W3C home > Mailing lists > Public > public-tracking@w3.org > October 2013

Re: Issue:? Fingerprinting

From: Geoff Gieron - AdTruth <ggieron@adtruth.com>
Date: Tue, 1 Oct 2013 22:30:57 +0000
To: Alan Chapell <achapell@chapellassociates.com>, Mike O'Neill <michael.oneill@baycloud.com>, 'Justin Brookman' <jbrookman@cdt.org>, 'Jeffrey Chester' <jeff@democraticmedia.org>
CC: "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <CE706D46.EF54D%ggieron@adtruth.com>
Thank you Alan

As Alan stated, my company 41st Parameter has been doing Device Recognition for over 9 years – our core technology is used to help protect consumers and businesses online from fraud.  Our clients are among the largest banks, travel and ecommerce sites on the web today.  AdTruth, the division I work for, was developed to utilize this same core technology to help digital media navigate the deprecation or loss of existing identifiers, allow for companies to seek out new opportunities among growing number of internet enabled devices and offer, ultimately, what we believe is the right solution for respecting consumer privacy.

I hope to help clarify our role in the industry and am happy to coordinate further conversation with myself and my team to go into further detail.

1. We are technology provider of a neutral identification layer – we provide our clients with software that they install, host and use within their own data center – we do not interact with the consumer directly and we do not access, aggregate or store any data.  This ensures that our client is in control of their adherence to self-regulatory and government privacy laws.  We use Germany as our baseline for global compliance – so in the rare case we need to leverage the IP Address to create entropy in mobile devices where none exists – we only utilize the first 3 octets and discard the last octet before ever ingesting into the recipe engine.

2. We are statistically probabilistic solution – not deterministic – meaning that our collection of innocuous parameters from ONLY the user's browser along with typical server to server communication (http headers, user agent, etc..) delivered to the recipe engine (software located within our client's data center) and the result output is a 40 character Sha-1 hash – all elements used in the ID generation are immediately deleted.  We are designed to never be 100% unique, as the device evolves – this will cause the consumer to appear different and thus generate a new ID.

3. We do not tag, mark, leave residue on the device. We do not leverage existing identifiers, browsing history, mac address', etc…  We never touch any data that is considered PII or sensitive data – in fact we indemnify our clients on the collection of parameters – and use the FTC definition of PII as stated in the write up of the HTC case from earlier this year – ensuring we take a far stricter stance than required by self-regulation.

4. We provide support DNT, OBA opt-out, opt-in, Limit Ad Tracking and essentially any signal that is outwardly communicated for us to listen to and ensure we present back to our clients so they can abide by required law and regulation in their various jurisdictions.  We included use of transmitting the DNT signal from the launch of this division 2 years ago and after we went to Mozilla and spoke with Sid Stamm and his team.  We are not in the business of regulation or enforcement  - but our focus is to support industry and government by enabling our clients to do the right thing.

5. Due to being a statistically probabilistic – we cannot be used as an opt-out or opt-in solution (as stated by the FTC) - and without being a part of the consumer interaction directly – so we have partnered with both Evidon and TRUSTe to help offer a consumer opt-out for our clients using our solution, we contractually obligate our clients abide by NAI, DAA, eDAA self-regulatory principles and conduct, EU Data Protection and Privacy Directives, COPPA – and we are working with the DMA/BBB to allow them a way to regulate the industry without exposing our technology in a way that would put consumers in jeopard of online fraudulent activity.

I believe device fingerprinting is a much more evasive method than what we do and try to maintain – we do not wish to mark people like animals or household their devices – we believe our privacy by design approach to this consumer privacy conversation is one that encourages a step back from the direction that performance marketing has taken and to encourage industry to think more in lines with audience segments – much like the high brand dollar TV ad market and to acknowledge that accuracy and uniqueness perhaps cannot coexist with privacy.  We simply want to ensure a path forward for industry and work collaboratively with Regulators, Government and Privacy Groups/Advocates to ensure that we are meeting and exceeding standards in place so that consumers can benefit from control over their privacy online, but also benefit from free access to content and relevant and personalized marketing communication.

