W3C home > Mailing lists > Public > public-tracking@w3.org > October 2013

RE: Further text associated with the change proposal on Unique Identifiers, issue-199

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Tue, 8 Oct 2013 16:28:06 +0100
To: "'David Wainberg'" <dwainberg@appnexus.com>
Cc: "'Shane M Wiley'" <wileys@yahoo-inc.com>, <public-tracking@w3.org>, "'Geoff Gieron - AdTruth'" <ggieron@adtruth.com>, <jeff@democraticmedia.org>, "'Joseph Lorenzo Hall'" <joe@cdt.org>, "'Alan Chapell'" <achapell@chapellassociates.com>
Message-ID: <2b9f01cec43a$fd50c7c0$f7f25740$@baycloud.com>
Hi David,

 

I am bundling ad blocker & cookie blocker browser extensions along with
privacy settings on browsers that block third-party cookies. What they all
have in common is giving the user control over network interactions
motivated by a wish to render tracking techniques ineffective. They all more
or less act to enforce a users' requirement for privacy. There are other
reasons to use ad blockers such as not wishing to see any ads even
contextual, but IMO this is less a motivation than the privacy one.

 

If DNT was a clearly defined signal, transparently honoured by advertisers
and others, there would be less reason for people to resort to these
technologies, and less reason for browsers to enable them by default. 

 

Mike

 

 

From: David Wainberg [mailto:dwainberg@appnexus.com] 
Sent: 08 October 2013 16:02
To: Mike O'Neill
Cc: 'Shane M Wiley'; public-tracking@w3.org; 'Geoff Gieron - AdTruth';
jeff@democraticmedia.org; 'Joseph Lorenzo Hall'; 'Alan Chapell'
Subject: Re: Further text associated with the change proposal on Unique
Identifiers, issue-199

 

Hi Mike,

I don't understand the assumption that ad blocking has anything to do with
DNT and privacy. Can you explain?

-David

On 2013-10-08 5:33 AM, Mike O'Neill wrote:

Hi Shane,

 

On the 20% ad-blocking estimate there is this:
http://www.adexchanger.com/online-advertising/battle-lines-drawn-were-not-al
l-about-blocking-ads-says-no-1-ad-blocker/

This mentions that "Twenty percent of Germans have an ad blocker installed
and there's growing interest in Eastern Europe, Russia, Poland and France"
and that 19% of ads there being blocked in Germany, Austria and Hungary. In
April it was announced that the number of ADB downloads on Firefox had
reached 200M https://adblockplus.org/blog/200-million-firefox-downloads.
Here is a report from back in May 2012 that reports >9% ads being blocked
http://clarityray.com/Content/ClarityRay_AdBlockReport.pdf

 

Ad blocking and cookie blocking technologies in browsers and extensions are
increasingly popular, recently having been boosted by the Snowden
revelations and alarm at the pervasive collection and trading in web
activity data. The recent move by some to bypass browser based third-party
cookie blocking with fingerprinting will only further fuel this arms race. 

 

Some of these technologies are indiscriminate in the features they block and
their widespread use will have a disastrous effect on the web and innovation
in it. I should imagine that developers are already working on extensions
that will block XHR, POSTs etc. from third-party iframes.

 

You are correct saying that my position is that DNT should clearly signal
that tracking should not occur and that unique ids should not be stored,
used or derived when DNT:1  - unless purpose limited for a permitted use. My
opinion is that it is the interest of significant players to commit to
transparently honouring DNT to head-off the use of blockers and help restore
trust in the web economy.

 

Mike

 

 

 

From: Shane M Wiley [mailto:wileys@yahoo-inc.com] 
Sent: 07 October 2013 19:12
To: Mike O'Neill; public-tracking@w3.org
Cc: 'Geoff Gieron - AdTruth'; jeff@democraticmedia.org; 'Joseph Lorenzo
Hall'; Alan Chapell
Subject: RE: Further text associated with the change proposal on Unique
Identifiers, issue-199

 

Mike,

 

Would you agree that in your approach you prohibit the assignment of Unique
Identifiers, either based on random assignment in a cookie or on a digital
fingerprinting technique, when DNT:1?  In this case, you're equating Cookie
IDs and Digital Fingerprints, correct?  I wanted to be clear with the group
that this is your position (this is similar to the position I took earlier
in conversations with John Simpson).

 

- Shane  

 

From: Mike O'Neill [mailto:michael.oneill@baycloud.com] 
Sent: Wednesday, October 02, 2013 5:44 AM
To: public-tracking@w3.org
Cc: 'Geoff Gieron - AdTruth'; jeff@democraticmedia.org; 'Joseph Lorenzo
Hall'; Alan Chapell
Subject: Further text associated with the change proposal on Unique
Identifiers, issue-199

 

Here is some additional text to underline that there should be no browser
fingerprinting when DNT:1.

 

I have slightly improved the definitions, added unique back to the
persistent identifier definition to make it clearer and more consistent to
how the term is used elsewhere in the spec. There is now a new line item 3
below the Third Party Compliance paragraph (non-permitted uses) that
requires no unique ids or fingerprinting when DNT:1.

 

A persistent unique identifier is an arbitrary value held in, or derived
from other data in, the user agent whose purpose is to identify the user
agent in subsequent transactions to a particular web domain. It may be
encoded for example as the name or value attribute of an HTTP cookie, as an
item in localStorage or recorded in some way in the cache. 

 

The duration of a persistent unique identifier is the maximum period of time
it will be retained in the user agent. This could be specified for example
using the Expires or Max-Age attributes of an HTTP cookie so that it is
automatically deleted by the user agent after the specified time period is
exceeded.

 

Browser fingerprinting is a method of tracking individuals based on creating
a persistent identifier from a set of other device specific information,
either inherent in a content request or stored within the user-agent and
accessed by executing rendered script. Such an identifier may not itself
need to be stored in the user-agent as it can be calculated again in
subsequent transactions, and so can have an arbitrarily long duration. 

 

Third Party Compliance.

 

3 . the third party MUST NOT create or use persistent unique identifiers,
either directly or derived using browser fingerprinting methods,  for the
purpose of collecting further information from this user or device. 

 

 

 
Received on Tuesday, 8 October 2013 15:28:45 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:19 UTC