RE: SOX Requirements RE: ACTION-216 - Financial Reporting "Exceptions"

Lee,

To your questions:

(a) does this retention requirement apply to the 3rd-party companies generally?
(highly likely given our Bellevue discussion, but I don't fully understand how the statute works)

[Yes - any corporation - doesn't hinge on their party relationship in the Internet ecosystem.]

(b) if so, does the retention requirement apply to the actual ad-serving transactional records that are generated by users' interactions with 3rd-party ad networks/companies?
(Part of what I'm asking is what data/records the companies are currently retaining because of Sarb-Ox compliance -- and also, I think, the legal standard that defines the compliance line.)

[Yes - as this is considered a "receipt" of the transaction as it's the billed element.  It's like asking if a grocery store must keep a record of each item purchased or if they can simply say a customer spent X in their store.  When ads are sold by impression - each impression must be retained to prove its validity and to be the actual record of receipt.]

(c) if so, must the records contain user- or device-identifying information, or is that unnecessary?
(Again, the legal standard may be ambiguous, but it would be helpful to know what that legal standard is.... )

[Alteration of a legal record could be considered "evidence tampering" and therefore companies tend to stay on the conservative side of this line.]

The core issue we continue to contend with is data use vs. technical remedy to remove the possibility of use.  Outside of government intervention, as long as a company only uses the data expressly for this limited purpose I believe we've agreed there is no user harm.  As there is no evidence of any government in the world requesting anonymous cookie logs from a 3rd party ad serving company, this seems to imply even the government intervention risk is not real (but theoretically possible even if technically difficult to produce any real results from this type of data).  Otherwise stated - we're wasting a lot of time continually re-exploring these areas (in my opinion).

- Shane

-----Original Message-----
From: Lee Tien [mailto:tien@eff.org]
Sent: Friday, July 27, 2012 3:47 PM
To: Craig Spiezle
Cc: 'Chris Mejia'; 'David Wainberg'; 'Jonathan Mayer'; 'Dobbs, Brooks'; public-tracking@w3.org; 'Nicholas Doty'
Subject: Re: SOX Requirements RE: ACTION-216 - Financial Reporting "Exceptions"

Craig,

Thanks for bringing this up, since we were both in that discussion.  I reluctantly did a tiny bit of Sarb-Ox research but didn't get very far.  That said, I came up with some questions to focus the research, and I'm curious if these are the right questions.

Sarbanes-Oxley Sec. 802 generally requires companies to retain certain financial records.  It created 18 U.S.C. § 1520, which in part provides criminal sanctions for destruction of corporate audit records (and provides that it does not alter any other obligations or duties imposed by federal or state laws or regulations regarding record retention).  The record retention limit was set at 7 years in an SEC rule-making several years ago.

"These records include workpapers and other documents that form the basis of the audit or review, and memoranda, correspondence, communications, other documents, and records (including electronic records), which are created, sent or received in connection with the audit or review, and contain conclusions, opinions, analyses, or financial data related to the audit or review. To coordinate with forthcoming auditing standards concerning the retention of audit documentation, the rule requires that these records be retained for seven years after the auditor concludes the audit or review of the financial statements, rather than the proposed period of five years from the end of the fiscal period in which an audit or review was concluded. As proposed, 2the rule addresses the retention of records related to the audits and reviews of not only issuers' financial statements but also the financial statements of registered investment companies."

sec.gov/rules/final/33-8180.htm

I think my specific questions are:

(a) does this retention requirement apply to the 3rd-party companies generally?
(highly likely given our Bellevue discussion, but I don't fully understand how the statute works)

(b) if so, does the retention requirement apply to the actual ad-serving transactional records that are generated by users' interactions with 3rd-party ad networks/companies?
(Part of what I'm asking is what data/records the companies are currently retaining because of Sarb-Ox compliance -- and also, I think, the legal standard that defines the compliance line.)

(c) if so, must the records contain user- or device-identifying information, or is that unnecessary?
(Again, the legal standard may be ambiguous, but it would be helpful to know what that legal standard is.... )

My thinking is to deconstruct legal/regulatory retention clearly enough so that we have a common understanding of what companies must do.  As with any legal compliance issue there will be fuzzy areas but I'm looking for as much clarity as possible.

Am I asking the right questions?  Corrections welcome.

Thanks,
Lee


On Jul 27, 2012, at 9:26 AM, Craig Spiezle wrote:

> I may have missed this but in the FTF in Seattle there was a heated debate on SOX reporting and data retention requirements.  As I recall Chris and/or Brooks had stated due to reporting and frequency capping, data was required to be retained for 7 years.  While there were strong opinions, it was clear none of us (including myself) were experts.  I thought there was an action item taken to seek an opinion from the SEC or another agency on what is required.
>
> Has this been addressed?
>
> From: Chris Mejia [mailto:chris.mejia@iab.net]
> Sent: Thursday, July 26, 2012 12:34 PM
> To: David Wainberg; Jonathan Mayer
> Cc: Dobbs, Brooks; public-tracking@w3.org; Nicholas Doty
> Subject: Re: ACTION-216 - Financial Reporting "Exceptions"
>
> Brooks- great breakdown, nice work.  Have you examined the other regulatory obligations to reporting on advertising insertion orders- namely SOX compliance in the US?  We know these tie back to the impression and the user (without need for PII).  Specific countries in the EU have similar, if not more stringent regulatory requirements; not sure about other jurisdictions.  Btw- any loosening of these requirements will most certainly lead to opening the door for increased fraud (and I mean actual fraud).
>
> Chris
>
> Chris Mejia | Digital Supply Chain Solutions | Ad Technology Group | Interactive Advertising Bureau - IAB
>
> From: David Wainberg - NAI <david@networkadvertising.org>
> Date: Wednesday, July 25, 2012 4:41 PM
> To: Jonathan Mayer <jmayer@stanford.edu>
> Cc: "Dobbs, Brooks" <Brooks.Dobbs@kbmg.com>, W3C DNT Working Group Mailing List <public-tracking@w3.org>, "Nicholas "Nick" Doty - W3C" <npdoty@w3.org>
> Subject: Re: ACTION-216 - Financial Reporting "Exceptions"
> Resent-From: W3C DNT Working Group Mailing List <public-tracking@w3.org>
> Resent-Date: Wednesday, July 25, 2012 4:42 PM
>
> Instead of 'fraud', I'm going to use 'illegitimate'. Jon, assuming that's what you meant by 'ad fraud', can you explain how ad reporting and the prevention of illegitimate activity are very different problems? Advertisers need to confirm they are not being billed for illegitimate imps or clicks. This requires a certain level of detailed reporting. On the server end, detection and prevention of illegitimate activity requires a certain level of data collection. Aren't these two sides of the same coin?
>
> On 7/24/12 7:09 PM, Jonathan Mayer wrote:
> Brooks,
>
> I believe you've conflated ad reporting with ad fraud prevention, two very different engineering and policy problems.  I'd be glad to discuss the myriad approaches to fraud prevention without ID cookies.  As for logistics, my understanding is that many industry participants would prefer to have such conversations off-list.
>
> Jonathan
>
> On Tuesday, July 24, 2012 at 2:57 PM, Dobbs, Brooks wrote:
>
> It may be useful to look at your proposal in terms of how well that level of data collection might ensure quality measurements.  By way of example, if the search term "Atlanta Insurance Quotes" goes for hypothetically $60/click could the purchaser of 100 clicks feel confident in $6,000 worth of value if they didn't see ~100 different cookies, ~100 different IP addresses and a meaningful distribution of UAs?  If they only saw 100 time stamps, 5 discrete abbreviated UAs and "North Georgia" under IP address how would you detect and remove the cost of one user clicking on the ad 5 times (intentionally or not)?
>
> I think we agree that if we leave a system gameable such that with $N of effort a person can derive $N+1 dollars of economic utility, we should expect gaming.  This is a self-correcting system because eventually prices drop until, relatively speaking, it is too expensive to game.  If you take away the ability to detect gaming, it becomes very cheap to do so and prices drop accordingly.  As per my comments at the F2F, this is not a behavioral targeting question, this is a question about the general confidence in all financial reporting.
>
> I use CPC here, but you can make similar cases for CPM or CPA.  Counting is trivial.  Determining "non-quality" and removing it from billing is more difficult and has evolved for close to 20 years.
>
> -Brooks
>
> --
>
> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the Wunderman Network
> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
> brooks.dobbs@kbmg.com
>
> This email - including attachments - may contain confidential information. If you are not the intended recipient,
>  do not copy, distribute or act on it. Instead, notify the sender immediately and delete the message.
>
>
> From: Jonathan Mayer <jmayer@stanford.edu>
> Date: Tuesday, July 24, 2012 4:57 PM
> To: Brooks Dobbs <brooks.dobbs@kbmg.com>
> Cc: "public-tracking@w3.org" <public-tracking@w3.org>, Nicholas Doty <npdoty@w3.org>
> Subject: Re: ACTION-216 - Financial Reporting "Exceptions"
>
> I would encourage participants following this topic to read a blog post on privacy-improved advertising measurement that I co-authored with Arvind Narayanan.
>
> http://webpolicy.org/2012/07/24/tracking-not-required-advertising-measurement/
> https://github.com/jonathanmayer/Tracking-Not-Required/tree/master/conversion-measurement
>
> I haven't heard any stakeholder suggest that advertising companies shouldn't be able to measure their ads.  Disagreement arises over *how* advertising companies measure their ads-and, in particular, whether ID cookies should be allowed.
>
> Jonathan
>
> On Monday, July 23, 2012 at 3:29 PM, Dobbs, Brooks wrote:
>
> I was apparently assigned the unenviable task of summarizing the need for financial reporting exceptions.  Please find below a condensed examination of the issue and a broad exception that data used exclusively for financial reporting ought to be out of scope for DNT.
>
> I am cognizant that this is a very broad exception, but I think the basis for discussion is laid out below.   In looking at this I am specifically aware of the danger of creating exceptions which may favor one sales basis over another or indeed one entity over another.
>
> ---------------------
>
> Internet based advertising is typically sold based on one of, or a combination of, three bases: 1) CPM - where the billable event is an individual ad serve (though prices are generally quoted in terms of thousands), 2) CPC - where the billable event is an individual click or interaction with the ad unit or 3) CPA - where the billable event is an action or post click activity subsequent and attributable to some interaction with the ad unit.  The dollar value of each billable event generally rises through the above progression and while prices for each vary with other factors, including ad targeting, the specific revenues measured per event are often in the order of the following:  CPM events in the fraction of cents per event, CPC events in the whole dollar per event and CPA events in the 10s of dollars or potentially higher per event.
>
> It goes without saying that it is only the ability for the purchaser to maintain confidence in the quality of the billable event that allows for the value exchange to work, and, as per event prices rise, so does the need for unique events to be associated with supporting data which allows for increased repudiation.  This said, even where the value of unique billable events is relatively low (CPM), the sum of their values may not be low requiring commensurate examination of the underlying quality of each billable event.
>
> A closer look at each form of advertising and the need for quality assurance is below:
>
> - CPM billing contracts may vary, but for the fundamental confidence in the system to be maintained the purchasing advertiser needs to ensure the quality of their ad buy by examining all event level data points which could reasonably allow them to conclude charges were not made to, e.g.: non-human activity or to delivery at times, in places or in contexts outside of agreed upon terms.
>
> - CPC billing is based on the purchaser's confidence that the quality of the click is sufficient to warrant the relatively high per event expenditure.  To validate this the advertiser needs data showing the event was, for instance: not resultant of a non-human activity and not initiated by a party with ulterior financial motivation.
>
> - CPA billing is often based on the advertiser sharing part of its realized revenue with the supplier of such advertising opportunity.  Unlike CPM and CPC, CPA requires data collection at minimum at two times and two addresses.  At the relatively high per event cost of CPA advertising, the advertiser must feel confident not only that the sale was linkable to a previous ad view through the collection of both post ad serve and ad serve event level data, but further the ability to maintain that offline collection of revenues (or lack thereof) can be referenced back to the billing/payment system.
>
> Each of these systems currently utilizes a wide range of event level data to ensure billable quality.  In the US alone, 2011 confidence in these models allowed over 31 billion dollars in advertising and subsequent ad supported services to be provided.   Of note here is that confidence in quality of billable events is distinct from issues of fraud, as most events in need of billing correction do not rise to the level of legal fraud, e.g. a technologist spidering a site and "calling" all resultant CPM ads is not "fraud" on the part of either the technologist or the unknowing website, but is still an event which may be contractually prohibited from billing.  For this reason, exceptions tied to "fraud prevention" are too narrow to maintain confidence in the ecosystem.
>
> Owing to the diversity in techniques used to determine quality, any restriction on the collection and/or use of data which is reasonably stored or processed solely for ensuring the quality of terms of a contract or other agreement as between buyer and seller should not be considered "tracking" and should be out of scope of requirements of a Do Not Track guideline.  Data collected and used under a financial reporting exception, which would otherwise be impacted by this specification, may not be used for any other purpose not covered by this or another exception.
>
>
> --
>
> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the Wunderman Network
> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
> brooks.dobbs@kbmg.com
>
> This email - including attachments - may contain confidential information. If you are not the intended recipient,
>  do not copy, distribute or act on it. Instead, notify the sender immediately and delete the message.
>

Received on Sunday, 29 July 2012 16:26:26 UTC
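The click-quality argument in Brooks Dobbs's message above (100 purchased clicks should show roughly 100 cookies and 100 addresses plus a spread of user agents, and a reduced record of timestamps, a few abbreviated UAs and a region label cannot separate one user clicking five times from five users) can be made concrete. The Python below is an added example written for this page; it is not code from any participant in the thread and does not describe any company's system. The pipe-separated log format, the cookie and address values, the 30-minute dedup window, the "North Georgia" region label and the helper names (parse_click_log, diversity_summary, bill_clicks, reduce_for_dnt, ua_family) are all assumptions made for the example. It runs the same billing pass over the full-data view and over the reduced view so the failure mode is visible in numbers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample click log (not data from the thread): timestamp|cookie|ip|user-agent.
# Twelve clicks on one CPC keyword. Cookie c003 clicks five times within a minute,
# which is the "one user clicking on the ad 5 times" case from the thread.
RAW_LOG = """\
2012-07-24T14:57:01Z|c001|203.0.113.10|Mozilla/5.0 (Windows NT 6.1) Firefox/14.0
2012-07-24T14:57:09Z|c002|203.0.113.11|Mozilla/5.0 (Macintosh) Safari/536.25
2012-07-24T14:57:15Z|c003|198.51.100.7|Mozilla/5.0 (Windows NT 6.1) Chrome/20.0
2012-07-24T14:57:18Z|c003|198.51.100.7|Mozilla/5.0 (Windows NT 6.1) Chrome/20.0
2012-07-24T14:57:20Z|c003|198.51.100.7|Mozilla/5.0 (Windows NT 6.1) Chrome/20.0
2012-07-24T14:57:31Z|c004|203.0.113.12|Mozilla/5.0 (Linux; Android 4.0) Chrome/18.0
2012-07-24T14:57:44Z|c003|198.51.100.7|Mozilla/5.0 (Windows NT 6.1) Chrome/20.0
2012-07-24T14:57:50Z|c005|203.0.113.13|Mozilla/5.0 (iPhone) Safari/7534.48
2012-07-24T14:57:59Z|c003|198.51.100.7|Mozilla/5.0 (Windows NT 6.1) Chrome/20.0
2012-07-24T14:58:02Z|c006|203.0.113.14|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1) Trident/4.0
2012-07-24T14:58:10Z|c007|203.0.113.15|Mozilla/5.0 (Macintosh) Firefox/14.0
2012-07-24T14:58:25Z|c008|203.0.113.16|Mozilla/5.0 (Windows NT 6.1) Firefox/14.0
"""


@dataclass
class Click:
    ts: datetime
    cookie: Optional[str]  # None once the identifier has been stripped
    ip: str                # full address, or a coarse region label
    ua: str                # full user-agent string, or an abbreviated family


def parse_click_log(text: str) -> List[Click]:
    """Parse the constructed pipe-separated format above into Click records."""
    clicks: List[Click] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, cookie, ip, ua = line.split("|", 3)
        clicks.append(Click(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), cookie, ip, ua))
    return clicks


def ua_family(ua: str) -> str:
    """Abbreviate a UA to its last product token, e.g. 'Chrome' (hypothetical helper)."""
    return ua.rsplit(" ", 1)[-1].split("/")[0]


def diversity_summary(clicks: List[Click]) -> Dict[str, int]:
    """The sanity check from the thread: N purchased clicks should come from
    roughly N cookies, roughly N addresses and a meaningful spread of UAs."""
    return {
        "clicks": len(clicks),
        "cookies": len({c.cookie for c in clicks if c.cookie is not None}),
        "ips": len({c.ip for c in clicks}),
        "uas": len({c.ua for c in clicks}),
    }


def bill_clicks(clicks: List[Click], cpc: float,
                window: timedelta = timedelta(minutes=30),
                dedup: bool = True) -> Dict[str, float]:
    """Bill each identity (cookie if present, otherwise the ip field) at most once
    per window; later clicks from the same identity inside the window are removed
    from billing. With dedup=False every counted click is billed."""
    last_seen: Dict[str, datetime] = {}
    billable = removed = 0
    for c in sorted(clicks, key=lambda x: x.ts):
        key = c.cookie if c.cookie is not None else c.ip
        prev = last_seen.get(key)
        if dedup and prev is not None and c.ts - prev < window:
            removed += 1
        else:
            billable += 1
            last_seen[key] = c.ts
    return {"total": len(clicks), "billable": billable, "removed": removed,
            "billed": billable * cpc, "counted": len(clicks) * cpc}


def reduce_for_dnt(clicks: List[Click]) -> List[Click]:
    """The reduced record from the thread: timestamp, abbreviated UA and a region
    label (constructed) in place of the address, and no cookie at all."""
    return [Click(c.ts, None, "North Georgia", ua_family(c.ua)) for c in clicks]


if __name__ == "__main__":
    full = parse_click_log(RAW_LOG)
    print("full-data view:   ", diversity_summary(full), bill_clicks(full, 60.0))
    reduced = reduce_for_dnt(full)
    print("reduced-data view:", diversity_summary(reduced), bill_clicks(reduced, 60.0))
    print("reduced, no dedup:", bill_clicks(reduced, 60.0, dedup=False))
```

On the full-data view the summary shows 12 clicks from 8 cookies, 8 addresses and 7 distinct UAs, and the billing pass bills 8 of the 12 at $60 (the four repeat clicks from c003 are removed, $480 billed against $720 counted). On the reduced view every click shares the one region key, so the same pass collapses the 12 clicks to 1 billable and throws away seven legitimate ones, while switching dedup off bills all 12 including the four repeats. Neither outcome lets the buyer verify the charge, which is the point Brooks makes about quality measurement, not about targeting.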