Fraud Prevention (ISSUE-24) from Jonathan Mayer on 2012-03-08 (public-tracking@w3.org from March 2012)

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Thu, 8 Mar 2012 01:08:36 -0800
To: ifette@google.com
Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-Id: <AEF4DE08-FE26-49E0-BEE6-2121B019082E@stanford.edu>

(renaming for the issue tracker)

Ian,

I think you may have misunderstood.

I *would* allow a company to retain passively collected information (i.e. protocol logs) for some period so as to detect and prevent fraud.  Here's the language from the Internet-Draft:

> The following activities are excepted:
> . . .
> Protocol logs used solely for advertising fraud detection, and
> subject to a one month retention period.

I *would not* allow a company to actively collect information (i.e. set/log a unique ID cookie) unless it has good reason, based on passively collected information, to believe a browser is engaged in fraudulent behavior.  (For the law wonks in the group - there would be something like a "reasonable suspicion" requirement before you can Terry stop a browser.)

If you did grok my viewpoint, and you're suggesting that a tiered-response approach to fraud prevention isn't workable, then I'd ***very strongly*** urge you to check in with Google ad fraud folks.  Out of respect for the sensitive nature of information in this space, I won't say more than that on the list.

Jonathan

On Mar 7, 2012, at 10:48 PM, Ian Fette (イアンフェッティ) wrote:

> On Wed, Mar 7, 2012 at 4:21 PM, Jonathan Mayer <jmayer@stanford.edu> wrote:
> 
> That said, there are many ways of creatively reaching consensus on fraud prevention (and similar issues).  I've had some very productive conversations with advertising participants in the working group about implementing a tiered-response approach to fraud prevention (e.g. if there is good cause to believe an IP address is associated in fraudulent activity, such as loading 100 ads in under 1 second, then an ID cookie, fingerprinting, etc. would all be fair game).
> 
> 
> I don't buy the premise that you will be able to detect all sorts of suspicious activity at the time it occurs and only log 'suspicious' activity. Many times you discover a fraudulent scheme / party acting fraudulently, and then you look over your logs to determine the extent of the fraud and take appropriate action. This implies having logs to look over.

Received on Thursday, 8 March 2012 09:09:09 UTC