The GDPR Is Making Me TRACK MORE

From IIW

How The GDPR Is Making Me TRACK MORE


Wednesday 4J

Convener: George Fletcher

Notes-taker(s): George Fletcher


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


General discussion about GDPR requirements (not exhaustive)

  • User ability to…
      • Request what is being tracked
      • Download data the company has on me
      • Update some data elements (if they are incorrect)
      • Delete all my data
    • Clear and informed consent
    • Requirement to report data tracked by device identifier and not directly tied to a user (e.g. persistent browser cookie)
  • The issue of concern. If we have to give out tracked data based on device identifiers, how do we ensure that data is only given to the correct entity
    • low confidence — device reports the identifiers to the host
      • no way to verify that the identifiers the device is claiming is “theirs” are really valid (i.e. the correct value and not impersonated/stolen)
    • medium confidence — possibly OAuth2 dynamical client reg with pub/priv keys, apps report identifiers in a JWS (signed JSON Web Token) on a periodic basis, host builds a risk-based profile of device **based on these signed assertions. At data request time match signed identifiers to risk-based profile to define a higher level of confidence
    • high confidence — didn’t discuss this much… probably requires special hardware on the device
  • Conclusion — in order to support safe release of data to a device identifier additional tracking must be done