Re: Next 2 calls canceled (Oct 09 and Oct 16)

Rob,

1.  Yes - assumed this was a given based on the discussion.
2.  For site-wide there isn't an issue.  The Publisher adds consent UGEs
for each of the 3rd parties the user has provided consent using the duple
structure (publisher domain, 3rd party domain).  For web-wide UGEs the
publisher would need to daisy-chain through each UGE by domain in an iFrame
similar to the way E/DAA and NAI opt-outs work today.

- Shane

On Fri, Oct 13, 2017 at 2:40 PM, Rob van Eijk <rob@blaeu.com> wrote:

> Shane,
>
> I also start to understand the use case better.
>
> I understand the need for granularity. I cannot answer the legal question
> whether all or nothing is allowed or not, since the final text on the ePR
> is not there. WP29 is working on guidance for transparency and for consent,
> but these will most likely not provide a definite answer either..
>
> Two issues to add to the technical discussion of your use case:
>
> 1.  Some embedded (RTB) resources may be unknown to the publisher but
> needed for the ad. These resources should have a way to convey their set of
> purposes to the publisher. The TSR is the perfect building block for that
> task imho (pre-flight check in combination with IAB/NAI standardized
> purpose codes). Would you agree adding a purpose (array) to the TSR is
> useful?
>
> 2. Storing the end-users choice in the browser opens up the same-origin
> discussion. To which extent can we avoid ending up in the same situation as
> CORS, i.e., a whitelist approach to contain the need for cross origin
> access?.
>
> Rob
>
> -----Original message-----
> *From:* Aleecia M. McDonald
> *Sent:* Friday, October 13 2017, 11:14 pm
> *To:* Shane M Wiley
> *Cc:* public-tracking@w3.org (public-tracking@w3.org) (
> public-tracking@w3.org)
> *Subject:* Re: Next 2 calls canceled (Oct 09 and Oct 16)
>
> Ah! I think I am finally starting to understand. Thanks for your patience,
> Shane.
>
> Not to make this harder, but presumably you need more than 1 to n, since
> there could be multiple ecosystems that want to do similar mappings. It
> would be deeply unfortunate to have Publisher A get consent to purpose 1 in
> context Breakfast Tracking, while an advertiser *thinks* they have consent
> to purpose 1 in the Ad Ecosystem, but no, it was purpose 1 in the Breakfast
> Tracking ecosystem.
>
> Arrays seem fundamentally problematic. I do not have better ideas yet.
>
> I hesitate to put this forward, but perhaps an array that is documented as
> [0] through [19] are reserved for use by IAB/NAI/AAAA/whomever will own the
> coordination task. This is suboptimal. Perhaps we need prefixes or multiple
> well-named arrays, though there are obvious brittle problems there. We
> could use a registry of some type but I doubt W3C is interested in unending
> work to support such things.
>
> (Ignoring fingerprinting risk for now; ignoring that we may fail to ship
> any spec by making major changes this late; can weigh those when we have a
> solid idea of how to move forward)
>
> Aleecia
>
> On Oct 13, 2017, at 1:20 PM, Shane M Wiley <wileys@oath.com> wrote:
>
> David,
>
> The way this is likely going to work in the real-world, with or without
> DNT, is that the publisher will be capturing the consent (by purpose) for
> each ad tech vendor they work with.  Imagine a consent dialogue that lists
> 5 ad tech partners with 2 to 3 purposes below each partner that the user
> must consent (thus far the mocks I've seen are not very pretty).
>
> Note - I'll avoid the pre-checked box debate here as there could be a
> secondary unchecked box that confirms the user's choice prior to allowing
> them to hit the "I Consent" button.
> Note 2 - I'll avoid the all-or-nothing discussion here (having that with
> Rob on the same thread).
> Note 3 - I'll also avoid the pay-wall or tracking-wall debates (as those
> are on-going in the ePR legislative process).
>
> The publisher will capture this consent and then need to convey it to
> those 3rd parties in some manner.  DNT is a nice solution as the browser
> does this for the ad tech vendor (publisher -> browser -> ad tech vendor).
> Similarly, the publisher could daisy chain through their 3rd party ad tech
> vendor's domains (iFramed) so they each set a cookie with the appropriately
> passed parameters for what level of consent has been provided.  If the
