W3C home > Mailing lists > Public > public-tracking-comments@w3.org > June 2014

Turn Inc.'s TPE Last Call Comments

From: Max Ochoa <Max.Ochoa@turn.com>
Date: Wed, 18 Jun 2014 22:55:24 +0000
To: "public-tracking-comments@w3.org" <public-tracking-comments@w3.org>
Message-ID: <9F85ABF006AAFC428B773329F82BA9707FA84C8B@turn-mail-bk.turn.corp>
Dear Co-Chairs,

The net result of the TPE is a dramatic concentration of market power in the hands of first parties that have shown themselves willing to collude to manipulate markets[1] and are historically poor stewards of privacy.  First parties operate under consent decrees from the FTC or other regulatory bodies because of unfair or deceptive practices arising from breaches of privacy promises to their customers[2]; they provide citizens' and consumers' PII to governments around the globe in response to thousands of governmental or law enforcement subpoenas, FISA orders, and national security letters[3]; and they have cooperated with or have been targeted by the NSA.[4]

The TPE's organizing principles and assumptions are wrong.  The TPE achieves its unwise ends by using a party's business model as the only organizing principle - whether a company is a "first party" or "third party".  The TPE and the work of the TPWG as a whole ignores a far simpler "North Star" - the average consumer's concerns and expectations regarding personally identifiable information (PII).

The TPE starts from a fundamentally flawed premise: the delivery of online tailored ads by third parties using only non-PII is today's preeminent privacy threat to citizens and consumers.  This premise ignores the plain facts that non-PII cannot be used to identify a specific individual and that responsible third parties bring unalloyed benefits to the web.  Even if one were to accept the deeply flawed premise (which we do not), the TPE codifies an even more illogical corollary: those same online tailored ads present no threat whatsoever if they are delivered by first parties using PII even when they act as third parties.[5]

The primary justification used to support the premise and corollary is that third parties, because we have no direct connection to consumers, can't be "controlled" through natural market forces and consumer choice. This does not pass the smell test.  Business-to-business companies like Turn are no less subject to market forces than business-to-consumer companies.  Indeed, the economy is replete with examples of third parties with no direct connection to consumers whose behavior is amply regulated by market forces. Purchasers of automobiles do not have a direct relationship with the maker of the airbag that will save their child's life and investors do not have a direct relationship with the many third parties involved in processing a stock trade.  Nonetheless, the automobile company and the investment broker exert market pressure on its vendors to enforce business and behavioral norms.  Third parties in the online advertising ecosystem are not uniquely immune from the pressures of the market.  Our customers and counterparties exerts tremendous market pressures, as it should be.  To argue otherwise is na´ve or purposefully ignorant.

The TPE is anticompetitive.  First parties (even when acting as third parties) are exempt from the TPE as a result of the definition of "tracking" and the use of terms like "context".  Responsible third parties like Turn are the only ones bound by and ultimately disadvantaged by the TPE.  The TPE would eliminate vast portions of the online advertising ecosystem and concentrate power in the hands of a very small number of first parties.  Advertisers and publishers would be left with limited alternatives to get effective, high-paying ads in front of consumers.  It is Turn's belief that the TPE would not stand up under a government regulator's mandate to prevent anticompetitive business practices (e.g., US FTC, US DOJ, and EU competition authorities).

The TPE is unfair and deceptive.  It is also Turn's belief that the TPE would not survive the FTC's scrutiny under their Section 5 authority to protect consumers from unfair and deceptive practices.[6]  The TPE is unfair and deceptive because a consumer will reasonably expect that a DNT:1 preference will apply to all market participants regardless of business model.  If a consumer believes that tailored advertising is a harm and that DNT:1 is the solution, she will be sorely disappointed.  She will still get tailored advertising from first parties, the ones with PII.  How can this possibly make sense to the average consumer?  It is also unfair because the DNT framework could very easily have focused on what really matters to citizens and consumers, which is the unintended, non-transparent, and uncontrolled use of their PII by parties that have shown they cannot be trusted with it.[7]

We are the good guys
Turn is proud to be a part of a complex, competitive, job-creating ecosystem that makes the web and app universe richer and more vibrant.  Turn is a software company providing marketing and advertising solutions to marketers around the globe.  Turn and our competitors (first and third parties) bid for the right to put an ad on a website or in an app.  The more bidders in an auction, the higher the clearing price.  We do this over a million times a second.

