Re: explicit-explicit exception pairs from Rob van Eijk on 2012-05-08 (public-tracking@w3.org from May 2012)

From: Rob van Eijk <rob@blaeu.com>
Date: Tue, 08 May 2012 23:14:37 +0200
To: rob@blaeu.com
CC: Mike Zaneis <mike@iab.net>, Kimon Zorbas <vp@iabeurope.eu>, Jonathan Mayer <jmayer@stanford.edu>, "ifette@google.com" <ifette@google.com>, Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, Nicholas Doty <npdoty@w3.org>, Matthias Schunter <mts-std@schunter.org>
Message-ID: <4FA98CBD.30100@blaeu.com>

All,

Thinking mod_cookietrack through for an ad-network. For the sake of the 
thought experiment, let's assume all 3rd parties involved use 
mod_cookietrack:

1. On a first visit, a user visits a site, which uses 3rd parties to 
server an ad through an ad-chain with real time bidding.
2. if DNT=1, and no exceptions have been granted by the user, no cookies 
with unique identifiers are set by 3rd parties and as a result, only a 
non-personalized ad is the result.
3. If, for example on auto-refresh of the ad after a few seconds, a 
personalization of the ad is initiated, then the exception API is 
called, to ask for a firstparty/known-parties exception. At that point, 
most of the parties involved with the ad-network flow are known. For 
those known parties an exception can be asked. After granting the 
exception cookies with unique identifiers can be set by the 3rd parties 
with an exception.

"first-party": [
     "example_A",
     "example_B",
     "example_A"
   ]

4. Only the part of the ad-chain where real time bidding for the ad is 
involved will result in an unknown number of 3rd parties. Parties can 
bid for 'a' user not tied to a unique identifier, not 'the' user.
5. The party with the highest bid can server the ad, but without setting 
a unique identifier. If this party want to find out more about the user 
to whom the personalized ad was served, and needs a unique identifier to 
do so, the party can call for a site or web-wide exception.

=> Maybe putting all the weight on the javascript API to solve the 
site/* problem is too much to solve the problem. Maybe we need to 
include normative text for the server-side. Something like:

<normative text>
3rd parties operating in a 1st party context MUST not set cookies with 
unique identifiers on a first visit of a user. Instead the SHOULD ask 
for an exception.
</normative text>

Rob

On 8-5-2012 21:44, Rob van Eijk wrote:
> Kimon,
>
> Let me make a pro-aktive step here. Recently we touched upon 
> mod_cookietrack 
> (http://lists.w3.org/Archives/Public/public-tracking/2012May/0040.html). 
> One of the things that struck me, is that with a small modification of 
> mod_usertrack, the author was able to tackle an interesting point: 
> (https://github.com/jib/mod_cookietrack/blob/master/DOCUMENTATION)
>
> "mod_usertrack does not set the cookie on the incoming request, only 
> on the outgoing request. This means your application doesn't know  
> what UUID to use for the first visit of a user."
>
> Is this server-side behavior in any way useful for the 
> explicit-explicit exception pairs?
>
> Rob
>
> On 8-5-2012 21:17, Mike Zaneis wrote:
>> I'm sorry but I object to this line of advocacy and cajoling by the 
>> Article 29 Work Group. The W3C Working Group's mission is not to 
>> create an EU compliance Mechanism, if that happens to occur as part 
>> of our work then so be it, but it is nowhere in our charter and we 
>> should not be continually pressured to work towards that end.
>>
>> Mike Zaneis
>> SVP&  General Counsel, IAB
>> (202) 253-1466
>>
>> On May 8, 2012, at 2:35 PM, "Rob van Eijk"<rob@blaeu.com>  wrote:
>>
>>> Well,
>>>
>>> At least one thing is for sure: tracking cookies need prior consent 
>>> of the user. There is no uncertainty about that. There is some 
>>> debate on a possibly very limited list of functional cookies.
>>>
>>> One of the latest public documents on the status of the 
>>> implementation is here ( disclaimer: I haven't checked it in detail):
>>> http://www.twobirds.com/English/News/Articles/Documents/Implementation_ePrivacy_Directive-Apr2012.pdf 
>>>
>>>
>>> There is a catch-22 here, because law makers are looking closely to 
>>> the outcome of W3C DNT process. Some find it very hopefull, some 
>>> think it will not lead to compliance.
>>>
>>> So I encourage the group to try to get the TPE out of the impasse. 
>>> Please tell me, if DNT is not going to have any additional value in 
>>> comparison to the current opt-out systems. Because if DNT will not 
>>> be able to offer a rich granular dialog 'under the hood' of the 
>>> browser, DNT is not going to have the outcome many of us have been 
>>> hoping for.
>>>
>>> Rob
>>>
>>> On 8-5-2012 0:42, Kimon Zorbas wrote:
>>>> That leaves us all (except for some lawyers) with frustration and 
>>>> uncertainty how the law will be enforced.
>
>

Received on Tuesday, 8 May 2012 21:15:47 UTC