W3C home > Mailing lists > Public > public-tracking@w3.org > October 2013

Re: Issue:? Fingerprinting

From: Jeffrey Chester <jeff@democraticmedia.org>
Date: Wed, 2 Oct 2013 08:03:57 -0400
Cc: Alan Chapell <achapell@chapellassociates.com>, Mike O'Neill <michael.oneill@baycloud.com>, Justin Brookman <jbrookman@cdt.org>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>, Jeff Jaffe <jeff@w3.org>, Nicholas Doty <npdoty@w3.org>
Message-Id: <C1B2BE9F-0AD8-400D-9D7C-9283D214F06D@democraticmedia.org>
To: Geoff Gieron - AdTruth <ggieron@adtruth.com>
Geoff:  Thanks. This issues around what Adtruth and others do involving user cross device tracking, profiling and targeting need to be vetted.  It's good to hear you support DNT.  But users need protection from such invasive cross platform tracking and the spec should not exempt First or Third parties form this, inc. when performing as a service provider.  We cannot afford to pay WC3's DNT spec a public farce.

Justin and Nick:  Can you please send to this public list how device fingerprinting is addressed by any of the current proposals.  I would appreciate hearing on the record what the exemptions are under the current proposals.

Many thanks.  AdTruth info below.


How We Can Help

We can help you recognize your audience across any internet-connected device – whether a laptop, mobile device or even a smart TV. Of course performance tracking is important; however, with AdTruth marketers can do a whole lot more.

Targeting. Enabling advertisers to better target their ads and deliver relevancy based on demographics, past behavior, and context for higher ROI.

Retargeting. Enabling and improving online audience targeting across any internet-connected device to enable more efficient advertising spend with respect to consumer privacy.

Frequency Capping. Identify the frequency at which your audience is exposed to your ads to make smart decisions on capping impressions.

Data Enrichment. Allowing data to flow across the ecosystem and help monetize more ad inventory at higher rates.

Analytics. Giving advertisers the ability to help link more digital activity to recognized devices over a longer period of time to improve analytics and media attribution research. 


Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009

On Oct 1, 2013, at 8:47 PM, Geoff Gieron - AdTruth wrote:

