Re: Next 2 calls canceled (Oct 09 and Oct 16)

> On Oct 19, 2017, at 12:48 PM, Mike O'Neill <michael.oneill@baycloud.com> wrote:
> 
> I don't think a pass-thru will fly, because it is too easy to use the DNT header as a secret tracking cookie. We have to constrain the entropy.

I think the best path is to add “thou shalt not fingerprint” in appropriate standards language. The irony of DNT possibly being used to track people is a concern, including a concern for users. We can at least be clear that we knew the possible risk and did not design the spec to be abused in that way. It’s a fig leaf, I know. But really, if someone’s going to be anti-social there is not a whole lot to be done by us. DNT has always had to assume good actors; it’s a request, not a PET. 

Other actors like IAB could impose requirements on their members, as they did with barring the use of LSOs for behavioral advertising. EFF’s DNT could include an FTC-actionable promise not to fingerprint based on DNT. I believe the stock phrase is there is a role for regulators here. Plus the class action lawsuits for “I used a setting for privacy and you used it to track me” nearly write themselves, especially in California and Europe, even without anyone else stepping up. So I think there *are* solutions to this threat, but they come from parties external to the WG.

 Aleecia

Received on Thursday, 19 October 2017 21:09:06 UTC