From: Boris Zbarsky <bzbarsky-AT-mit.edu>
To: dev-planning-AT-lists.mozilla.org
Subject: Re: Anonymous metrics collection from Firefox
Date: Tue, 07 Feb 2012 11:46:37 -0500
On 2/7/12 9:32 AM, Daniel E wrote:
> When a new document is generated on another day and
> submitted, the client also sends the old document ID to be deleted so
> that there are not two copies of the data on the server. This allows
> us to look at retention. If a document is older than N days, we know
> that there have been no further submissions from that installation.
Would the concerns some people have about sending the old id and new one
together be at all alleviated if the sending of the delete request and
the new report were somewhat decorrelated? That is, if the delete
request were sent some random amount of time after the new report? If
so, is that setup reasonable?
> This implementation does still require policy and trust. It requires
> that we not record IP addresses with the data set. It requires that
> we do not longitudinally track location. There might be further ways
> we can make it easier to follow those policies.
One problem is that some people will assume that if data is being sent
then it's being used, no matter what we actually do with it and say we
do with it. So if we _can_ design things such that we couldn't misuse
them even if we were to want to, we should. I understand that in
general this is pretty difficult....
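The exchange above describes a submission protocol (new document replaces the old one, retention measured by document age) and a proposed change to it (send the delete request some random time after the new report). The following toy model is an added example, not code from the thread or from Firefox; it assumes an in-memory server keyed by document ID, a random delete delay of under one day, and a server that logs which IDs arrive together in one request, so the difference between the two client strategies can be observed directly.

```python
"""Toy model of the report/delete protocol discussed in the thread (added example).

Assumptions (not from the thread): one document per document ID with a
submission timestamp; the client generates a fresh random ID per report;
in "decorrelate" mode the delete of the previous ID is sent after a random
delay of less than one day instead of inside the same request.
"""
import random
import uuid
from dataclasses import dataclass, field

DAY = 86400


@dataclass
class Server:
    docs: dict = field(default_factory=dict)        # doc_id -> submission time
    # What a server would see if it recorded each request's contents verbatim:
    # the set of document IDs that arrived together in a single request.
    request_log: list = field(default_factory=list)

    def submit(self, doc_id, now, delete_id=None):
        self.docs[doc_id] = now
        ids = {doc_id} | ({delete_id} if delete_id else set())
        self.request_log.append(ids)
        if delete_id:
            self.docs.pop(delete_id, None)

    def delete(self, doc_id):
        self.request_log.append({doc_id})
        self.docs.pop(doc_id, None)

    def churned(self, now, n_days):
        """Documents older than N days: installations with no newer submission."""
        return {d for d, t in self.docs.items() if now - t > n_days * DAY}

    def linkable_requests(self):
        """Requests that carried both an old and a new ID, i.e. where the two
        could be joined server-side with no extra effort or policy breach."""
        return [ids for ids in self.request_log if len(ids) == 2]


@dataclass
class Client:
    server: Server
    decorrelate: bool
    rng: random.Random
    current_id: str = None
    pending: list = field(default_factory=list)     # (due_time, old_id)

    def report(self, now):
        new_id = str(uuid.UUID(int=self.rng.getrandbits(128)))
        old_id = self.current_id
        if old_id is None or not self.decorrelate:
            # Original scheme: old ID travels with the new report.
            self.server.submit(new_id, now, delete_id=old_id)
        else:
            # Proposed scheme: report now, delete the old ID after a random delay.
            self.server.submit(new_id, now)
            self.pending.append((now + self.rng.randrange(1, DAY), old_id))
        self.current_id = new_id

    def tick(self, now):
        """Send any delete requests whose delay has elapsed."""
        due = [p for p in self.pending if p[0] <= now]
        self.pending = [p for p in self.pending if p[0] > now]
        for _, old_id in due:
            self.server.delete(old_id)


def simulate(decorrelate, days_active=5, n_days=7, horizon=20, seed=1):
    """One installation reports daily for days_active days, then goes silent."""
    rng = random.Random(seed)
    server = Server()
    client = Client(server, decorrelate, rng)
    for day in range(horizon):
        now = day * DAY
        if day < days_active:
            client.report(now)
        client.tick(now + DAY - 1)          # flush deletes due by end of day
    now = horizon * DAY
    return {
        "docs_remaining": len(server.docs),
        "churned": len(server.churned(now, n_days)),
        "linkable_requests": len(server.linkable_requests()),
    }


if __name__ == "__main__":
    print("linked deletes:      ", simulate(decorrelate=False))
    print("decorrelated deletes:", simulate(decorrelate=True))
```

Both strategies leave the server with the same retention picture (one document per installation, flagged as churned once it is older than N days), but only the linked variant produces requests in which the old and new IDs appear together. Decorrelating removes that in-request link; joining the two IDs by IP address or timing is exactly what the quoted policy constraints (no IP recording, no longitudinal location tracking) are meant to rule out.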