Skip to main content
Law

Return to Question

Added link to technical question
Source Link
User65535
User65535
  • 7.7k
  • 5
  • 28
  • 60

ScorecardResearch is a major data collection organisation that serves code onto some major UK web sites. Their privacy policy mentions a lot of tracking, including "hardware or device identifiers" but not as far as I can see anything about performance analysis. Looking at their code they sure do collect every identifier they can but they also appear to do performance analysis:

t || (r = (new Date).getTime(), o = "undefined" != typeof performance && performance.now && 1e3 * performance.now() || 0, t = "xxxxxxxxxxxx4xxxyxxxxxxxxxxxxxxx".replace(/[xy]/g, (function(e) {
    var n = 16 * Math.random();
    return r > 0 ? (n = (r + n) % 16 | 0, r = Math.floor(r / 16)) : (n = (o + n) % 16 | 0, o = Math.floor(o / 16)), ("x" === e ? n : 3 & n | 8).toString(16)
})));
var a = new Date((new Date).getTime() + 33696e6);
b(n, y, t, a), e[0]["cs_fpcu"] = t

I think the result of that code, especially combined with all the other identifiers that it is possible to gather from a bit of javascript, could be used to identify an individual if they visited a different site monitored by ScorecardResearch.

It is reasonable to consider the result of this code personal information? Should it be specifically described in the privacy statement, or would it count as a "hardware or device identifier" on something?

I have asked a question about the technical aspects of this code on Security.SE.

ScorecardResearch is a major data collection organisation that serves code onto some major UK web sites. Their privacy policy mentions a lot of tracking, including "hardware or device identifiers" but not as far as I can see anything about performance analysis. Looking at their code they sure do collect every identifier they can but they also appear to do performance analysis:

t || (r = (new Date).getTime(), o = "undefined" != typeof performance && performance.now && 1e3 * performance.now() || 0, t = "xxxxxxxxxxxx4xxxyxxxxxxxxxxxxxxx".replace(/[xy]/g, (function(e) {
    var n = 16 * Math.random();
    return r > 0 ? (n = (r + n) % 16 | 0, r = Math.floor(r / 16)) : (n = (o + n) % 16 | 0, o = Math.floor(o / 16)), ("x" === e ? n : 3 & n | 8).toString(16)
})));
var a = new Date((new Date).getTime() + 33696e6);
b(n, y, t, a), e[0]["cs_fpcu"] = t

I think the result of that code, especially combined with all the other identifiers that it is possible to gather from a bit of javascript, could be used to identify an individual if they visited a different site monitored by ScorecardResearch.

It is reasonable to consider the result of this code personal information? Should it be specifically described in the privacy statement, or would it count as a "hardware or device identifier" on something?

ScorecardResearch is a major data collection organisation that serves code onto some major UK web sites. Their privacy policy mentions a lot of tracking, including "hardware or device identifiers" but not as far as I can see anything about performance analysis. Looking at their code they sure do collect every identifier they can but they also appear to do performance analysis:

t || (r = (new Date).getTime(), o = "undefined" != typeof performance && performance.now && 1e3 * performance.now() || 0, t = "xxxxxxxxxxxx4xxxyxxxxxxxxxxxxxxx".replace(/[xy]/g, (function(e) {
    var n = 16 * Math.random();
    return r > 0 ? (n = (r + n) % 16 | 0, r = Math.floor(r / 16)) : (n = (o + n) % 16 | 0, o = Math.floor(o / 16)), ("x" === e ? n : 3 & n | 8).toString(16)
})));
var a = new Date((new Date).getTime() + 33696e6);
b(n, y, t, a), e[0]["cs_fpcu"] = t

I think the result of that code, especially combined with all the other identifiers that it is possible to gather from a bit of javascript, could be used to identify an individual if they visited a different site monitored by ScorecardResearch.

It is reasonable to consider the result of this code personal information? Should it be specifically described in the privacy statement, or would it count as a "hardware or device identifier" on something?

I have asked a question about the technical aspects of this code on Security.SE.

Source Link
User65535
User65535
  • 7.7k
  • 5
  • 28
  • 60

Can computer performance metrics be personal data?

ScorecardResearch is a major data collection organisation that serves code onto some major UK web sites. Their privacy policy mentions a lot of tracking, including "hardware or device identifiers" but not as far as I can see anything about performance analysis. Looking at their code they sure do collect every identifier they can but they also appear to do performance analysis:

t || (r = (new Date).getTime(), o = "undefined" != typeof performance && performance.now && 1e3 * performance.now() || 0, t = "xxxxxxxxxxxx4xxxyxxxxxxxxxxxxxxx".replace(/[xy]/g, (function(e) {
    var n = 16 * Math.random();
    return r > 0 ? (n = (r + n) % 16 | 0, r = Math.floor(r / 16)) : (n = (o + n) % 16 | 0, o = Math.floor(o / 16)), ("x" === e ? n : 3 & n | 8).toString(16)
})));
var a = new Date((new Date).getTime() + 33696e6);
b(n, y, t, a), e[0]["cs_fpcu"] = t

I think the result of that code, especially combined with all the other identifiers that it is possible to gather from a bit of javascript, could be used to identify an individual if they visited a different site monitored by ScorecardResearch.

It is reasonable to consider the result of this code personal information? Should it be specifically described in the privacy statement, or would it count as a "hardware or device identifier" on something?