> Jeff,
> Please note that our recognition technology is not seeking to bypass DNT – as long as the browser transmits the signal of the choice exercised by the consumer or in whatever manner this group determines – those signals will properly be communicated to our client to adhere to that signal accordingly.
> AdTruth is not of any party designation since we are never involved with the consumer – our clients are and thus are required to follow guidance that follows suit with their party designation.  We are not seeking or believe we should receive any exemptions – in fact we have been supporters and proponents of the DNT mechanism and it's value to the consumer's ability to control their privacy online.
> 41st Parameter is still very much focused on fraud prevention and security and will continue to do so under strict adherence to PCI compliance as protecting consumers and businesses from fraudulent behavior is core to the DNA of the organization. Our acquisition by Experian occurred just this morning and they are committed to letting us remain intact and focused on furthering our position in the marketplace, but providing us with investment and resources to continue to combat the growing online fraud problem that impacts consumers and online retailers every day – not to mention the growing fraud issue for online media which has been perpetuated by archaic technologies like cookies.
> I assure you we are here to help solve the issues around consumer privacy online and be an active participant in the discussion – I do not think it is fair to categorize us with those who are trying to perpetuate the types of behavior that you are highlighting or concerned about. Our core focus is around privacy and we believe strongly that a device recognition technology like ours, when used in line with regulatory principles, is the best option out there for digital media companies to move forward with – just as we believe that DNT is the most ideal privacy mechanism that consumers can understand and should have access to – I hope that our common focus on delivering such a mechanism will be allowance for collaboration and placing the consumer first and in the forefront of the conversation. 
> Geoff Gieron
> Director of Global Operations & Compliance
> <092FDA24-DFB4-4DB4-8103-1E8DA69D4F5E[24].png>
> www.adtruth.com
> ggieron@adtruth.com
> geoff.gieron skype
> 480.776.5525 direct
> 602.418.8094 mobile
> From: Jeffrey Chester <jeff@democraticmedia.org>
> Date: Tuesday, October 1, 2013 12:51 PM
> To: Alan Chapell <achapell@chapellassociates.com>
> Cc: Mike O'Neill <michael.oneill@baycloud.com>, Justin Brookman <jbrookman@cdt.org>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>, Jeff Jaffe <jeff@w3.org>
> Subject: Re: Issue:? Fingerprinting
> Resent-From: <public-tracking@w3.org>
> Resent-Date: Tuesday, October 1, 2013 12:51 PM
> Thanks Alan.  This is a serious issue for W3C.  Such techniques used by Adtruth and others, esp when used under First party exemption, weakens any DNT spec. 
> While 41st Parameter may have historically done security, Experian is in digital targeting business, as you know.  Adtruth and others are firmly there.  
> We cannot have exemption for fingerprinting due to the first party exemption.
> Jeff
> Jeffrey Chester
> Center for Digital Democracy
> 1621 Connecticut Ave, NW, Suite 550
> Washington, DC 20009
> www.democraticmedia.org
> www.digitalads.org
> 202-986-2220
> On Oct 1, 2013, at 3:07 PM, Alan Chapell wrote:
>> Thanks Mike. A few points that may be relevant to this thread.
>> Companies such as 41st Parameter have been around for years and help mostly with security and fraud prevention. I don't think DNT was intended to impact those areas.
>> If you're going to prohibit "fingerprinting", you'll need to define it. That may prove more difficult than you'd think.
>> I'll let the AdTruth / 41st Parameter folks speak for themselves, but I assume that they seem themselves as mostly a "Service Provider" under DNT.
>> 41st Parameter was acquired today by Experian. (http://www.the41st.com/buzz/announcements/experian-acquire-device-identification-leader-41st-parameter). Is AdTruth now a first party in contexts where Experian is a First Party?
>> Thanks!
>> Alan
>> From: Mike O'Neill <michael.oneill@baycloud.com>
>> Date: Tuesday, October 1, 2013 2:57 PM
>> To: 'Justin Brookman' <jbrookman@cdt.org>, 'Jeffrey Chester' <jeff@democraticmedia.org>
>> Cc: <public-tracking@w3.org>
>> Subject: RE: Issue:? Fingerprinting
>> Resent-From: <public-tracking@w3.org>
>> Resent-Date: Tue, 01 Oct 2013 18:58:32 +0000
>>> Justin,
>>> Accurate fingerprinting does not at the moment rely on IP addresses because with IPv4 reuse and sharing is common due to the limited address space. The usual technique is to use rendered script to return more detailed information about the user-agent i.e. fonts employed etc. which tend to uniquely identify the device. This was how the EFF’s panopticlick project did it.
>>> With IPv6 there is a way to do fingerprinting using the IP address which on some devices is unique (derived from the device MAC address)., but many devices now employ the IPv6 privacy extensions that create short duration random addresses and use them. Hopefully this will become the norm, I know IE defaults to that – though android does not.
>>> I agree with Jeff that we need to have something in the text that rules out fingerprinting when DNT:1, like my proposal on unique identifiers (issue-199)
>>> Mike
>>> From: Justin Brookman [mailto:jbrookman@cdt.org] 
>>> Sent: 01 October 2013 19:27
>>> To: Jeffrey Chester
>>> Cc: public-tracking@w3.org (public-tracking@w3.org)
>>> Subject: Re: Issue:? Fingerprinting
>>> I believe that digital fingerprinting is implicitly addressed in the standard, though not directly called our.  Third parties that receive a DNT:1 signal may only collect data elements that are reasonably necessary for the enumerated permitted uses.  That includes data elements that could be used to fingerprint a device.  Some companies may believe that they need to use fingerprinting-type techniques for fraud and security purposes even for DNT:1 users (though they would have to justify that under the standard).  But also keep in mind that much fingerprinting, as I understand it, is heavily dependent upon IP addresses, the use of which was envisioned for permitted uses even under the EFF/Moz/Stanford proposal.
>>> However, if DNT is set at 0 or unset, the standard does not limit the use of fingerprinting, HTML5 cookies, drone surveillance, or anything else.
>>> If I got any of this wrong, anyone, please feel free to correct me.
>>> On Oct 1, 2013, at 1:49 PM, Jeffrey Chester <jeff@democraticmedia.org> wrote:
>>> I want to clarify that included in the spec are approp. definitions that address device fingerprinting.   DNT should cover device fingerprinting and related device/cross platform identification technologies and practices.
>>> Is it already incorporated in an existing issue or text?
>>> Jeff
>>> Jeffrey Chester
>>> Center for Digital Democracy
>>> 1621 Connecticut Ave, NW, Suite 550
>>> Washington, DC 20009
>>> www.democraticmedia.org
>>> www.digitalads.org
>>> 202-986-2220
> The information contained in this e-mail is confidential and/or proprietary of AdTruth. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If you are not the intended recipient, you should not copy, distribute, disclose or use the information it contains, please e-mail the sender immediately and delete this message from your system.
Received on Wednesday, 2 October 2013 12:04:25 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:19 UTC