
Re: Issue:? Fingerprinting

From: Geoff Gieron - AdTruth <ggieron@adtruth.com>
Date: Wed, 2 Oct 2013 00:47:45 +0000
To: Jeffrey Chester <jeff@democraticmedia.org>, Alan Chapell <achapell@chapellassociates.com>
CC: Mike O'Neill <michael.oneill@baycloud.com>, Justin Brookman <jbrookman@cdt.org>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>, Jeff Jaffe <jeff@w3.org>
Message-ID: <CE70B043.EF83B%ggieron@adtruth.com>

Please note that our recognition technology is not seeking to bypass DNT – as long as the browser transmits the signal of the choice exercised by the consumer or in whatever manner this group determines – those signals will properly be communicated to our client to adhere to that signal accordingly.

AdTruth is not of any party designation since we are never involved with the consumer – our clients are and thus are required to follow guidance that follows suit with their party designation.  We are not seeking or believe we should receive any exemptions – in fact we have been supporters and proponents of the DNT mechanism and its value to the consumer's ability to control their privacy online.

41st Parameter is still very much focused on fraud prevention and security and will continue to do so under strict adherence to PCI compliance as protecting consumers and businesses from fraudulent behavior is core to the DNA of the organization. Our acquisition by Experian occurred just this morning and they are committed to letting us remain intact and focused on furthering our position in the marketplace, but providing us with investment and resources to continue to combat the growing online fraud problem that impacts consumers and online retailers every day – not to mention the growing fraud issue for online media which has been perpetuated by archaic technologies like cookies.

I assure you we are here to help solve the issues around consumer privacy online and be an active participant in the discussion – I do not think it is fair to categorize us with those who are trying to perpetuate the types of behavior that you are highlighting or concerned about. Our core focus is around privacy and we believe strongly that a device recognition technology like ours, when used in line with regulatory principles, is the best option out there for digital media companies to move forward with – just as we believe that DNT is the most ideal privacy mechanism that consumers can understand and should have access to – I hope that our common focus on delivering such a mechanism will be allowance for collaboration and placing the consumer first and in the forefront of the conversation.

Geoff Gieron
Director of Global Operations & Compliance

geoff.gieron skype
480.776.5525 direct
602.418.8094 mobile

From: Jeffrey Chester <jeff@democraticmedia.org>
Date: Tuesday, October 1, 2013 12:51 PM
To: Alan Chapell <achapell@chapellassociates.com>
Cc: Mike O'Neill <michael.oneill@baycloud.com>, Justin Brookman <jbrookman@cdt.org>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>, Jeff Jaffe <jeff@w3.org>
Subject: Re: Issue:? Fingerprinting
Resent-From: <public-tracking@w3.org>
Resent-Date: Tuesday, October 1, 2013 12:51 PM

Thanks Alan.  This is a serious issue for W3C.  Such techniques used by AdTruth and others, esp when used under First party exemption, weaken any DNT spec.

While 41st Parameter may have historically done security, Experian is in the digital targeting business, as you know.  AdTruth and others are firmly there.

We cannot have exemption for fingerprinting due to the first party exemption.


Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009

On Oct 1, 2013, at 3:07 PM, Alan Chapell wrote:

Thanks Mike. A few points that may be relevant to this thread.

  1.  Companies such as 41st Parameter have been around for years and help mostly with security and fraud prevention. I don't think DNT was intended to impact those areas.
  2.  If you're going to prohibit "fingerprinting", you'll need to define it. That may prove more difficult than you'd think.
  3.  I'll let the AdTruth / 41st Parameter folks speak for themselves, but I assume that they see themselves as mostly a "Service Provider" under DNT.
  4.  41st Parameter was acquired today by Experian. (http://www.the41st.com/buzz/announcements/experian-acquire-device-identification-leader-41st-parameter). Is AdTruth now a first party in contexts where Experian is a First Party?



From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Tuesday, October 1, 2013 2:57 PM
To: 'Justin Brookman' <jbrookman@cdt.org>, 'Jeffrey Chester' <jeff@democraticmedia.org>
Cc: <public-tracking@w3.org>
Subject: RE: Issue:? Fingerprinting
Resent-From: <public-tracking@w3.org>
Resent-Date: Tue, 01 Oct 2013 18:58:32 +0000


Accurate fingerprinting does not at the moment rely on IP addresses because with IPv4 reuse and sharing is common due to the limited address space. The usual technique is to use rendered script to return more detailed information about the user-agent i.e. fonts employed etc. which tend to uniquely identify the device. This was how the EFF’s Panopticlick project did it.

With IPv6 there is a way to do fingerprinting using the IP address which on some devices is unique (derived from the device MAC address), but many devices now employ the IPv6 privacy extensions that create short duration random addresses and use them. Hopefully this will become the norm, I know IE defaults to that – though Android does not.

I agree with Jeff that we need to have something in the text that rules out fingerprinting when DNT:1, like my proposal on unique identifiers (issue-199)


From: Justin Brookman [mailto:jbrookman@cdt.org]
Sent: 01 October 2013 19:27
To: Jeffrey Chester
Cc: public-tracking@w3.org (public-tracking@w3.org)
Subject: Re: Issue:? Fingerprinting

I believe that digital fingerprinting is implicitly addressed in the standard, though not directly called out.  Third parties that receive a DNT:1 signal may only collect data elements that are reasonably necessary for the enumerated permitted uses.  That includes data elements that could be used to fingerprint a device.  Some companies may believe that they need to use fingerprinting-type techniques for fraud and security purposes even for DNT:1 users (though they would have to justify that under the standard).  But also keep in mind that much fingerprinting, as I understand it, is heavily dependent upon IP addresses, the use of which was envisioned for permitted uses even under the EFF/Moz/Stanford proposal.

However, if DNT is set at 0 or unset, the standard does not limit the use of fingerprinting, HTML5 cookies, drone surveillance, or anything else.

If I got any of this wrong, anyone, please feel free to correct me.

On Oct 1, 2013, at 1:49 PM, Jeffrey Chester <jeff@democraticmedia.org> wrote:

I want to clarify that included in the spec are approp. definitions that address device fingerprinting.   DNT should cover device fingerprinting and related device/cross platform identification technologies and practices.

Is it already incorporated in an existing issue or text?


Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009

The information contained in this e-mail is confidential and/or proprietary of AdTruth. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If you are not the intended recipient, you should not copy, distribute, disclose or use the information it contains, please e-mail the sender immediately and delete this message from your system.


Received on Wednesday, 2 October 2013 01:08:04 UTC
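
Added example, not part of the original thread: Mike O'Neill's point about IPv6 addresses derived from the device MAC address, shown as an audit of an address inventory for modified EUI-64 interface identifiers (RFC 4291, Appendix A) versus randomized ones such as RFC 4941 temporary addresses. The prefixes, MAC address and function names are constructed for illustration.

```python
import ipaddress

def eui64_address(prefix: str, mac: str) -> str:
    """Form the SLAAC address a host builds from a /64 prefix and its MAC."""
    m = bytes.fromhex(mac.replace(":", ""))
    # Flip the universal/local bit and insert ff:fe between OUI and NIC bytes.
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(
        int(net.network_address) | int.from_bytes(iid, "big")))

def mac_from_eui64(addr: str):
    """Return the MAC embedded in the low 64 bits, or None if none is visible."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # no EUI-64 marker: randomized, manual or DHCPv6-assigned
    # A random identifier matches the marker by chance about 1 time in 65536.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Group addresses by recovered MAC; the None key holds non-EUI-64 ones."""
    groups = {}
    for a in addresses:
        groups.setdefault(mac_from_eui64(a), []).append(a)
    return groups

# Constructed sample: one device seen on two networks, plus one address with
# a randomized interface identifier (documentation prefix 2001:db8::/32).
SAMPLE = [
    eui64_address("2001:db8:1:1::/64", "00:11:22:33:44:55"),
    eui64_address("2001:db8:2:7::/64", "00:11:22:33:44:55"),
    "2001:db8:1:1:5c3a:91e7:0b4d:a2f6",
]

if __name__ == "__main__":
    for mac, addrs in audit(SAMPLE).items():
        label = mac or "no embedded MAC"
        print(f"{label}: {len(addrs)} address(es)")
        for a in addrs:
            print("   ", a)
```

The two EUI-64 addresses share the same low 64 bits even though the network prefix changed, which is what makes the address a stable cross-network identifier; hosts that show up under a MAC in this audit are the ones to move to privacy extensions.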
