Re: Anonymous metrics collection from Firefox

From:  Boris Zbarsky <bzbarsky-AT-mit.edu>
To:  dev-planning-AT-lists.mozilla.org
Subject:  Re: Anonymous metrics collection from Firefox
Date:  Tue, 07 Feb 2012 11:46:37 -0500
Message-ID:  <U-2dneQ-54DtyKzSnZ2dnUVZ_oadnZ2d@mozilla.org>

On 2/7/12 9:32 AM, Daniel E wrote:
> When a new document is generated on another day and
> submitted, the client also sends the old document ID to be deleted so
> that there are not two copies of the data on the server.  This allows
> us to look at retention.  If a document is older than N days, we know
> that there have been no further submissions from that installation.

A question.

Would the concerns some people have about sending the old id and new one 
together be at all alleviated if the sending of the delete request and 
the new report were somewhat decorrelated?  That is, if the delete 
request were sent some random amount of time after the new report?  If 
so, is that setup reasonable?

> This implementation does still require policy and trust.  It requires
> that we not record IP addresses with the data set.  It requires that
> we do not longitudinally track location.  There might be further ways
> we can make it easier to follow those policies.

One problem is that some people will assume that if data is being sent 
then it's being used, no matter what we actually do with it and say we 
do with it.  So if we _can_ design things such that we couldn't misuse 
them even if we were to want to, we should.  I understand that in 
general this is pretty difficult....

-Boris
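
The decorrelation question raised in the message above can be checked with a small simulation. This is an added example, not part of the original e-mail or of any Mozilla code. The population size, the uniform submission times over one day, the uniformly distributed delay and the observer's pairing rule are all assumptions made for illustration.

```python
import bisect
import random

DAY = 86_400  # seconds in the simulated submission window (assumption)


def linkage_accuracy(clients, max_delay, seed=1):
    """Fraction of delete requests a log observer links to the right new report.

    Each simulated client submits its new report at a random time in the day
    and sends the delete for its old document ID `delay` seconds later, with
    `delay` drawn uniformly from [0, max_delay]. The observer pairs every
    delete with the most recent report received at or before it.
    """
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    submits = sorted((rng.uniform(0, DAY), cid) for cid in range(clients))
    times = [t for t, _ in submits]
    correct = 0
    for t, cid in submits:
        delete_time = t + rng.uniform(0, max_delay)
        # Index of the last report whose timestamp is <= delete_time.
        guess = submits[bisect.bisect_right(times, delete_time) - 1][1]
        correct += guess == cid
    return correct / clients


if __name__ == "__main__":
    # Constructed scenario: 2000 installations reporting once per day.
    for label, delay in [("none", 0), ("1 minute", 60),
                         ("1 hour", 3600), ("6 hours", 6 * 3600)]:
        rate = linkage_accuracy(2000, delay)
        print(f"max delay {label:>8}: {rate:.1%} of old/new IDs linked")
```

With a uniform delay, every report that arrived in the window before a delete is an equally plausible match, so the protection scales with the arrival rate multiplied by the maximum delay, and a short jitter on a small population hides little.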



Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds