RE: SOX Requirements RE: ACTION-216 - Financial Reporting "Exceptions"

Tamir,

I appreciate the desire for an ID-less frequency capping (and now financial reporting system) but I believe it's far too premature to commit to the proposed technical approach as several technologists have pointed out on the email chain that this will not work in a production environment. Once you layer in real-time bidding, server-to-server communication schemes, and scale (1000+ active campaigns for a single user) these approaches completely fail. For the time being, if the working group wants to release a standard in 2012 or 2013, a use-limitation approach will need to be taken versus a technologically prescriptive one.

That said, if/once a workable technical approach is developed and tested at scale (and then implemented across the Internet), you're correct that we'd have to move to being able to demonstrate for external auditors that our approach is financially compliant (process audit vs. data audit). It would be a significant shift since tens of billions of dollars move through the current auditing approach developed over the past 15 years. Not something that's going to happen in the time scope of W3C DNT v1.

- Shane

-----Original Message-----
From: Tamir Israel [mailto:tisrael@cippic.ca] 
Sent: Sunday, July 29, 2012 12:41 PM
To: Shane Wiley
Cc: Lee Tien; Craig Spiezle; 'Chris Mejia'; 'David Wainberg'; 'Jonathan Mayer'; 'Dobbs, Brooks'; public-tracking@w3.org; 'Nicholas Doty'
Subject: Re: SOX Requirements RE: ACTION-216 - Financial Reporting "Exceptions"

Shane,

I have not looked into SOX reporting in detail, but at bottom the 
reporting obligations and internal accountability mechanisms seem 
premised on the need to take reasonable steps to ensure accurate 
reporting of assets/transactions.

So if, for example, you can use Jonathan/Arvind's algorithm to ensure 
that 5,000 advertisements were served and none violated a frequency cap, 
you should have your transaction record w/out need to resort to unique 
ID (assuming the algorithm can work).

Best,
Tamir

On 7/29/2012 1:02 PM, Shane Wiley wrote:
> Tamir,
>
> We use unique IDs for both the impression and the individual to validate the transaction.  I believe this is where the physical world and digital world diverge a bit.  The question is if the grocery store collected a user's loyalty information to discount the price of the good received, are they responsible for saving the loyalty card info with the transaction to prove the discount was fairly and legally applied.  I believe the answer is yes but haven't asked our Finance team that exact question before.
>
> - Shane
>
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Sunday, July 29, 2012 9:58 AM
> To: Shane Wiley
> Cc: Lee Tien; Craig Spiezle; 'Chris Mejia'; 'David Wainberg'; 'Jonathan Mayer'; 'Dobbs, Brooks'; public-tracking@w3.org; 'Nicholas Doty'
> Subject: Re: SOX Requirements RE: ACTION-216 - Financial Reporting "Exceptions"
>
> On 7/29/2012 12:22 PM, Shane Wiley wrote:
>> (b) if so, does the retention requirement apply to the actual ad-serving transactional records that are generated by users' interactions with 3rd-party ad networks/companies?
>> (Part of what I'm asking is what data/records the companies are currently retaining because of Sarb-Ox compliance -- and also, I think, the legal standard that defines the compliance line.)
>>
>> [Yes - as this is considered a "receipt" of the transaction as it's the billed element.  It's like asking if a grocery store must keep a record of each item purchased or if they can simply say a customer spent X in their store.  When ads are sold by impression - each impression must be retained to prove its validity and to be the actual record of receipt.]
>>
>> (c) if so, must the records contain user- or device-identifying information, or is that unnecessary?
>> (Again, the legal standard may be ambiguous, but it would be helpful to know what that legal standard is....
>>
>> [Alteration of a legal record could be considered "evidence tampering" and therefore companies tend to stay on the conservative side of this line.]
> This is where you lose me. If, as Jonathan and others have suggested, it
> is possible to confirm the # of transactions without unique IDs, why
> would the SEC care if you are or are not collecting identifiers? To pick
> up your grocery store example, no one forces Walmart to force customers
> to present a driver's license as a condition of cash payments....
>
> Best,
> Tamir
>

Received on Monday, 30 July 2012 14:43:51 UTC