Re: ACTION-286: Propose DAA text regarding de-identification (for unlinkability discussion) from Lauren Gelman on 2012-11-15 (public-tracking@w3.org from November 2012)

From: Lauren Gelman <gelman@blurryedge.com>
Date: Thu, 15 Nov 2012 08:35:26 -0800
To: Ed Felten <ed@felten.com>
Cc: Rachel Thomas <RThomas@the-dma.org>, "public-tracking@w3.org" <public-tracking@w3.org>, Louis Mastria <lou@aboutads.info>, "Chris Mejia (chris.mejia@iab.net)" <chris.mejia@iab.net>, "David Wainberg (david@networkadvertising.org)" <david@networkadvertising.org>, Mike Zaneis <mike@iab.net>, "mgroman@networkadvertising.org" <mgroman@networkadvertising.org>, "Brendan Riordan-Butterworth (Brendan@iab.net)" <Brendan@iab.net>
Message-Id: <DBEFB1F6-11E5-4403-A6D2-39DC32BCE76E@blurryedge.com>

I read that last sentence to mean that the hashed identifier could be used to identify *unique users* (user 1 , user 2, user 3) as long as it is not re-identified by being linked to personally identifiable information: name, email, address,  IP/device identifier, etc.

I also believe that the DAA standard here prevents an entity from associating the hashed identifier with more and more pieces of non-personally identifiable data, such that it could be linked to an individual. Of course that depends on the interpretation of "reasonable steps taken to be reasonably sure that data is not linkable", but I believe the FTC would agree with me based on the language in the reports.  And note the DAA language does not say just that the company can't associate it, but that it is not associate-able.  Which should require companies to consider the data falling into the hands of individuals who are smarter about these technical questions than they are.

So Jonathan's definition is cleaner because it gives industry a bright line definition of how to comply-- which I know my clients prefer.  But my sense is that both accomplish the same thing.



Lauren Gelman
@laurengelman
BlurryEdge Strategies
415-627-8512

On Nov 15, 2012, at 7:45 AM, Ed Felten wrote:

> There is a contradiction between this definition and the interpretation that you put on it.  The definition requires that the data "cannot reasonably be reassociated or connected to an individual..."   But the interpretation that is offered would allow situations where the data is used "to recognize ... specific visitors to Web sites".   That's a contradiction--if you use a data item to recognize a specific visitor, then you are reassociating and connecting that data to that specific visitor.
> 
> 
> 
> On Thu, Nov 15, 2012 at 10:07 AM, Rachel Thomas <RThomas@the-dma.org> wrote:
> As I promised Aleecia during yesterday’s TPWG call, I am submitting the Digital Advertising Alliance (DAA) definition of “de-identification” to fulfill Action 286 in advance of the deadline this Friday. 
> 
>  
> 
> The DAA definition is as follows:
> 
>  
> 
> “De-Identification Process: Data has been De-Identified when an entity has taken reasonable steps to ensure that the data cannot reasonably be re-associated or connected to an individual or connected to or be associated with a particular computer or device. An entity should take reasonable steps to protect the non-identifiable nature of data if it is distributed to non-Affiliates and obtain satisfactory written assurance that such entities will not attempt to reconstruct the data in a way such that an individual may be re-identified and will use or disclose the de-identified data only for uses as specified by the entity. An entity should also take reasonable steps to ensure that any non-Affiliate that receives de-identified data will itself ensure that any further non-Affiliate entities to which such data is disclosed agree to restrictions and conditions set forth in this [definition].”
> 
>  
> 
> It is worth noting that this approach to de-identifying data is modeled on the Federal Trade Commission (FTC) approach to masking online identifiers to protect children under the Children’s Online Privacy Protection Act  (COPPA). For example, the FTC states in question #45 of its COPPA FAQ that Web sites that “hash” or otherwise alter children’s email addresses when collecting them to be stored and used to create a password reminder system are not deemed to be collecting and using personal information and, therefore, do not trigger COPPA’s parental consent requirement. (Hashing being a one-way, irreversible process that protects the original data but permits ongoing indexing of the hashed values on an anonymous or de-identified basis). The rule that emerges from this is that it suffices for purposes of protecting privacy if identifiers are altered after they are collected such that they cannot be reconstructed into their original form in the ordinary course of  business but the altered form remains available to be used by Web sites to recognize and distinguish among specific visitors to Web sites.
> 
>  
> 
> Thanks, and best,
> 
> Rachel
> 
>  
> 
> Rachel Nyswander Thomas
> 
> Vice President, Government Affairs
> 
> Direct Marketing Association
> 
> (202) 861-2443 office
> 
> (202) 560-2335 cell
> 
> rthomas@the-dma.org
> 
>

Received on Thursday, 15 November 2012 16:35:57 UTC