RE: Issue-188

Hi Mike,

In your example, I consider that there would be one unique identifier that would be used for multiple records (one record containing the number of visits to pages containing pregnancy information, another containing visits to fashion sites), so that would not be anonymous.

I agree that this could be a "yellow" state, however. Unfortunately none of the current proposals use this three-state approach anymore. Having three states would be a good compromise, and we could re-use Rob and Shane's proposal.

Thank you for the amendment, I believe it could work but I still don't see why a third party needs to be able to link between sessions if it's not for a permitted use. Is there any illustrative use case?

Thank you,


-----Original Message-----
From: Mike O'Neill [] 
Sent: Friday, 18 July 2014 21:30
To: TOUBIANA Vincent
Cc: ; 'Roy T. Fielding'
Subject: Issue-188


Hi Vincent,

What I was getting at was the text as is would allow data to be collected (into a record keyed by a unique identifier) as long as there was only one record (bit pattern, whatever) per user device linked to the key. If the data retained contained a score (a low-entropy bit pattern categorising but not identifying the user) updated after every transaction (i.e. this user has visited n pages containing pregnancy information, m sites about fashion for young women, etc.) then the score could be updated and all the data other than the scores and keys discarded.

There would only be one “record” per user but the user is still being tracked and therefore profiled. I do not think this data-set could be regarded as de-identified (so that DNT could be ignored), although a case could be made for some intermediate state like the yellow state Shane and Rob were talking about i.e. “pseudonymous” PII, if we needed to go down that path.

I see from your reply to Roy that you did not mean that, and that the data-set should be incapable of being linked to another data-set, which I take to encompass data derived from a subsequent transaction. To allow session related UI, linking to data from subsequent transactions could be allowed within a duration of a few hours (say 2).

How about the following friendly amendment to make that clearer, would this be acceptable?

A data-set is de-identified when it is no longer possible to:
- isolate any data which corresponds to a particular device or user,
- link any such data with data derived from a transaction more than 2 hours later concerning the same device or user,
- deduce, with significant probability, information about a device or user.


Received on Monday, 21 July 2014 10:21:03 UTC
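The two situations argued over in this thread, as an added example that is not code from either correspondent or from the working group: a profile store that keeps one low-entropy score record per device under a stable identifier (Mike's scenario, which still links transactions days apart), beside a hypothetical store that keys each record with an HMAC of the device identifier under a secret that lives only for one 2-hour window, so that records from different windows cannot be joined once the window's secret is discarded (one way to mechanise the amendment's second bullet; the window scheme, the helper names and the sample transactions are all constructed here and are not part of any proposal).

```python
"""Added illustration (not from the thread): persistent-id profiles versus
window-scoped pseudonymous profiles. All identifiers, timestamps and topics
below are constructed sample data."""
import hashlib
import hmac
import os
from collections import defaultdict

WINDOW_SECONDS = 2 * 60 * 60  # the "2 hours" from the proposed amendment

# Constructed sample transactions: (unix timestamp, device id, topic of page visited)
TRANSACTIONS = [
    (0,         "device-A", "pregnancy"),
    (100,       "device-B", "fashion"),
    (1800,      "device-A", "fashion"),    # same device, 30 minutes later
    (3 * 3600,  "device-A", "pregnancy"),  # same device, 3 hours later
    (2 * 86400, "device-A", "fashion"),    # same device, two days later
]


def persistent_profiles(transactions):
    """Mike's scenario: one record per device, keyed by a stable identifier,
    holding only low-entropy per-topic counts. Every later transaction still
    lands in the same record, so visits days apart are linked together."""
    profiles = defaultdict(lambda: defaultdict(int))
    for _ts, device, topic in transactions:
        profiles[device][topic] += 1
    return {device: dict(counts) for device, counts in profiles.items()}


class WindowedProfiles:
    """Hypothetical scheme for the amendment's second bullet: the record key is
    an HMAC of the device id under a secret that exists only for one 2-hour
    window. Transactions in different windows get unrelated keys, and once a
    window's secret is discarded its keys cannot be recomputed by anyone."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._secrets = {}  # window index -> 32-byte secret, kept only while the window is live
        self.profiles = defaultdict(lambda: defaultdict(int))

    def key_for(self, ts, device):
        """Return (window index, pseudonymous key) for a transaction at time ts."""
        window = ts // self.window
        secret = self._secrets.get(window)
        if secret is None:
            secret = os.urandom(32)
            self._secrets[window] = secret
        digest = hmac.new(secret, device.encode(), hashlib.sha256).hexdigest()
        return window, digest[:16]

    def record(self, ts, device, topic):
        """Update the score record for this window and forget earlier windows."""
        window, key = self.key_for(ts, device)
        self.profiles[(window, key)][topic] += 1
        self._discard_closed_windows(window)
        return window, key

    def _discard_closed_windows(self, current):
        # Deleting the secret is what makes old records unlinkable to new ones,
        # even for the operator itself; without this step nothing is gained.
        for old in [w for w in self._secrets if w < current]:
            del self._secrets[old]

    def can_recompute(self, ts, device):
        """True only while the secret for that transaction's window is still held."""
        return (ts // self.window) in self._secrets


def demo():
    """Run both stores over the sample data and report what is linkable."""
    store = WindowedProfiles()
    same_window = store.key_for(0, "device-A") == store.key_for(1800, "device-A")
    later_window = store.key_for(0, "device-A") == store.key_for(3 * 3600, "device-A")
    other_device = store.key_for(0, "device-A") == store.key_for(0, "device-B")
    for ts, device, topic in sorted(TRANSACTIONS):
        store.record(ts, device, topic)
    return {
        "persistent": persistent_profiles(TRANSACTIONS),
        "same_window_linked": same_window,    # session-style UI still works
        "later_window_linked": later_window,  # 3 hours later: a different record
        "other_device_linked": other_device,
        "windowed_records": len(store.profiles),
        "old_secret_kept": store.can_recompute(0, "device-A"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats worth keeping in mind when reading the output: the window boundaries are fixed rather than sliding, so a session that straddles a boundary is split into two unlinkable records (conservative, but it means "within 2 hours" is only approximately honoured), and the unlinkability rests entirely on the old secret actually being deleted; an operator that also retains the raw device identifier, or the secret, is back in the persistent case that Vincent describes.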