W3C home > Mailing lists > Public > public-tracking@w3.org > March 2012

Re: ISSUE-111 - Exceptions are broken

From: Sean Harvey <sharvey@google.com>
Date: Thu, 8 Mar 2012 14:45:16 -0500
Message-ID: <CAFy-vucWcKSwzpXDkfDmHBxHTwJjg1q-MmaM=+pqWn_pY6SK5w@mail.gmail.com>
To: Kevin Smith <kevsmith@adobe.com>
Cc: "TOUBIANA, VINCENT (VINCENT)" <Vincent.Toubiana@alcatel-lucent.com>, "Roy T. Fielding" <fielding@gbiv.com>, Shane Wiley <wileys@yahoo-inc.com>, Tracking Protection Working Group WG <public-tracking@w3.org>
at a high level this would be new functionality in the ecosystem. there is
no such thing as a site-specific exemption or site-specific cookie for an
ad servers, etc. coming from a third party domain.

i also agree that this is probably not practically implementable by anyone
-- one potential implementation would involve domain-specific cookies in a
sub-domain of the third party, but this would mean potentially thousands of
cookies on the client browser where previously only one existed. Which does
not sound like an ideal outcome.

And I am also not clear as to the current status of the header spec with
respect to the third party's ability to distinguish a blanket DNT clearance
from a site-specific exemption that would allow for the setting of these
subdomain cookies, perhaps someone else on the committee can comment as to
where we are with that.

in any event at first glance i would guess that ad servers & other third
parties will not be implementing these exemptions even when they encounter
them, if they remain as currently formulated.

To my mind a more effective form of exemption would be a third party
specific exemption, for a specific third party. As a hypothetical example,
if I as a consumer have a trust relationship with a well known company like
Amazon I might allow Amazon specifically to market to me offsite based on
the information i have shared with it. And in that case I might allow a
specific exemption for Amazon to recognize my browser when offsite. That
sounds more realistic from a consumer's standpoint (e.g. an exemption a
consumer might want) and more realistic from an implementation standpoint
as well.

On Thu, Mar 8, 2012 at 12:51 PM, Kevin Smith <kevsmith@adobe.com> wrote:

> Vincent,
> That is an excellent point.  It probably would not be quite as problematic
> since many elements in the advertising chain have the ability to choose
> between multiple next steps, so if one was blocked, it would probably use
> an alternate path.  In the DNT example however, all would be blocked.
>  Still, it is definitely a similar problem.  Can anyone shed some light on
> this?
> -kevin
> -----Original Message-----
> Vincent.Toubiana@alcatel-lucent.com]
> Sent: Thursday, March 08, 2012 3:56 AM
> To: Kevin Smith; Roy T. Fielding; Shane Wiley
> Cc: Tracking Protection Working Group WG
> Subject: RE: ISSUE-111 - Exceptions are broken
> Kevin,
> I think I understand the problem and I'd like to come with a solution, so
> I'm curious to know if that's specific to DNT exceptions.
> >From what I understand, the exactly same problem exists with Opt-Out
> cookies: 1st parties have no way to know if the 3rd parties will receive an
> Opt-Out cookie.
> Does someone know how this is actually handled by 1st parties?
> Vincent
> ________________________________________
> From: Kevin Smith [kevsmith@adobe.com]
> Sent: Wednesday, March 07, 2012 7:02 PM
> To: Roy T. Fielding; Shane Wiley
> Cc: Tracking Protection Working Group WG
> Subject: RE: ISSUE-111 - Exceptions are broken
> In planning a response to this thread, I think I may have run into a snag
> which breaks exceptions completely, both using an * and listing sites
> individually.  I hope I am overlooking something or that the group has
> already worked through this and I missed it.
> The fundamental concepts behind DNT are that the user can choose whether
> or not a site can track them and the site can choose what content to show
> to a user that it cannot fully monetize.  As far as I can tell, exceptions
> will not work at all because it does not allow for either of these to
> happen.  Consider the following path shown in the attached image where the
> publisher's ad server redirects to an SSP which redirects to an Ad Exchange
> which redirects to the Advertiser's Ad Server.  In this case there is a 1st
> party, and 4 3rd parties (and believe me, this is a fairly simple ad path -
> the possibilities are nearly limitless).
> The problem is that an exception would apply to the 1st party site and the
> 3rd party that is included directly on that 1st party site (in this case
> Publisher's Ad Server).  If the exception does not extend to the remainder
> of the chain, then the exception is worse than worthless because the 1st
> party cannot actually monetize the visitor the way it thinks it can.  It
> will think it can serve a targeted ad, but it will actually serve a house
> ad or random ad.  It will make its decision on inaccurate information
> * With DNT:0, the ad request moves through the chain shown and returns a
> targeted ad for which the publisher is paid $x.
> * With DNT:1, the ad cannot be a targeted ad so the publisher's ad server
> chooses to go to a completely different ad network and shows a completely
> random ad for which the publisher is paid $y.
> * $y is much smaller than $x (obviously the publisher makes more money
> when it shows a targeted ad than when it shows a random ad)
> * Now, let's assume that this user has granted an exception for the 1st
> party site and the 3rd party ad server.  The 1st party site receives a
> DNT:0 and the ad server receive a DNT:0 and the site is going to assume it
> can make $x and will show the content which corresponds to this decision.
>  However, once the request hits the 2nd stop in the chain (the ssp in this
> case), those services receive DNT:1, the process is short circuited, and a
> random ad, or even a house ad, ends up being shown.
> * The publisher thought it was making $x, but it made $y and gave its
> content away for much cheaper than it expected.
> So to recap the problem, using any of the exception models we have
> discussed so far, there is no way to ask the user whether they are willing
> to grant an exception to the entire chain (especially since the chain may
> be completely dynamic and change on a per request basis).  Even with an *,
> meaning that the exception applies to all 3rd parties on the 1st party
> site, that exception would still not be applied because the 1st party never
> makes a request to most services on the chain (the ssp is requested from
> the ad server, not the 1st party).  So, unless the browser automatically
> carries on the exception header, I cannot think of any way to get the
> exception to cover the entire advertising chain which means it will not
> work.  So, exceptions are broken.  What am I missing?
> -kevin

Sean Harvey
Business Product Manager
Google, Inc.
Received on Thursday, 8 March 2012 19:45:49 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:46 UTC