Re: ISSUE-111 - Exceptions are broken

From: Nicholas Doty <npdoty@w3.org>
Date: Thu, 8 Mar 2012 13:44:52 -0800
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Shane Wiley <wileys@yahoo-inc.com>, Tracking Protection Working Group WG <public-tracking@w3.org>
Message-Id: <B6A5817B-9B23-49BD-9416-26AAA24D1109@w3.org>
To: Kevin Smith <kevsmith@adobe.com>
On Mar 7, 2012, at 10:02 AM, Kevin Smith wrote:

> EXAMPLE
> 
> * With DNT:0, the ad request moves through the chain shown and returns a targeted ad for which the publisher is paid $x.
> * With DNT:1, the ad cannot be a targeted ad so the publisher's ad server chooses to go to a completely different ad network and shows a completely random ad for which the publisher is paid $y.
> * $y is much smaller than $x (obviously the publisher makes more money when it shows a targeted ad than when it shows a random ad)
> * Now, let's assume that this user has granted an exception for the 1st party site and the 3rd party ad server.  The 1st party site receives a DNT:0 and the ad server receives a DNT:0 and the site is going to assume it can make $x and will show the content which corresponds to this decision.  However, once the request hits the 2nd stop in the chain (the ssp in this case), those services receive DNT:1, the process is short circuited, and a random ad, or even a house ad, ends up being shown.
> * The publisher thought it was making $x, but it made $y and gave its content away for much cheaper than it expected.
> 
> So to recap the problem, using any of the exception models we have discussed so far, there is no way to ask the user whether they are willing to grant an exception to the entire chain (especially since the chain may be completely dynamic and change on a per request basis).  Even with an *, meaning that the exception applies to all 3rd parties on the 1st party site, that exception would still not be applied because the 1st party never makes a request to most services on the chain (the ssp is requested from the ad server, not the 1st party).  

As I understand it, an exception for "*" on a first-party site would imply that the user agent would send DNT:0 to every domain from which a resource was requested as part of loading the first-party page (including subsequent re-directs, iframes and XHR requests).

It is true that if a site requests an exception for a list of particular 3rd-party domains and it doesn't know all of the domains that the browser will need to contact with a DNT:0 header, then it may not reliably be able to determine its monetization capability from the user's granting the request. I remain uncertain about how often publishers know which third parties are accessed upon loading their pages and would love more input on that question.

(I'm not sure if the arrows in your diagram imply that the browser is making a request to each of those parties in turn or if the ad server communicates with the SSP server-to-server, but I think the concern is focused on the former.)

Thanks,
Nick
Received on Thursday, 8 March 2012 21:45:11 UTC
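
The two exception scopes discussed in this thread, modeled as an added example that is not part of either message or of any specification text: a user agent picks the DNT header for each browser-issued request in an ad chain, once with an explicit list of third parties and once with "*". Hostnames, the exception store and the function names are hypothetical, and the sketch assumes the browser itself requests every hop (server-to-server hops carry no browser header) and that "*" is read the way the reply above describes.

```javascript
// Added illustration. All hostnames are constructed sample values.
// exceptions: Map(firstPartyHost -> "*" | Set of third-party hosts the user granted).
function dntHeader(exceptions, firstParty, requestHost, generalPreference = "1") {
  const grant = exceptions.get(firstParty);
  if (grant === undefined) return generalPreference; // no exception on this site
  if (requestHost === firstParty) return "0";        // the site holding the exception
  if (grant === "*") return "0";                     // site-wide: every host loaded for the page
  return grant.has(requestHost) ? "0" : generalPreference;
}

// Header value the browser would send to each hop while loading firstParty's page.
function walkChain(exceptions, firstParty, chain) {
  return chain.map((host) => ({ host, dnt: dntHeader(exceptions, firstParty, host) }));
}

// First hop that still sees DNT:1, i.e. where targeting would be cut short.
function firstHopWithDnt1(trace) {
  const hit = trace.find((hop) => hop.dnt === "1");
  return hit ? hit.host : null;
}

// Constructed chain: publisher -> ad server -> SSP -> exchange.
const CHAIN = ["news.example", "adserver.example", "ssp.example", "exchange.example"];

// Exception naming only the ad server, as in the quoted scenario.
const listed = new Map([["news.example", new Set(["adserver.example"])]]);
// Exception for "*" on the same first party.
const wildcard = new Map([["news.example", "*"]]);

function demo() {
  return {
    listed: firstHopWithDnt1(walkChain(listed, "news.example", CHAIN)),
    wildcard: firstHopWithDnt1(walkChain(wildcard, "news.example", CHAIN)),
    none: firstHopWithDnt1(walkChain(new Map(), "news.example", CHAIN)),
  };
}

console.log(demo());
```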
