Tara and I regularly attended EFF events, which nobody seemed to show up for other than people who worked at the EFF, and over the incredible free buffet they provided to guests I'd talk to people who work at the EFF about the privacy initiatives we have at Coursicle. This led to a call with the director of engineering at the EFF.

read more 
- [ ] What are your thoughts on using browser fingerprinting to create a persistent identity for a user without collecting personally identifiable information (like email)? 
- [ ] How much do you think the elimination of the fairness act by the FCC is responsible for the. Should the fairness act be re-enacted and apply to social media, since they're essentially press with regard to their relation with government. 
- [ ] How much is there a long tail of bad misleading content on social media and to what extent is it just 100 posts/day that go viral? 

First wanted to make sure we were using first party cookies, not third party cookies. That was good that we weren't third party, he said that got rid of some of his other questions. 

We don't track the fingerprint hashes over time, just the last two. He was concerned we had all this information for how the fingerprint changed. 

350 public images. He thinks we should increase this because with our user count it's not going to be enough to ensure few people experience the same image twice. 

He thinks the default should be an opt-in, not an opt-out, in general. 

But if there's an opt-in, by default we're not tracking things. He thinks we should probably not track by default, but then set a cookie saying that they can be tracked if they opt in. 

He said we should clear all information about them when they do opt-out and I think he said we should respect the "Do not track" signal that some browsers send. 

Wouldn't try to figure out if it's incognito mode. He sees it as another fingerprinting vector. I kind of pushed back a bit because the entropy is so low, it's a binary thing, and it also changes frequently over time. Sometimes incognito, sometimes not. I did agree that it's a problem for giving users control because it allows limited access to content and that sort of thing, like in NYTimes. 

Asked about the possibility of the browsers doing a whitelist basically allowing some sites to track things like whether someone is incognito, he said that's basically what they did with Privacy Badger, like what they did was his is what they tried with the do not track signal.  EFF DNT policy, if we put it in your domain. They treat the domains differently.  They can't possibly check all the sites to make sure they're compliant, but Didn't really ever become a thing for DNT.  The threat to companies was if they made this public and then they got caught not following it, then FTC could get involved and that would be very bad for the company. It's in Firefox, for DNT. 

He thinks it's a bad idea, the good cases are tiny compared to the bad. He said this is the only good case he knows about fingerprinting. Wants to remove the possibility of fingerprinting entirely, so this hopefully shouldn't be possible in the future. 

Our findings from the fingerprinting. Asks about publishing it.  He is very interested in the data, nobody is going to publish it except us because everyone uses it for bad things. 

How to recover your account: 
Link that you can find in your email. He's concerned about how easy it is to hijack accounts that way. Monty made the point that you can do that with just a reset password email, but I made the point that you increasingly have 2-auth on your email account and their security is good, so piggybacking off of them is good. That said, I did recognize that text messages aren't as secure, and police intercepting cell towers stuff, and he was pretty excited I made that point I think. 

He really liked how we decided not to take passwords because password reuse in edtech means getting into school accounts, which means SSN and bank account information. 

They'll never promote the way a single company does something, but they would promote a technical solution in general. Open source thing, using it as a standard. If there was a general interest in. Anytime they adopt a standard, it takes a lot of work to approve it. 

Ping him again in 2 months. Get lunch. 

Thoughts on using the user ID for syncing devices rather than a 6 digit code? He said it could be better because nothing to correlate, no way to figure out UUID, or the seed of the hash. Not a big deal if the user only does it a couple times, why take the risk. Could split test to see if users like one more than the other.