Re: Issue:? Fingerprinting

From: Alan Chapell <achapell@chapellassociates.com>
Date: Tue, 01 Oct 2013 15:53:45 -0400
To: Mike O'Neill <michael.oneill@baycloud.com>, 'Justin Brookman' <jbrookman@cdt.org>, 'Jeffrey Chester' <jeff@democraticmedia.org>
CC: <public-tracking@w3.org>
Message-ID: <CE70A06F.3A70E%achapell@chapellassociates.com>
Thanks Mike (and other respondents). I'll look for your change proposal and
provide comment ASAP.


Cheers,

Alan Chapell
Chapell & Associates
917 318 8440


From:  Mike O'Neill <michael.oneill@baycloud.com>
Date:  Tuesday, October 1, 2013 3:17 PM
To:  Alan Chapell <achapell@chapellassociates.com>, 'Justin Brookman'
<jbrookman@cdt.org>, 'Jeffrey Chester' <jeff@democraticmedia.org>
Cc:  <public-tracking@w3.org>
Subject:  RE: Issue:? Fingerprinting
Resent-From:  <public-tracking@w3.org>
Resent-Date:  Tue, 01 Oct 2013 19:18:49 +0000

> Hi Alan,
>  
> Security & fraud are permitted uses so that's OK even if DNT:1 (as long as
> purpose limited etc.).
>  
> I attempted to define fingerprinting in my change proposal, but I expect it
> could be improved. Service-providers would not be able to use fingerprinting
> without consent in EU anyway.
>  
> Mike
>  
>  
> 
> From: Alan Chapell [mailto:achapell@chapellassociates.com]
> Sent: 01 October 2013 20:08
> To: Mike O'Neill; 'Justin Brookman'; 'Jeffrey Chester'
> Cc: public-tracking@w3.org
> Subject: Re: Issue:? Fingerprinting
>  
> 
> Thanks Mike. A few points that may be relevant to this thread.
> 
>  
> 1. Companies such as 41st Parameter have been around for years and help mostly
> with security and fraud prevention. I don't think DNT was intended to impact
> those areas.
> 2. If you're going to prohibit "fingerprinting", you'll need to define it.
> That may prove more difficult than you'd think.
> 3. I'll let the AdTruth / 41st Parameter folks speak for themselves, but I
> assume that they see themselves as mostly a "Service Provider" under DNT.
> 4. 41st Parameter was acquired today by Experian.
> (http://www.the41st.com/buzz/announcements/experian-acquire-device-identification-leader-41st-parameter).
> Is AdTruth now a first party in contexts where
> Experian is a First Party?
> Thanks!
> 
>  
> 
> Alan
> 
>  
> 
> From: Mike O'Neill <michael.oneill@baycloud.com>
> Date: Tuesday, October 1, 2013 2:57 PM
> To: 'Justin Brookman' <jbrookman@cdt.org>, 'Jeffrey Chester'
> <jeff@democraticmedia.org>
> Cc: <public-tracking@w3.org>
> Subject: RE: Issue:? Fingerprinting
> Resent-From: <public-tracking@w3.org>
> Resent-Date: Tue, 01 Oct 2013 18:58:32 +0000
> 
>  
>> 
>> Justin, 
>>  
>> Accurate fingerprinting does not at the moment rely on IP addresses because
>> with IPv4 reuse and sharing is common due to the limited address space. The
>> usual technique is to use rendered script to return more detailed information
>> about the user-agent i.e. fonts employed etc. which tend to uniquely identify
>> the device. This was how the EFF's Panopticlick project did it.
>>  
>> With IPv6 there is a way to do fingerprinting using the IP address which on
>> some devices is unique (derived from the device MAC address), but many
>> devices now employ the IPv6 privacy extensions that create short duration
>> random addresses and use them. Hopefully this will become the norm, I know IE
>> defaults to that - though Android does not.
>>  
>> I agree with Jeff that we need to have something in the text that rules out
>> fingerprinting when DNT:1, like my proposal on unique identifiers (issue-199)
>>  
>> Mike
>>  
>> 
>> From: Justin Brookman [mailto:jbrookman@cdt.org]
>> Sent: 01 October 2013 19:27
>> To: Jeffrey Chester
>> Cc: public-tracking@w3.org (public-tracking@w3.org)
>> Subject: Re: Issue:? Fingerprinting
>>  
>> I believe that digital fingerprinting is implicitly addressed in the
>> standard, though not directly called out.  Third parties that receive a DNT:1
>> signal may only collect data elements that are reasonably necessary for the
>> enumerated permitted uses.  That includes data elements that could be used to
>> fingerprint a device.  Some companies may believe that they need to use
>> fingerprinting-type techniques for fraud and security purposes even for DNT:1
>> users (though they would have to justify that under the standard).  But also
>> keep in mind that much fingerprinting, as I understand it, is heavily
>> dependent upon IP addresses, the use of which was envisioned for permitted
>> uses even under the EFF/Moz/Stanford proposal.
>> 
>>  
>> 
>> However, if DNT is set at 0 or unset, the standard does not limit the use of
>> fingerprinting, HTML5 cookies, drone surveillance, or anything else.
>> 
>>  
>> 
>> If I got any of this wrong, anyone, please feel free to correct me.
>> 
>>  
>> 
>> On Oct 1, 2013, at 1:49 PM, Jeffrey Chester <jeff@democraticmedia.org> wrote:
>> 
>> 
>> 
>> I want to clarify that included in the spec are approp. definitions that
>> address device fingerprinting.   DNT should cover device fingerprinting and
>> related device/cross platform identification technologies and practices.
>> 
>>  
>> 
>> Is it already incorporated in an existing issue or text?
>> 
>>  
>> 
>> Jeff
>> 
>>  
>> 
>>  
>>  
>> 
>> Jeffrey Chester
>> 
>> Center for Digital Democracy
>> 
>> 1621 Connecticut Ave, NW, Suite 550
>> 
>> Washington, DC 20009
>> 
>> www.democraticmedia.org <http://www.democraticmedia.org/>
>> 
>> www.digitalads.org <http://www.digitalads.org/>
>> 
>> 202-986-2220
>>  
>>  
Received on Tuesday, 1 October 2013 19:54:24 UTC
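
The thread mentions IPv6 addresses derived from the device MAC address versus the short-lived random addresses created by the privacy extensions. As an added example (not part of the original messages), the Python sketch below audits a list of a host's own IPv6 addresses for the MAC-derived form and shows why it links one device across networks. The function names are hypothetical and the sample addresses are constructed in the 2001:db8::/32 documentation range.

```python
import ipaddress
from collections import defaultdict

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    # Drop any "/prefixlen" or "%zone" suffix before parsing.
    ip = ipaddress.IPv6Address(addr.split("/")[0].split("%")[0])
    iid = ip.packed[8:]                      # low 64 bits = interface identifier
    # SLAAC without privacy extensions inserts ff:fe between the MAC halves.
    # Heuristic: a random identifier matches by chance about 1 time in 65536.
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip applied to the first MAC octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def linkable_devices(addresses):
    """Group addresses by recovered MAC: one key is one device seen on several networks."""
    groups = defaultdict(list)
    for a in addresses:
        mac = eui64_mac(a)
        if mac is not None:
            groups[mac].append(a)
    return dict(groups)

# Constructed sample addresses in the 2001:db8::/32 documentation range.
SAMPLE = [
    "2001:db8:a:1:21a:2bff:fe3c:4d5e",     # first network, MAC-derived
    "2001:db8:b:7:21a:2bff:fe3c:4d5e",     # different network, same device
    "2001:db8:a:1:5c7e:91a3:4be2:d17/64",  # random (privacy extension) style
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a, "->", eui64_mac(a) or "no embedded MAC")
    print(linkable_devices(SAMPLE))
```

An address that yields a MAC here keeps the same low 64 bits on every network the device joins, which is the stable identifier the privacy extensions are meant to remove.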

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:19 UTC