
Re: ISSUE-111 - Exceptions are broken

From: Sean Harvey <sharvey@google.com>
Date: Thu, 8 Mar 2012 14:45:16 -0500
Message-ID: <CAFy-vucWcKSwzpXDkfDmHBxHTwJjg1q-MmaM=+pqWn_pY6SK5w@mail.gmail.com>
To: Kevin Smith <kevsmith@adobe.com>
Cc: "TOUBIANA, VINCENT (VINCENT)" <Vincent.Toubiana@alcatel-lucent.com>, "Roy T. Fielding" <fielding@gbiv.com>, Shane Wiley <wileys@yahoo-inc.com>, Tracking Protection Working Group WG <public-tracking@w3.org>

at a high level this would be new functionality in the ecosystem. there is
no such thing as a site-specific exemption or site-specific cookie for an
ad server, etc. coming from a third party domain.

i also agree that this is probably not practically implementable by anyone
-- one potential implementation would involve domain-specific cookies in a
sub-domain of the third party, but this would mean potentially thousands of
cookies on the client browser where previously only one existed. Which does
not sound like an ideal outcome.

And I am also not clear as to the current status of the header spec with
respect to the third party's ability to distinguish a blanket DNT clearance
from a site-specific exemption that would allow for the setting of these
subdomain cookies; perhaps someone else on the committee can comment as to
where we are with that.

in any event at first glance i would guess that ad servers & other third
parties will not be implementing these exemptions even when they encounter
them, if they remain as currently formulated.

To my mind a more effective form of exemption would be a third party
specific exemption, for a specific third party. As a hypothetical example,
if I as a consumer have a trust relationship with a well known company like
Amazon I might allow Amazon specifically to market to me offsite based on
the information i have shared with it. And in that case I might allow a
specific exemption for Amazon to recognize my browser when offsite. That
sounds more realistic from a consumer's standpoint (e.g. an exemption a
consumer might want) and more realistic from an implementation standpoint
as well.



On Thu, Mar 8, 2012 at 12:51 PM, Kevin Smith <kevsmith@adobe.com> wrote:

> Vincent,
>
> That is an excellent point.  It probably would not be quite as problematic
> since many elements in the advertising chain have the ability to choose
> between multiple next steps, so if one was blocked, it would probably use
> an alternate path.  In the DNT example however, all would be blocked.
>  Still, it is definitely a similar problem.  Can anyone shed some light on
> this?
>
> -kevin
>
> -----Original Message-----
> From: TOUBIANA, VINCENT (VINCENT) [mailto:Vincent.Toubiana@alcatel-lucent.com]
> Sent: Thursday, March 08, 2012 3:56 AM
> To: Kevin Smith; Roy T. Fielding; Shane Wiley
> Cc: Tracking Protection Working Group WG
> Subject: RE: ISSUE-111 - Exceptions are broken
>
> Kevin,
>
> I think I understand the problem and I'd like to come up with a solution, so
> I'm curious to know if that's specific to DNT exceptions.
> From what I understand, the exact same problem exists with Opt-Out
> cookies: 1st parties have no way to know if the 3rd parties will receive an
> Opt-Out cookie.
> Does someone know how this is actually handled by 1st parties?
>
> Vincent
> ________________________________________
> From: Kevin Smith [kevsmith@adobe.com]
> Sent: Wednesday, March 07, 2012 7:02 PM
> To: Roy T. Fielding; Shane Wiley
> Cc: Tracking Protection Working Group WG
> Subject: RE: ISSUE-111 - Exceptions are broken
>
> In planning a response to this thread, I think I may have run into a snag
> which breaks exceptions completely, both using an * and listing sites
> individually.  I hope I am overlooking something or that the group has
> already worked through this and I missed it.
>
> THE PROBLEM
>
> The fundamental concepts behind DNT are that the user can choose whether
> or not a site can track them and the site can choose what content to show
> to a user that it cannot fully monetize.  As far as I can tell, exceptions
> will not work at all because it does not allow for either of these to
> happen.  Consider the following path shown in the attached image where the
> publisher's ad server redirects to an SSP which redirects to an Ad Exchange
> which redirects to the Advertiser's Ad Server.  In this case there is a 1st
> party, and 4 3rd parties (and believe me, this is a fairly simple ad path -
> the possibilities are nearly limitless).
>
> The problem is that an exception would apply to the 1st party site and the
> 3rd party that is included directly on that 1st party site (in this case
> Publisher's Ad Server).  If the exception does not extend to the remainder
> of the chain, then the exception is worse than worthless because the 1st
> party cannot actually monetize the visitor the way it thinks it can.  It
> will think it can serve a targeted ad, but it will actually serve a house
> ad or random ad.  It will make its decision on inaccurate information.
>
> EXAMPLE
>
> * With DNT:0, the ad request moves through the chain shown and returns a
> targeted ad for which the publisher is paid $x.
> * With DNT:1, the ad cannot be a targeted ad so the publisher's ad server
> chooses to go to a completely different ad network and shows a completely
> random ad for which the publisher is paid $y.
> * $y is much smaller than $x (obviously the publisher makes more money
> when it shows a targeted ad than when it shows a random ad)
> * Now, let's assume that this user has granted an exception for the 1st
> party site and the 3rd party ad server.  The 1st party site receives a
> DNT:0 and the ad server receives a DNT:0 and the site is going to assume it
> can make $x and will show the content which corresponds to this decision.
>  However, once the request hits the 2nd stop in the chain (the ssp in this
> case), those services receive DNT:1, the process is short circuited, and a
> random ad, or even a house ad, ends up being shown.
> * The publisher thought it was making $x, but it made $y and gave its
> content away for much cheaper than it expected.
>
> So to recap the problem, using any of the exception models we have
> discussed so far, there is no way to ask the user whether they are willing
> to grant an exception to the entire chain (especially since the chain may
> be completely dynamic and change on a per request basis).  Even with an *,
> meaning that the exception applies to all 3rd parties on the 1st party
> site, that exception would still not be applied because the 1st party never
> makes a request to most services on the chain (the ssp is requested from
> the ad server, not the 1st party).  So, unless the browser automatically
> carries on the exception header, I cannot think of any way to get the
> exception to cover the entire advertising chain which means it will not
> work.  So, exceptions are broken.  What am I missing?
>
> -kevin


-- 
Sean Harvey
Business Product Manager
Google, Inc.
212-381-5330
sharvey@google.com
Received on Thursday, 8 March 2012 19:45:49 UTC
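
Added example, not part of the original messages or of the working group's specification: a JavaScript model of the ad path described in the quoted message, showing which DNT value each hop receives and where the publisher's expectation diverges from what the chain delivers. The host names, function names and the shape of the exception store are assumptions; the site-specific exception follows the thread's reading (it covers only the 1st party and the directly included 3rd party), and `webWide` models the third-party-specific exemption suggested in the reply.

```javascript
// Constructed ad path from the thread: one 1st party, then four 3rd parties.
const chain = [
  "publisher.example",      // 1st party
  "adserver.example",       // publisher's ad server, included directly on the page
  "ssp.example",            // reached by redirect from the ad server
  "exchange.example",       // reached by redirect from the SSP
  "advertiser-ads.example", // reached by redirect from the exchange
];

// DNT value each hop receives. Assumptions (hypothetical names and store shape):
//  - userPref is the browser-wide setting, "1" (do not track) or "0".
//  - siteExceptions: first-party hosts the user granted an exception on. Following
//    the thread's reading, the grant reaches hop 0 and the directly included
//    third party (hop 1) only; redirect targets fall back to userPref.
//  - webWide: third parties exempted everywhere (the reply's alternative).
function dntHeaders(path, { userPref = "1", siteExceptions = new Set(), webWide = new Set() } = {}) {
  const siteGrant = siteExceptions.has(path[0]);
  return path.map((host, hop) => {
    if (userPref === "0" || webWide.has(host)) return "0";
    return siteGrant && hop <= 1 ? "0" : "1";
  });
}

// What the publisher expects from its own header versus what the chain delivers.
function outcome(path, headers) {
  const stop = headers.indexOf("1");
  const expected = headers[0] === "0" ? "targeted" : "random";
  const actual = stop === -1 ? "targeted" : "random";
  return { expected, actual, stoppedAt: stop === -1 ? null : path[stop], mismatch: expected !== actual };
}

// Constructed scenarios matching the bullets in the quoted EXAMPLE section.
const scenarios = {
  "DNT:0 everywhere": { userPref: "0" },
  "DNT:1 everywhere": {},
  "site exception on publisher": { siteExceptions: new Set(["publisher.example"]) },
  "web-wide exemption for advertiser": { webWide: new Set(["advertiser-ads.example"]) },
};
for (const [name, opts] of Object.entries(scenarios)) {
  const headers = dntHeaders(chain, opts);
  console.log(name, headers.join(","), JSON.stringify(outcome(chain, headers)));
}
```

Only the site-exception scenario reports a mismatch: the publisher and its ad server see DNT:0, the request stops at the SSP, and the ad served is the random one.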
