Re: explicit-explicit exception pairs

Mike, I really disagree with you. You may be misreading my postings.

My effort is driven by a privacy by design motive.

Rob

On 8-5-2012 23:30, Mike Zaneis wrote:
> This discussion is going down the "good" cookie, "bad" cookie route, 
> which is largely an EU regulatory-created myth. I'm not sure it 
> advances the group's thinking to focus on this approach, which has 
> been, shall we say, difficult to implement and enforce.
>
> Mike Zaneis
> SVP & General Counsel, IAB
> (202) 253-1466
>
> On May 8, 2012, at 5:22 PM, "Shane Wiley" <wileys@yahoo-inc.com> wrote:
>
>> #2 breaks most of the ad ecosystem (security/fraud, financial/audit, 
>> frequency capping, basic analytics, etc.) – unique, anonymous/non-PII 
>> cookies are needed for basic business operations.
>>
>> - Shane
>>
>> *From:* Rob van Eijk [mailto:rob@blaeu.com]
>> *Sent:* Tuesday, May 08, 2012 2:15 PM
>> *To:* rob@blaeu.com
>> *Cc:* Mike Zaneis; Kimon Zorbas; Jonathan Mayer; ifette@google.com;
>> Rigo Wenning; public-tracking@w3.org; Nicholas Doty; Matthias Schunter
>> *Subject:* Re: explicit-explicit exception pairs
>>
>> All,
>>
>> Thinking mod_cookietrack through for an ad-network. For the sake of 
>> the thought experiment, let's assume all 3rd parties involved use 
>> mod_cookietrack:
>>
>> 1. On a first visit, a user visits a site, which uses 3rd parties to
>> serve an ad through an ad-chain with real time bidding.
>> 2. If DNT=1, and no exceptions have been granted by the user, no
>> cookies with unique identifiers are set by 3rd parties and as a
>> result, only a non-personalized ad is the result.
>> 3. If, for example on auto-refresh of the ad after a few seconds, a
>> personalization of the ad is initiated, then the exception API is
>> called, to ask for a firstparty/known-parties exception. At that
>> point, most of the parties involved with the ad-network flow are
>> known. For those known parties an exception can be asked. After
>> granting the exception, cookies with unique identifiers can be set by
>> the 3rd parties with an exception.
>>
>> "first-party": [
>>      "example_A",
>>      "example_B",
>>      "example_A"
>>    ]
>>
>> 4. Only the part of the ad-chain where real time bidding for the ad 
>> is involved will result in an unknown number of 3rd parties. Parties 
>> can bid for 'a' user not tied to a unique identifier, not 'the' user.
>> 5. The party with the highest bid can serve the ad, but without
>> setting a unique identifier. If this party wants to find out more
>> about the user to whom the personalized ad was served, and needs a
>> unique identifier to do so, the party can call for a site or web-wide
>> exception.
>>
>> => Maybe putting all the weight on the JavaScript API to solve the
>> site/* problem is too much to solve the problem. Maybe we need to
>> include normative text for the server-side. Something like:
>>
>> <normative text>
>> 3rd parties operating in a 1st party context MUST NOT set cookies
>> with unique identifiers on a first visit of a user. Instead they
>> SHOULD ask for an exception.
>> </normative text>
>>
>>
>> Rob
>>
>> On 8-5-2012 21:44, Rob van Eijk wrote:
>>
>> Kimon,
>>
>> Let me make a proactive step here. Recently we touched upon
>> mod_cookietrack
>> (http://lists.w3.org/Archives/Public/public-tracking/2012May/0040.html).
>> One of the things that struck me is that with a small modification
>> of mod_usertrack, the author was able to tackle an interesting point:
>> (https://github.com/jib/mod_cookietrack/blob/master/DOCUMENTATION)
>>
>> "mod_usertrack does not set the cookie on the incoming request, only
>> on the outgoing request. This means your application doesn't know
>> what UUID to use for the first visit of a user."
>>
>> Is this server-side behavior in any way useful for the 
>> explicit-explicit exception pairs?
>>
>> Rob
>>
>> On 8-5-2012 21:17, Mike Zaneis wrote:
>>
>> I'm sorry but I object to this line of advocacy and cajoling by the
>> Article 29 Work Group. The W3C Working Group's mission is not to
>> create an EU compliance mechanism; if that happens to occur as part
>> of our work then so be it, but it is nowhere in our charter and we
>> should not be continually pressured to work towards that end.
>>
>> Mike Zaneis
>> SVP & General Counsel, IAB
>> (202) 253-1466
>>
>> On May 8, 2012, at 2:35 PM, "Rob van Eijk" <rob@blaeu.com> wrote:
>>
>>
>> Well,
>>
>> At least one thing is for sure: tracking cookies need prior consent 
>> of the user. There is no uncertainty about that. There is some debate 
>> on a possibly very limited list of functional cookies.
>>
>> One of the latest public documents on the status of the
>> implementation is here (disclaimer: I haven't checked it in detail):
>> http://www.twobirds.com/English/News/Articles/Documents/Implementation_ePrivacy_Directive-Apr2012.pdf 
>>
>>
>> There is a catch-22 here, because law makers are looking closely at
>> the outcome of the W3C DNT process. Some find it very hopeful, some
>> think it will not lead to compliance.
>>
>> So I encourage the group to try to get the TPE out of the impasse. 
>> Please tell me, if DNT is not going to have any additional value in 
>> comparison to the current opt-out systems. Because if DNT will not be 
>> able to offer a rich granular dialog 'under the hood' of the browser, 
>> DNT is not going to have the outcome many of us have been hoping for.
>>
>> Rob
>>
>> On 8-5-2012 0:42, Kimon Zorbas wrote:
>>
>> That leaves us all (except for some lawyers) with frustration and 
>> uncertainty how the law will be enforced.
>>

Received on Tuesday, 8 May 2012 21:40:48 UTC
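
The server-side rule from the thought experiment quoted above (steps 2 to 5), sketched as an added example; it is not part of the original thread and not mod_cookietrack's code. The cookie name `uid`, the function names, the party `bidder_X`, and the treatment of a missing or `DNT: 0` header as permitting an identifier are assumptions.

```python
import uuid

UID_COOKIE = "uid"  # hypothetical cookie name


def parse_cookies(header):
    """Parse a Cookie request header into a dict."""
    pairs = (p.split("=", 1) for p in header.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}


def may_set_uid(party, dnt, exceptions):
    """Allow a unique identifier unless DNT is 1 and the user has granted
    this party no exception (DNT unset or 0 is assumed to allow it)."""
    return dnt != "1" or party in exceptions


def handle(party, headers, exceptions):
    """Return (uid visible to the application, Set-Cookie value or None)."""
    if not may_set_uid(party, headers.get("DNT"), exceptions):
        return None, None  # non-personalized ad; any existing uid is ignored
    cookies = parse_cookies(headers.get("Cookie", ""))
    if UID_COOKIE in cookies:
        return cookies[UID_COOKIE], None  # returning visitor, nothing to set
    uid = uuid.uuid4().hex
    # As the mod_cookietrack documentation describes, the new id is made
    # available to the application on this first request, not only on the
    # outgoing response.
    return uid, f"{UID_COOKIE}={uid}; Path=/; Secure; HttpOnly"


def run_chain(parties, headers, exceptions):
    """List the parties in an ad chain that would set an identifier cookie."""
    return [p for p in parties if handle(p, headers, exceptions)[1]]


if __name__ == "__main__":
    # Constructed ad chain: two known parties plus one real-time bidder.
    chain = ["example_A", "example_B", "bidder_X"]
    first_visit = {"DNT": "1"}
    print(run_chain(chain, first_visit, set()))  # step 2: nobody sets an id
    granted = {"example_A", "example_B"}         # step 3: exception granted
    print(run_chain(chain, first_visit, granted))
```

The unknown bidder in steps 4 and 5 stays without an identifier until it obtains its own site or web-wide exception, which in this sketch means being added to `exceptions`.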