RE: ISSUE-111 - Exceptions are broken from Kevin Smith on 2012-03-08 (public-tracking@w3.org from March 2012)

From: Kevin Smith <kevsmith@adobe.com>
Date: Thu, 8 Mar 2012 14:13:09 -0800
To: Sean Harvey <sharvey@google.com>, Nicholas Doty <npdoty@w3.org>
CC: "TOUBIANA, VINCENT (VINCENT)" <Vincent.Toubiana@alcatel-lucent.com>, "Roy T. Fielding" <fielding@gbiv.com>, Shane Wiley <wileys@yahoo-inc.com>, Tracking Protection Working Group WG <public-tracking@w3.org>
Message-ID: <6E120BECD1FFF142BC26B61F4D994CF3064CCAB947@nambx07.corp.adobe.com>

I don't think siloing is required when you have an exception.  Exceptions state that you are allowed to treat the individual as DNT:0 (in fact, you will probably get DNT:0)

From: Sean Harvey [mailto:sharvey@google.com]
Sent: Thursday, March 08, 2012 3:12 PM
To: Nicholas Doty
Cc: Kevin Smith; TOUBIANA, VINCENT (VINCENT); Roy T. Fielding; Shane Wiley; Tracking Protection Working Group WG
Subject: Re: ISSUE-111 - Exceptions are broken

e.g. silo-ing is the issue here. unless silo-ing is not a requirement.

On Thu, Mar 8, 2012 at 5:09 PM, Sean Harvey <sharvey@google.com<mailto:sharvey@google.com>> wrote:
Thanks Nick. Please do tell me if you think I'm not thinking clearly about this. But regardless of whether it is being handled by the browser, you would still need separate cookies per "site" if the exception is site-specific.

Example use case: I am third party ad server AdDoty (yes there are brand names this and more stupid in our industry) and I have a site specific exemption from both Yahoo and AOL. How do I differentiate this data on the server side, regardless of whether or not the browser is "handling it"?

On Thu, Mar 8, 2012 at 5:06 PM, Nicholas Doty <npdoty@w3.org<mailto:npdoty@w3.org>> wrote:
On Mar 8, 2012, at 11:45 AM, Sean Harvey wrote:

> at a high level this would be new functionality in the ecosystem. there is no such thing as a site-specific exemption or site-specific cookie for an ad servers, etc. coming from a third party domain.
>
> i also agree that this is probably not practically implementable by anyone -- one potential implementation would involve domain-specific cookies in a sub-domain of the third party, but this would mean potentially thousands of cookies on the client browser where previously only one existed. Which does not sound like an ideal outcome.
Sorry, I'm not sure I understand here. As proposed, the user-agent-managed site-specific exception would be handled by the browser (choosing when to send DNT:0) rather than asking the ad server or other third-parties to create separate cookies to manage that state for each first-party site. Right now when an ad network receives a request from a browser that has an opt-out cookie for that network, it has to use a different behavior (not showing a targeted ad) no matter what the first-party site is, right? Can these site-specific exception headers prompt per-request behavior in the same way that an opt-out cookie does?

Or is the concern that site-specific exceptions would require siloing of data and that requires different cookies for each first-party site?

My take on Vincent and Kevin's question: Do first-party publishers get any indication from the user or the third-party that the user has an opt-out cookie installed and is potentially generating less revenue for the publisher?

Thanks,
Nick

--
Sean Harvey
Business Product Manager
Google, Inc.
212-381-5330<tel:212-381-5330>
sharvey@google.com<mailto:sharvey@google.com>

--
Sean Harvey
Business Product Manager
Google, Inc.
212-381-5330
sharvey@google.com<mailto:sharvey@google.com>

Received on Thursday, 8 March 2012 22:13:41 UTC