issue-199

Nick, Thomas

Dr Dix's letter reminded me that we need to have some reference to browser
fingerprinting being ruled out when DNT is set. I have amended the
definitions accordingly. 

Do you want me to modify the wiki?

 

A persistent identifier is an arbitrary value held in, or derived from other
data in, the user agent whose purpose is to identify the user agent in
subsequent transactions to a particular web domain. It may be encoded for
example as the name or value attribute of an HTTP cookie, as an item in
localStorage or recorded in some way in the cache. 

The duration of a persistent identifier is the maximum period of time it
will be retained in the user agent. This could be implemented for example
using the Expires or Max-Age attributes of an HTTP cookie so that it is
automatically deleted by the user agent after the specified time period is
exceeded. 

Browser fingerprinting is a method of tracking based on creating a
persistent identifier from other information either inherent in the content
request or already stored in the user agent. Such an identifier may not need
itself to be stored in the user-agent as it can be calculated again in
subsequent transactions. It follows from this that its duration is
effectively unlimited. 

Justification.

With the duration definition, restrictions on permitted uses could then be
made that limit the duration of persistent identifiers. Because browser
fingerprinting cannot be given a finite duration this tracking method should
not be used when DNT is set even if it is for a permitted use. In reality
browser fingerprinting solely based on examining initial content requests is
usually not an effective tracking method because the combination of IP
addresses and other headers are not sufficiently user specific, but we
should rule out at least the more complex form when DNT is set.

Mike