RE: New text Issue 25: Aggregated data: collection and use for audience measurement research

Thanks Kathy, that is useful to know. Am I right to assume that the only information passed to the market research server other than the cookie UID (and IP address) is the URL of the containing page? Before the retained IP address value is truncated, is the data record linked to those collected on other domains? The cookie encoding the UID could have a very short duration (i.e. in the expires or max-age component), is that the case?

 

Thanks for your help,

 

Mike

 

 

 

 

From: Kathy Joe [mailto:kathy@esomar.org] 
Sent: 09 March 2013 10:21
To: michael.oneill@baycloud.com
Cc: peter@peterswire.net; public-tracking@w3.org; justin@cdt.org
Subject: New text Issue 25: Aggregated data: collection and use for audience measurement research

 

Hi Mike,  

 

There are 2 forms of pseudonymization commonly used in census-level audience measurement research. First, the audience measurement company assigns a cookie ID to the audience measurement cookie it drops, and measurements are associated with this ID, which by its nature is pseudonymous. Second, a portion of the IP address is obfuscated and then associated with the cookie ID. No other personal information is collected or needed for census-level audience measurement.

 

Best regards

 

Kathy Joe

  From: Mike O'Neill [mailto:michael.oneill@baycloud.com]
To: 'Kathy Joe' [mailto:kathy@esomar.org], 'Rob van Eijk' [mailto:rob@blaeu.com]
Cc: 'Kimon Zorbas' [mailto:vp@iabeurope.eu], peter@peterswire.net, public-tracking@w3.org, justin@cdt.org
Sent: Fri, 08 Mar 2013 15:36:48 +0100
Subject: RE: New text Issue 25: Aggregated data: collection and use for audience measurement research

Hi Kathy,

 

I would like to understand how your use-case works. How is pseudonymisation defined for audience measurement research and what would actually be done to the data to make it pseudonymised? If an advertiser has a domain adnetwork.eu and uses a cookie containing a unique user id in that domain, how is that communicated to the audience measurement servers and what other data is associated with it? Would the data pseudonymising process delete this cookie value?

 

Thanks

 

 

Mike

 

 

From: Kathy Joe [mailto:kathy@esomar.org] 
Sent: 08 March 2013 13:48
To: Rob van Eijk
Cc: Kimon Zorbas; peter@peterswire.net; public-tracking@w3.org; justin@cdt.org
Subject: New text Issue 25: Aggregated data: collection and use for audience measurement research

 

Hi Rob,

 

Many thanks for your comments and yes we agree that panel members are a form of out of band consent and outside the scope of DNT.

 

As you know, we have proposed a very narrow case for audience measurement research. Specific measures are described to limit access to and protect the raw data whilst it is being stored for a limited period through pseudonymisation and contractual measures. This case is also contingent on data and aggregated reports not being used for other purposes and there being no return path to particular individuals or devices. 

 

We believe that these steps seek to be aligned with the underlying principles set out by the Art. 29 WP that can be summarized as a) pseudonymisation is an important approach to risk limitation and b) consent forms one of a number of legal grounds for processing, which includes legitimate interests. 

 

We believe that audience measurement research can be regarded as a legitimate interest as these impartial statistical measures promote trust in the buying and selling of online advertising which is the model by which the Internet remains free and accessible for all.

 

As I understand it, the Global Considerations Berlin meeting will discuss how W3C DNT could work in the EU context where first and third parties are expressed in different terms and the E Privacy law is interpreted differently between member states. Such interpretations may even change, e.g. the Netherlands, where it has been questioned if the explicit consent model is meaningful in providing citizens with a fundamental right to privacy, and thus is likely to transition to implied consent.

 

Unfortunately I will not be able to attend the meeting in person but we also think it would not be useful to discuss a narrow and specific use case such as audience measurement research as a test case in an environment where so much needs to be clarified first.

 

Best regards

 

 

Kathy Joe,

ESOMAR. 

From: Rob van Eijk <rob@blaeu.com>
Date: Wednesday, March 6, 2013 2:38 PM
To: Kimon Zorbas <vp@iabeurope.eu>, Kathy <kathy@esomar.org>, Peter Swire <peter@peterswire.net>, "justin@cdt.org" <justin@cdt.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Subject: Re: Fw: New text Issue 25: Aggregated data: collection and use for audience measurement research

 


Kimon,

There are at least 2 approaches. Let me point out 2 of them: One that formalizes the concept of tracking by starting with a definition. I would call this top-down. The other is finding out which phenomena are problematic and relevant. I would call this bottom-up. The top-down approach needs a shared definition of tracking. The bottom-up approach does not need this at all.

