W3C home > Mailing lists > Public > public-tracking@w3.org > March 2012

Re: ISSUE-111 - Exceptions are broken

From: Sean Harvey <sharvey@google.com>
Date: Thu, 8 Mar 2012 17:11:48 -0500
Message-ID: <CAFy-vuc2LfYH+7H0YFm_Xk1=njebz+jBgzsiw_Mbj_pWoFrVJA@mail.gmail.com>
To: Nicholas Doty <npdoty@w3.org>
Cc: Kevin Smith <kevsmith@adobe.com>, "TOUBIANA, VINCENT (VINCENT)" <Vincent.Toubiana@alcatel-lucent.com>, "Roy T. Fielding" <fielding@gbiv.com>, Shane Wiley <wileys@yahoo-inc.com>, Tracking Protection Working Group WG <public-tracking@w3.org>
e.g. silo-ing is the issue here. unless silo-ing is not a requirement.


On Thu, Mar 8, 2012 at 5:09 PM, Sean Harvey <sharvey@google.com> wrote:

> Thanks Nick. Please do tell me if you think I'm not thinking clearly about
> this. But regardless of whether it is being handled by the browser, you
> would still need separate cookies per "site" if the exception is
> site-specific.
>
> Example use case: I am third party ad server AdDoty (yes there are brand
> names this and more stupid in our industry) and I have a site specific
> exemption from both Yahoo and AOL. How do I differentiate this data on the
> server side, regardless of whether or not the browser is "handling it"?
>
>
>
>
>
> On Thu, Mar 8, 2012 at 5:06 PM, Nicholas Doty <npdoty@w3.org> wrote:
>
>> On Mar 8, 2012, at 11:45 AM, Sean Harvey wrote:
>>
>> > at a high level this would be new functionality in the ecosystem. there
>> is no such thing as a site-specific exemption or site-specific cookie for
>> an ad servers, etc. coming from a third party domain.
>> >
>> > i also agree that this is probably not practically implementable by
>> anyone -- one potential implementation would involve domain-specific
>> cookies in a sub-domain of the third party, but this would mean potentially
>> thousands of cookies on the client browser where previously only one
>> existed. Which does not sound like an ideal outcome.
>>
>> Sorry, I'm not sure I understand here. As proposed, the
>> user-agent-managed site-specific exception would be handled by the browser
>> (choosing when to send DNT:0) rather than asking the ad server or other
>> third-parties to create separate cookies to manage that state for each
>> first-party site. Right now when an ad network receives a request from a
>> browser that has an opt-out cookie for that network, it has to use a
>> different behavior (not showing a targeted ad) no matter what the
>> first-party site is, right? Can these site-specific exception headers
>> prompt per-request behavior in the same way that an opt-out cookie does?
>>
>> Or is the concern that site-specific exceptions would require siloing of
>> data and that requires different cookies for each first-party site?
>>
>> My take on Vincent and Kevin's question: Do first-party publishers get
>> any indication from the user or the third-party that the user has an
>> opt-out cookie installed and is potentially generating less revenue for the
>> publisher?
>>
>> Thanks,
>> Nick
>
>
>
>
> --
> Sean Harvey
> Business Product Manager
> Google, Inc.
> 212-381-5330
> sharvey@google.com
>



-- 
Sean Harvey
Business Product Manager
Google, Inc.
212-381-5330
sharvey@google.com
Received on Thursday, 8 March 2012 22:12:19 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:26 UTC