
It’s not anonymous in a low-entropy situation. A user can be indirectly identified. This would violate GDPR.



I don’t see how it can be used as described to identify an individual person.

Multiple requests end up with the same time stamp, which means individuals are not traceable but as an aggregate countable.


Only multiple requests within a given second get the same time stamp. So if you have less than 86k hits per day, then all your time stamps could be unique.

Edit: I misread the article here, where it said each visit incremented the counter by one second. So my calculation is not correct!


No, they are truncating the timestamp to the day. So all visitors to the site on a specific day get the same initial timestamp.


Ah so they are, thanks! That’s much better. Though for a very, very low-traffic site this would still let me track unique visitors.


It is designed to track unique visitors, but not differentiate between them at all.

Both you and I visit the same new site today, we both get a file our browser caches with today's date at 00:00:01. Tomorrow when we go to the same site, our browser says we got the file yesterday, so the server sends a new modified date to the browser, set to tomorrow's date at 00:00:02. Both of us have the same "new" file with the new modification date/time.

If I go back the following day, the only thing the server knows for certain, from just this header, is that I've visited twice before. So I'm not counted as a unique visitor.

That this could be used by assigning a unique timestamp to each visitor is where everyone's mind is going, and it feels like half are annoyed there's another way to leak information, and the other half are annoyed they didn't think of it prior to the end-of-year marketing bonus deadline.
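
Added example, not part of the thread or of the article it discusses: a sketch of the counter scheme as the comment above describes it, showing that two visitors with the same history receive byte-identical headers. It assumes the value travels in `Last-Modified` / `If-Modified-Since` and that the seconds past midnight hold the visit count; `handle_visit` and `simulate` are hypothetical names and the dates are constructed.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

MAX_COUNT = 86_399  # the counter has to fit inside one calendar day


def handle_visit(if_modified_since, now):
    """Return (prior_visits, new Last-Modified value) for one request.

    if_modified_since: header value sent by the browser, or None.
    now: timezone-aware datetime of the request.
    """
    now = now.astimezone(timezone.utc)
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    prior = 0
    if if_modified_since:
        try:
            seen = parsedate_to_datetime(if_modified_since)
            if seen.tzinfo is None:  # "-0000" parses as a naive datetime
                seen = seen.replace(tzinfo=timezone.utc)
            seen = seen.astimezone(timezone.utc)
            # The header is client-controlled: ignore dates from the future.
            if seen.date() <= now.date():
                prior = seen.hour * 3600 + seen.minute * 60 + seen.second
        except (TypeError, ValueError, OverflowError):
            prior = 0  # malformed header: treat as a first visit
    # Day is truncated to midnight; only the visit count survives in the value.
    stamp = midnight + timedelta(seconds=min(prior + 1, MAX_COUNT))
    return prior, format_datetime(stamp, usegmt=True)


def simulate():
    """Two visitors, A and B, each visit on two consecutive days."""
    day1 = datetime(2024, 11, 4, 9, 30, tzinfo=timezone.utc)  # constructed
    day2 = day1 + timedelta(days=1)
    a1 = handle_visit(None, day1)
    b1 = handle_visit(None, day1.replace(hour=17))  # different time of day
    a2 = handle_visit(a1[1], day2)
    b2 = handle_visit(b1[1], day2)
    return a1, b1, a2, b2


if __name__ == "__main__":
    for prior, header in simulate():
        print(prior, header)
```

The values only stay indistinguishable while several visitors share each count; a visitor who is alone at a given count on a given day stands out, which is the low-traffic concern raised earlier in the thread.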


The technique could be used for a lot of tracking.

However, it sounds like they're using it just for quite minimal tracking. It sounds like the only thing they're tracking is how many people viewed the site how many times. They'll know that on a particular day, 1 person viewed the site 500 times, but won't know anything identifying about that person (e.g. IP, name, gender, any sort of unique ID).


How do you go from timestamp to identifying someone?

~Every HTTP response has a Date field with a second-resolution timestamp that might be unique. Are you equally concerned about that?


But how do I then tie that unique timestamp to an actual person? Which is what GDPR is concerned about.

(edit: spelling)


Birthday paradox means that will be far lower.


No it wouldn't.


Yes it would because a unique time stamp allows me to indirectly identify a user.


It is not a unique timestamp though. Each day, all visitors start at 00:00:00. All users that visit the site a second time get the timestamp 00:00:01 and so on.


Where are people getting these insane reads of GDPR? Any bit of entropy is not going to violate GDPR. First, an active client-server connection is required for any kind of supposed "identity" contained here, which would of course include far more unique bits of identity/entropy, such as IP. Secondly, even if the full DB of page view counts were leaked you could not actually use it to identify a user.

You have somehow perverted GDPR to believe it to mean `no client may ever hold a unique state`. Good luck to anyone making a claim that this is NOT possible in anything but the most rudimentary application.


How?