RobvE 

Kimon Zorbas <vp@iabeurope.eu> wrote:

Once again, all points at agreeing on a definition of tracking.

Kind regards,
Kimon

----- Reply message -----
From: "Rob van Eijk" <rob@blaeu.com>
To: "Kimon Zorbas" <vp@iabeurope.eu>, "Kathy Joe" <kathy@esomar.org>, "peter@peterswire.net" <peter@peterswire.net>, "justin@cdt.org" <justin@cdt.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Subject: Fw: New text Issue 25: Aggregated data: collection and use for audience measurement research
Date: Wed, Mar 6, 2013 2:22 pm

 

Hi Kimon,

Let's take audience measurement as a use case in the Global Considerations meeting next week, and work from there. If text comes out of that effort, we will feed it back to Issue 25.

My stance for the moment is that a DNT must be a strong and meaningful DNT that also takes into account fundamental rights to privacy, not just arguments that are geared toward legitimizing a business model that gave way to the expression to not wanting to be tracked in the first place.

RobvE

Kimon Zorbas <vp@iabeurope.eu> wrote: 

Rob,

we need audience measurement. It's THE part of internet that underlines everything. It's only using data in aggregate and not about communicating back to users.

Why don't you tell us how you would like to change the text and we can work on wording, see if there can be a meaningful compromise?

Kind regards,
Kimon

----- Reply message -----
From: "Rob van Eijk" <rob@blaeu.com>
To: "Kathy Joe" <kathy@esomar.org>, "peter@peterswire.net" <peter@peterswire.net>, "justin@cdt.org" <justin@cdt.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Subject: Fw: New text Issue 25: Aggregated data: collection and use for audience measurement research
Date: Wed, Mar 6, 2013 2:02 pm

 

Thanks Kathy,

I want to add to the discussion that panel members are a form of out of band consent and can therefore be left out of scope for DNT.
For users who have not opted-in to audience measurement, my position is that DNT must be meaningful. A wide interpretation of audience measurement under a generic exception for aggregated reporting should not be the way forward.

Talking shortly to David Stark on this, he suggested to increase transparency by using a visible element on a page, instead of a hidden pixel. I think it is a great idea. It enables transparency, and is an important step towards convincing users to give consent to audience measurement.

I will add to that, in the discussion here, that the pixel is not the right technology under DNT to fulfil the audience measurement need. My position is that if the technology is not capable of triggering an exception as suggested in the technical spec, the way forward should not be to allow for that limitation in technology through an exception in the compliance spec.

In short, I raise severe concerns against the proposed text.

RobvE

Kathy Joe <kathy@esomar.org> wrote: 

Here below is the revised text for issue 25 discussed with Justin and others in the group with some modifications to take Justin's comments into account.

Information may be collected to create statistical measures of the reach in relation to the total population, and frequency of exposure of the content to the online audience, including paid components of web pages. One such method is through using a panel of users who have affirmatively agreed to have their media consumption and web surfing behavior measured across sites.

The panel output is calibrated by counting actual hits on tagged content and re-adjusting the results in order to ensure data produced from the panel accurately represents the whole audience. The counts must be pseudonymised. Counts are retained for sample, quality control, and auditing purposes during which time contractual measures must be in place to limit access to, and protect the data from other uses. A 53 week retention period is necessary so that month over month reports for a one year period may be re-run for quality checking purposes, after which the data must be de-identified. The counted data is largely collected on a first party basis, but to ensure complete representation, some will be third party placement. This collection tracks the content rather than involving the collection of a user's browser history.

The purposes must be limited to:

facilitating online media valuation, planning and buying via accurate and reliable audience measurement.

optimizing content and placement on an individual site.

Audience measurement data must be reported as aggregated information such that no recipient is able to build commercial profiles about particular individuals or devices.

To clarify a comment from Justin about auditing, note that audience measurement systems (whether TV, radio, print or online) are usually managed or monitored by an independent body as a guarantee of accuracy with various stakeholders in a joint industry body defining what is needed to provide a robust and impartial system.

MRC handles this in the US whilst the JICWEBs reporting standards of ABC handles this in the UK and AGMA is the German audit body. Here is a longer list: http://www.i-jic.org/index.php?PHPSESSID=55143f172846ed39c7958cbeb837a85a
and here is ABC: http://www.abc.org.uk/PageFiles/50/Web%20Traffic%20Audit%20Rules%20and%20Guidance%20Notes%20version2%20March%202013%20master.pdf

Regards

Kathy Joe
ESOMAR




Received on Saturday, 9 March 2013 14:03:04 UTC