to have something in the text that rules out
fingerprinting when DNT:1, like my proposal on unique identifiers
(issue-199)

 

Mike

 

From: Justin Brookman [mailto:jbrookman@cdt.org] 
Sent: 01 October 2013 19:27
To: Jeffrey Chester
Cc: public-tracking@w3.org (public-tracking@w3.org)
Subject: Re: Issue:? Fingerprinting

 

I believe that digital fingerprinting is implicitly addressed in the
standard, though not directly called our.  Third parties that receive a
DNT:1 signal may only collect data elements that are reasonably necessary
for the enumerated permitted uses.  That includes data elements that could
be used to fingerprint a device.  Some companies may believe that they need
to use fingerprinting-type techniques for fraud and security purposes even
for DNT:1 users (though they would have to justify that under the standard).
But also keep in mind that much fingerprinting, as I understand it, is
heavily dependent upon IP addresses, the use of which was envisioned for
permitted uses even under the EFF/Moz/Stanford proposal.

 

However, if DNT is set at 0 or unset, the standard does not limit the use of
fingerprinting, HTML5 cookies, drone surveillance, or anything else.

 

If I got any of this wrong, anyone, please feel free to correct me.

 

On Oct 1, 2013, at 1:49 PM, Jeffrey Chester <jeff@democraticmedia.org>
wrote:






I want to clarify that included in the spec are approp. definitions that
address device fingerprinting.   DNT should cover device fingerprinting and
related device/cross platform identification technologies and practices.

 

Is it already incorporated in an existing issue or text?

 

Jeff

 

 

 

Jeffrey Chester

Center for Digital Democracy

1621 Connecticut Ave, NW, Suite 550

Washington, DC 20009

www.democraticmedia.org <http://www.democraticmedia.org/> 

www.digitalads.org <http://www.digitalads.org/> 

202-986-2220
Received on Tuesday, 1 October 2013 19:18:47 UTC