1

ScorecardResearch is a major data collection organisation that serves code onto some major UK web sites. Their privacy policy mentions a lot of tracking, including "hardware or device identifiers" but not as far as I can see anything about performance analysis. Looking at their code they sure do collect every identifier they can but they also appear to do performance analysis:

t || (r = (new Date).getTime(), o = "undefined" != typeof performance && performance.now && 1e3 * performance.now() || 0, t = "xxxxxxxxxxxx4xxxyxxxxxxxxxxxxxxx".replace(/[xy]/g, (function(e) {
    var n = 16 * Math.random();
    return r > 0 ? (n = (r + n) % 16 | 0, r = Math.floor(r / 16)) : (n = (o + n) % 16 | 0, o = Math.floor(o / 16)), ("x" === e ? n : 3 & n | 8).toString(16)
})));
var a = new Date((new Date).getTime() + 33696e6);
b(n, y, t, a), e[0]["cs_fpcu"] = t

I think the result of that code, especially combined with all the other identifiers that it is possible to gather from a bit of javascript, could be used to identify an individual if they visited a different site monitored by ScorecardResearch.

Is it reasonable to consider the result of this code personal information? Should it be specifically described in the privacy statement, or would it count as a "hardware or device identifier" or something?

I have asked a question about the technical aspects of this code on Security.SE.

4
  • Presumably this would only identify a unique individual if they had a unique type of computer. Otherwise, you would expect that everyone using a Foocorp Model 1234 computer would have identical (or statistically indistinguishable) performance stats for all possible tests, and therefore would not be identifiable from each other. Now, whether that makes a difference legally, I don't know. Commented Jun 27 at 0:18
  • Do you have an explanation of what this code actually does? It has the word performance in it but all I see is a bunch of maths that possibly could measure the performance of some computer hardware but not the performance of the user.
    – quarague
    Commented Jun 27 at 7:05
  • @quarague I do not feel well qualified to do so, I was wondering which SE site to ask about that. I THINK it is to fingerprint a particular computer by the performance of the hardware but I could be wrong.
    – User65535
    Commented Jun 27 at 7:52
  • You can easily identify people using very expensive top of the range computers. And have a marketing campaign aimed at people who spent more than £6,000 on their computer.
    – gnasher729
    Commented Jun 28 at 6:44
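
The snippet quoted in the question, rewritten in readable form as an added example (it is not ScorecardResearch's code and not part of any post above), to show what the visible lines compute: a 32-character UUID-shaped string in which the clock readings are mixed with `Math.random()`. The function and parameter names are assumptions; the body of `b(...)` is not on the page, so it is not reproduced.

```javascript
// Added example: readable rewrite of the quoted snippet. Clock values and the
// random source are parameters (assumed names) so the logic is testable.
const TEMPLATE = "xxxxxxxxxxxx4xxxyxxxxxxxxxxxxxxx"; // 32 chars, as on the page

function makeId(nowMs, perfMicros, rand) {
  let r = nowMs;      // (new Date).getTime(), consumed one hex digit at a time
  let o = perfMicros; // 1e3 * performance.now(), used once r reaches 0
  return TEMPLATE.replace(/[xy]/g, (ch) => {
    let n = 16 * rand(); // fresh random value in [0, 16) for every digit
    if (r > 0) {
      n = (r + n) % 16 | 0;
      r = Math.floor(r / 16);
    } else {
      n = (o + n) % 16 | 0;
      o = Math.floor(o / 16);
    }
    // "x" becomes any hex digit; "y" becomes 8, 9, a or b (UUID variant bits).
    return (ch === "x" ? n : (3 & n) | 8).toString(16);
  });
}

// The snippet adds 33696e6 ms to the current time to build a Date that is
// passed to b() together with the identifier.
function lifetimeDays() {
  return 33696e6 / (24 * 60 * 60 * 1000);
}

// Same inputs the quoted code uses in a browser (or in Node.js).
function currentId() {
  const perf = typeof performance !== "undefined" && performance.now
    ? 1e3 * performance.now()
    : 0;
  return makeId(Date.now(), perf, Math.random);
}

console.log("identifier:", currentId());
console.log("lifetime in days:", lifetimeDays());
```

Because each digit adds a uniform random value before the modulo, two calls on the same machine at the same instant still produce different strings; the value stays stable only if it is stored and read back, which is what the `t ||` guard at the start of the quoted code does.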

1 Answer

4
  • Device performance data can be personal data if it is tied to the individual user. Scorecard seems to attempt to generate user profiles which would seem to fall under GDPR.
  • Scorecard admits collecting device identifiers. My reading is that this covers not just intentional unique ids but also device fingerprinting through a combination of other parameters. They do not have to put every technical detail into the policy as long as the general description is accurate.
3
  • I think your second point is the start of a good question.
    – User65535
    Commented Jun 27 at 8:15
  • And that question should ask whether multiple users of the same device could be individually identified via device fingerprinting. (which is probably more a technical question than legal...) Commented Jun 27 at 15:29
  • @User65535, if someone asked that question, my reply would be "maybe; for details get a lawyer." I'm convinced that hashing a personal uuid would still be personal data, despite the statistical chance that two individuals get the same hash. A decision to record "iOS or Android" would not be PII. The dividing line is somewhere in between and also depends on risk tolerance and the quality of the legal staff -- how close does one want to skirt the edge to get more customer data?
    – o.m.
    Commented Jun 27 at 16:20
