RE: Issue-39: Tracking of Geographic Data

David,

I'm not sure how often this would occur in real practice but I'm fine with the idea that "cross-site historical reference (use) to geo-location is halted for a 3rd party when the DNT:ON signal is present (and no site-specific-exception exists)".

Most geo-location use in the advertising world is real-time and is NOT referenced from past sessions with a user/agent.  For example, an ad server may be told to only serve a specific ad campaign to US users (most often because their brand is not sold outside of the US so it would be wasteful to market to users outside of the US).  To fuel this feature, the ad server will typically license an IP Address Location map to facilitate the filtering process.  When the ad server is called, it passes the IP Address to the Location Map and asks for the country of origin (typically accurate at this level but some countries have blurry lines).  If the IP Address origin is in the US, then the ad server can serve the ad targeted to US users.  The next time a user/agent is encountered, this process is repeated.  I've never heard of a situation where a 3rd party ad server will look at historical location to make an ad serving decision.

>From a "retention" perspective, the IP Address and resulting geo-location country must be retained in this case as the ad server must be able to prove they did not serve this ad outside of the targeting parameters.  This is important from a financial audit perspective and from a fraud prevention perspective.  One of the fraud issues within the online ad industry are possibly malicious ad networks purposely serving their ads outside of the US to falsely increase impression counts for higher payments).

Can anyone think of a 3rd party geo-location scenario where cross-site geo-location information is used over time?  Outside of Google Maps recording your location in a "history" for easier selection in the future (and this can be cleared at any time), I don't believe this information is leveraged for targeting or altering the user experience.  I would also argue the Google Maps experience would receive 1st party treatment if the user meaningfully interacted with the Widget (entering an address feels "meaningful" to me).

Thoughts?

- Shane

-----Original Message-----
From: David Singer [mailto:singer@apple.com] 
Sent: Wednesday, December 14, 2011 2:22 PM
To: Shane Wiley
Cc: Karl Dubost; Jeffrey Chester; public-tracking@w3.org
Subject: Re: Issue-39: Tracking of Geographic Data

I wonder whether it's useful here also to distinguish between data that is present in the (HTTP) transaction, and remembered data about the user, and other world knowledge?

As a strawman, how is it if we say that DNT:1 means that you put a firewall between this transaction and your stored data about this user (actually, users in general, since with the firewall there you don't know which user it is)?  

There is no firewall between what the user tells you in this transaction, and world knowledge.

So, it's OK to work out "this guy is in San Francisco!" based on the IP address.  It is not OK to record "this guys was in San Francisco on Wednesday" in the database.  And it's not OK to notice "he was in London only two days ago".  The first adds to the database, the second reads from it.  They are 'tracking my movements'.

(Since I can and will tell the 1st party more than 3rd parties, there is also a firewall between the 1st and 3rd parties in terms of data passing, but that's out of scope).

This correlates with the discussion this morning:  if I have agreed with an ad network that they will caption all my video ads, and they set a cookie to remember "I am a caption-needing user", then if that cookie is supplied in a transaction with DNT:1 set, it's OK (maybe even expected) to still caption video ads.  (The user can turn off cookies for 3rd-party sites independently, logically).

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Thursday, 15 December 2011 02:06:41 UTC