- From: Alan Chapell <achapell@chapellassociates.com>
- Date: Tue, 01 Oct 2013 15:53:45 -0400
- To: Mike O'Neill <michael.oneill@baycloud.com>, 'Justin Brookman' <jbrookman@cdt.org>, 'Jeffrey Chester' <jeff@democraticmedia.org>
- CC: <public-tracking@w3.org>
- Message-ID: <CE70A06F.3A70E%achapell@chapellassociates.com>
Thanks Mike (and other respondents). I'll look for your change proposal and provide comment ASAP.

Cheers,

Alan Chapell
Chapell & Associates
917 318 8440

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Tuesday, October 1, 2013 3:17 PM
To: Alan Chapell <achapell@chapellassociates.com>, 'Justin Brookman' <jbrookman@cdt.org>, 'Jeffrey Chester' <jeff@democraticmedia.org>
Cc: <public-tracking@w3.org>
Subject: RE: Issue:? Fingerprinting
Resent-From: <public-tracking@w3.org>
Resent-Date: Tue, 01 Oct 2013 19:18:49 +0000

> Hi Alan,
>
> Security & fraud are permitted uses so that's OK even if DNT:1 (as long as
> purpose limited etc.).
>
> I attempted to define fingerprinting in my change proposal, but I expect it
> could be improved. Service-providers would not be able to use fingerprinting
> without consent in EU anyway.
>
> Mike
>
>
> From: Alan Chapell [mailto:achapell@chapellassociates.com]
> Sent: 01 October 2013 20:08
> To: Mike O'Neill; 'Justin Brookman'; 'Jeffrey Chester'
> Cc: public-tracking@w3.org
> Subject: Re: Issue:? Fingerprinting
>
> Thanks Mike. A few points that may be relevant to this thread.
>
> 1. Companies such as 41st Parameter have been around for years and help mostly
>    with security and fraud prevention. I don't think DNT was intended to impact
>    those areas.
> 2. If you're going to prohibit "fingerprinting", you'll need to define it.
>    That may prove more difficult than you'd think.
> 3. I'll let the AdTruth / 41st Parameter folks speak for themselves, but I
>    assume that they see themselves as mostly a "Service Provider" under DNT.
> 4. 41st Parameter was acquired today by Experian
>    (http://www.the41st.com/buzz/announcements/experian-acquire-device-identification-leader-41st-parameter).
>    Is AdTruth now a first party in contexts where Experian is a First Party?
>
> Thanks!
>
> Alan
>
>
> From: Mike O'Neill <michael.oneill@baycloud.com>
> Date: Tuesday, October 1, 2013 2:57 PM
> To: 'Justin Brookman' <jbrookman@cdt.org>, 'Jeffrey Chester' <jeff@democraticmedia.org>
> Cc: <public-tracking@w3.org>
> Subject: RE: Issue:? Fingerprinting
> Resent-From: <public-tracking@w3.org>
> Resent-Date: Tue, 01 Oct 2013 18:58:32 +0000
>
>> Justin,
>>
>> Accurate fingerprinting does not at the moment rely on IP addresses because
>> with IPv4 reuse and sharing is common due to the limited address space. The
>> usual technique is to use rendered script to return more detailed information
>> about the user-agent i.e. fonts employed etc. which tend to uniquely identify
>> the device. This was how the EFF's panopticlick project did it.
>>
>> With IPv6 there is a way to do fingerprinting using the IP address which on
>> some devices is unique (derived from the device MAC address), but many
>> devices now employ the IPv6 privacy extensions that create short duration
>> random addresses and use them. Hopefully this will become the norm, I know IE
>> defaults to that though Android does not.
>>
>> I agree with Jeff that we need to have something in the text that rules out
>> fingerprinting when DNT:1, like my proposal on unique identifiers (issue-199)
>>
>> Mike
>>
>>
>> From: Justin Brookman [mailto:jbrookman@cdt.org]
>> Sent: 01 October 2013 19:27
>> To: Jeffrey Chester
>> Cc: public-tracking@w3.org (public-tracking@w3.org)
>> Subject: Re: Issue:? Fingerprinting
>>
>> I believe that digital fingerprinting is implicitly addressed in the
>> standard, though not directly called out. Third parties that receive a DNT:1
>> signal may only collect data elements that are reasonably necessary for the
>> enumerated permitted uses. That includes data elements that could be used to
>> fingerprint a device. Some companies may believe that they need to use
>> fingerprinting-type techniques for fraud and security purposes even for DNT:1
>> users (though they would have to justify that under the standard). But also
>> keep in mind that much fingerprinting, as I understand it, is heavily
>> dependent upon IP addresses, the use of which was envisioned for permitted
>> uses even under the EFF/Moz/Stanford proposal.
>>
>> However, if DNT is set at 0 or unset, the standard does not limit the use of
>> fingerprinting, HTML5 cookies, drone surveillance, or anything else.
>>
>> If I got any of this wrong, anyone, please feel free to correct me.
>>
>> On Oct 1, 2013, at 1:49 PM, Jeffrey Chester <jeff@democraticmedia.org> wrote:
>>
>> I want to clarify that included in the spec are approp. definitions that
>> address device fingerprinting. DNT should cover device fingerprinting and
>> related device/cross platform identification technologies and practices.
>>
>> Is it already incorporated in an existing issue or text?
>>
>> Jeff
>>
>>
>> Jeffrey Chester
>> Center for Digital Democracy
>> 1621 Connecticut Ave, NW, Suite 550
>> Washington, DC 20009
>> www.democraticmedia.org <http://www.democraticmedia.org/>
>> www.digitalads.org <http://www.digitalads.org/>
>> 202-986-2220
Received on Tuesday, 1 October 2013 19:54:24 UTC
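
Added example (not part of the thread or of any participant's message): the thread notes that some IPv6 addresses are derived from the device MAC address while privacy extensions use short-lived random ones. The Python sketch below audits a list of a host's own addresses for the modified EUI-64 pattern (RFC 4291) and shows that the embedded MAC stays the same when the network prefix changes. The function names and the sample addresses (documentation prefix 2001:db8::/32, made-up MAC) are constructed for illustration.

```python
import ipaddress


def mac_from_eui64(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]  # lower 64 bits of the address
    # Modified EUI-64 inserts ff:fe between the two halves of the MAC.
    # Heuristic: a random interface ID matches by chance with probability 2**-16.
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the inverted universal/local bit, then rejoin the MAC halves.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Map each address to 'stable-mac:<mac>' or 'no-embedded-mac'."""
    report = {}
    for a in addresses:
        mac = mac_from_eui64(a)
        report[a] = f"stable-mac:{mac}" if mac else "no-embedded-mac"
    return report


# Constructed sample: one device seen on two networks with MAC-derived
# addresses, plus one address with a random-looking interface ID.
SAMPLE = [
    "2001:db8:0:1:21a:2bff:fe3c:4d5e",
    "2001:db8:ffff:2:21a:2bff:fe3c:4d5e",
    "2001:db8:0:1:89c4:7e1d:a3f0:52b6",
]

if __name__ == "__main__":
    for addr, verdict in audit(SAMPLE).items():
        print(f"{addr:40} {verdict}")
```

Addresses reported as stable-mac carry the same identifier on every network the device joins; enabling the IPv6 privacy extensions on that host is the mitigation the thread refers to.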