Because of Turn and third parties like us, advertisers get a better return for their advertising dollar, euro, or baht, consumers see ads that have a chance of being tailored to their interests, publishers make more money from those tailored ads, and society benefits from the content those publishers create.  We do all this using only non-personally identifiable information.  We wave our "third party" flag proudly.  We help keep the internet free while protecting privacy.  We are the good guys.

Technical Questions and Concerns Regarding the TPE
In addition to the impermissible anticompetitive and consumer-harming defects outlined above, we believe that the TPE is unworkable unless the following questions and concerns are satisfactorily addressed:

1.     The TPE does not guarantee that the do not track (DNT) preference is that of the user.  It is impossible to discern if the DNT state was set by the user or by an intermediary (e.g., plug-in integrated into browser, separate software, operating system, ISP or wifi provider, home routers).  Without this guarantee, the entire framework fails.

a.         If an intermediary alters the preference originally set by the user (e.g., from 0 to 1, or 1 to 0), how can downstream recipient servers know?

b.        In the case of conflicting preferences between multiple user agents (e.g., toolbar plug-in + browser), which preference wins?

c.         In the case of conflicting preferences between multiple user agents on the same device (e.g., browser_1 + browser_2), which preference wins for information collected at the device level?

2.     Existing browsers do not fully disclose the information necessary for users to make an informed decision (e.g., free content for tailored advertising; you will still receive tailored advertising from Google, Facebook, etc.).  How does the TPE guarantee that the user is adequately informed of the choice they are making?

3.     How does the definition of "tracking" in the TPE interoperate with compliance regimes that may have different definitions of tracking?

4.     What is the acceptable latency in updating the "well-known resource" with information should the origin server change its information (e.g., 1 day, 1 week, 1 month, 1 year)?

a.         Do origin servers need to track each user's prior DNT preferences in order to respond back with "U" (updated) field?

b.        How do the eight separate tracking status values (TSV) solve the goal of having a simple choice mechanism that the average consumer would understand?

5.     Which organization will be able to support the billions of requests per day to the well-known resource that global user agents may ping for information about the millions of origin servers?

6.     The TPE does not clarify or specify if a site-wide context is limited to a single domain.

7.     How do the server-to-server connections required to generate a single object on a website each pass their well-known resource information on a single GET request?

8.     What is the obligation on intermediaries in the server-to-server daisy chain (publisher ad server -> SSP -> exchange -> DSP) to respond back to the user agent?

9.     Which entity is responsible if a user agent preference is dropped in the daisy chain of server-to-server redirects?  Origin server, transmitter server, recipient server?

10.  Are inferences about users derived from proprietary technology considered user "personal data"?

11.  Why are browsers not required to support user-granted exceptions?

12.  Why is the user preference transmitted via a header with each HTTP transaction instead of centralizing anonymous user preferences in a well-known resource?

13.  Even if the preference is sent via HTTP requests from user agents, why is it on each transaction rather than each session?

14.  How will the success of this standard be measured and/or monitored?

15.  How can distinct user adoption of DNT:1 be measured if the collection of this data violates the user's preference not to be distinctly tracked?

Respectfully submitted,

Max P. Ochoa, CIPP/US
General Counsel and Chief Privacy Officer
Turn Inc.


[1] U.S. v. Adobe Systems, Inc.; Apple Inc.; Google Inc.; inter alia. Case No. 1:10-cv-01629 (D.D.C. Sep. 24, 2010).

DOJ Competitive Impact Statement, available at http://www.justice.gov/atr/cases/f262600/262650.htm.

[2] http://www.ftc.gov/news-events/press-releases/2012/08/google-will-pay-225-million-settle-ftc-charges-it-misrepresented






[3] http://www.google.com/transparencyreport/userdatarequests/?hl=en;




[4] http://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data

[5] See endnotes 2-4.

[6] http://www.ftc.gov/about-ftc/what-we-do/enforcement-authority

[7] See endnotes 2-4.
Received on Wednesday, 18 June 2014 23:45:59 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:37:44 UTC