Re: [Pearg] Call for adoption: draft-learmonth-pearg-safe-internet-measurement-02.txt

Vittorio Bertola <> Tue, 28 May 2019 08:18 UTC

Date: Tue, 28 May 2019 10:18:54 +0200 (CEST)
From: Vittorio Bertola <>
To: Eric Rescorla <>

On 27 May 2019 at 17:44, Eric Rescorla <> wrote:

On Mon, May 27, 2019 at 8:23 AM Vittorio Bertola <> wrote:
On top of that, the text asking for consent to these cookies should specify that you will not just be shown customized ads, but that personal information about you will be collected.

You may be misunderstanding my point here, as these studies don't really rely on tracking cookies. If you're browsing the Web with JS on, your browser will execute whatever code it gets served. That's just the nature of the Web.
Ok, let's see it from this viewpoint then: the fact that I visit a web page that executes code (client and/or server side) is not a valid authorization for that web page to collect any personal information about me. If it were so, then no consent request for data collection would ever be necessary on the web. Instead, whenever the web page wants to record personal information about me, it needs to ask for explicit and specific consent (again, this is true in the European framework, which is anyway the model for most other privacy regulations).

Privacy protection and consent management work by purpose: if I access a web site with the objective of watching a video, you may imply consent to any data processing activity which is strictly necessary to make me watch the video, but not to other activities such as running your tests (if they gather personal information). That would require another, separate and optional, expression of consent.

All in all, this problem mostly goes away if the data gathered by your tests is anonymized or at least pseudonymized in a way that makes it impossible to associate it back with the actual person (IP address included). This is advice that can be given to testers, and it would be interesting to understand, from your experience, if there is any reason why these tests cannot always be made in anonymized form.
This isn't really the appropriate place to discuss the legal parameters of various methodologies, especially as they vary from jurisdiction to jurisdiction.
True, but if the I*TF wants to provide advice on how to make Internet tests without harming privacy, one would expect it to set the bar at least at the same level as the best privacy protection rules that are currently in force around the world.



Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
Office @ Via Treviso 12, 10144 Torino, Italy