Geoff Gieron
Director of Global Operations & Compliance

geoff.gieron skype
480.776.5525 direct
602.418.8094 mobile

From: Alan Chapell <achapell@chapellassociates.com<mailto:achapell@chapellassociates.com>>
Date: Tuesday, October 1, 2013 12:07 PM
To: Mike O'Neill <michael.oneill@baycloud.com<mailto:michael.oneill@baycloud.com>>, 'Justin Brookman' <jbrookman@cdt.org<mailto:jbrookman@cdt.org>>, 'Jeffrey Chester' <jeff@democraticmedia.org<mailto:jeff@democraticmedia.org>>
Cc: "public-tracking@w3.org<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Re: Issue:? Fingerprinting
Resent-From: <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Resent-Date: Tuesday, October 1, 2013 12:09 PM

Thanks Mike. A few points that may be relevant to this thread.

  1.  Companies such as 41st Parameter have been around for years and help mostly with security and fraud prevention. I don't think DNT was intended to impact those areas.
  2.  If you're going to prohibit "fingerprinting", you'll need to define it. That may prove more difficult than you'd think.
  3.  I'll let the AdTruth / 41st Parameter folks speak for themselves, but I assume that they seem themselves as mostly a "Service Provider" under DNT.
  4.  41st Parameter was acquired today by Experian. (http://www.the41st.com/buzz/announcements/experian-acquire-device-identification-leader-41st-parameter). Is AdTruth now a first party in contexts where Experian is a First Party?



From: Mike O'Neill <michael.oneill@baycloud.com<mailto:michael.oneill@baycloud.com>>
Date: Tuesday, October 1, 2013 2:57 PM
To: 'Justin Brookman' <jbrookman@cdt.org<mailto:jbrookman@cdt.org>>, 'Jeffrey Chester' <jeff@democraticmedia.org<mailto:jeff@democraticmedia.org>>
Cc: <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: RE: Issue:? Fingerprinting
Resent-From: <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Resent-Date: Tue, 01 Oct 2013 18:58:32 +0000


Accurate fingerprinting does not at the moment rely on IP addresses because with IPv4 reuse and sharing is common due to the limited address space. The usual technique is to use rendered script to return more detailed information about the user-agent i.e. fonts employed etc. which tend to uniquely identify the device. This was how the EFF’s panopticlick project did it.

With IPv6 there is a way to do fingerprinting using the IP address which on some devices is unique (derived from the device MAC address)., but many devices now employ the IPv6 privacy extensions that create short duration random addresses and use them. Hopefully this will become the norm, I know IE defaults to that – though android does not.

I agree with Jeff that we need to have something in the text that rules out fingerprinting when DNT:1, like my proposal on unique identifiers (issue-199)


From: Justin Brookman [mailto:jbrookman@cdt.org]
Sent: 01 October 2013 19:27
To: Jeffrey Chester
Cc: public-tracking@w3.org<mailto:public-tracking@w3.org> (public-tracking@w3.org<mailto:public-tracking@w3.org>)
Subject: Re: Issue:? Fingerprinting

I believe that digital fingerprinting is implicitly addressed in the standard, though not directly called our.  Third parties that receive a DNT:1 signal may only collect data elements that are reasonably necessary for the enumerated permitted uses.  That includes data elements that could be used to fingerprint a device.  Some companies may believe that they need to use fingerprinting-type techniques for fraud and security purposes even for DNT:1 users (though they would have to justify that under the standard).  But also keep in mind that much fingerprinting, as I understand it, is heavily dependent upon IP addresses, the use of which was envisioned for permitted uses even under the EFF/Moz/Stanford proposal.

However, if DNT is set at 0 or unset, the standard does not limit the use of fingerprinting, HTML5 cookies, drone surveillance, or anything else.

If I got any of this wrong, anyone, please feel free to correct me.

On Oct 1, 2013, at 1:49 PM, Jeffrey Chester <jeff@democraticmedia.org<mailto:jeff@democraticmedia.org>> wrote:

I want to clarify that included in the spec are approp. definitions that address device fingerprinting.   DNT should cover device fingerprinting and related device/cross platform identification technologies and practices.

Is it already incorporated in an existing issue or text?


Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009

The information contained in this e-mail is confidential and/or proprietary of AdTruth. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If you are not the intended recipient, you should not copy, distribute, disclose or use the information it contains, please e-mail the sender immediately and delete this message from your system.

(image/png attachment: 092FDA24-DFB4-4DB4-8103-1E8DA69D4F5E_15_.png)

Received on Tuesday, 1 October 2013 22:37:21 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:19 UTC