> consent is "web-wide" the publisher would need to follow a similar approach
> anyway (site-wide does not require the iFrame daisy chain).  The publisher
> will of course record this themselves as any changes (new partners, new
> purposes) will require they interact with the user again to gain consent
> for the new elements.  Net-net: EU users will be seeing A LOT of consent
> dialogues going forward.
>
> In the publisher to ad tech vendor setup they will need to agree to the
> purposes for which the ad tech vendor is seeking to gain consent to prior
> to launching the consent experience with users on the publisher's site.  Ad
> Tech Vendors may agree to a single set of possible purposes such that
> numbering is common across industry (1 = interest based ads, 2 =
> cross-device mapping, 3 = probabilistic mapping, N...).  In either case the
> publisher and the ad tech vendor have to agree to this up front so they are
> accurately conveying the appropriate consent for each purpose for that
> vendor.
>
> - Shane
>
> On Fri, Oct 13, 2017 at 9:39 AM, David Singer <singer@apple.com> wrote:
>
>>
>>
>> > On Oct 13, 2017, at 17:48 , Shane M Wiley <wileys@oath.com> wrote:
>> >
>> > David,
>> >
>> > The missing element in your assessment is that the user MUST be able to
>> consent (or not) to the options individually.  We're not able to make it an
>> "all-or-nothing" proposition legally.  If that was possible we wouldn't
>> need to have this conversation as then a single signal would cover our
>> needs.
>>
>> OK. Kinda weird. The site may not do the quid-pro-quo (e.g. free access)
>> unless you consent to it all.  So ‘granular consent’ as I wrote below, and
>> possibly ‘changing purposes over time’ are both issues.
>>
>> It’s easy for the site to talk back to itself; cookies, or even as I
>> suggested using the DNT-extension. That covers the web-wide exception, and
>> the site itself for site-specific.
>>
>> How do you think a site should convey to the ads and its 3rd-parties, for
>> site-specific exceptions, which purposes they have consent for?
>>
>> “This user agreed to a non-vegetarian meal” “This user agreed to wearing
>> synthetic fibers during the night-time” and so on?
>>
>>
>>
>> >
>> > - Shane
>> >
>> > On Thu, Oct 12, 2017 at 11:33 PM, David Singer <singer@mac.com> wrote:
>> >
>> >
>> > > On Oct 13, 2017, at 0:20 , Shane M Wiley <wileys@oath.com> wrote:
>> > >
>> > > I believe this is an over simplification of the issue.  If we want
>> DNT to meet the most basic needs of even small publishers that means they
>> will need to support at least one ad tech partner (assuming the goal of the
>> group is still to meet the original target of the standard).  Even the most
>> basic ad tech partner will participate in at least two distinct purposes
>> which lawyers are expressing need to be consented to separately:
>> interest-based advertising and cross-device mapping (all ad ecosystem
>> participants support these two common approaches in the EU marketplace
>> today).  If the DNT standard is unable to support even the most basic
>> consent scenario then there will likely be zero adoption - at least for the
>> most common use case and original target of the standard.  There may still
>> be hyper edge cases where a singular purpose consent will cover all needed
>> business cases.
>> >
>> > Shane
>> >
>> > I think I am confused.
>> >
>> > When consent is requested, the site manages the UI. It can certainly
>> ask:
>> >
>> > I need to be able to track you so that
>> > * I serve you the breakfast that corresponds to your weird food fads
>> > * I and my third parties can gather data about you that I will sell to
>> a foreign intelligence service, to cover my medical bills
>> >
>> > So, the dual purposes can be clearly expressed in the request.
>> >
>> > Likewise they can be expressed in the tracking status resource; we
>> could certainly have a list of purposes added here:
>> >
>> > object {
>> >     string tracking;                 // TSV
>> >     array { string; } compliance?;   // hrefs
>> >     string qualifiers?;              // compliance flags
>> >     array { string; } controller?;   // hrefs
>> >     array { string; } same-party?;   // domains
>> >     array { string; } audit?;        // hrefs
>> >     string policy?;                  // href
>> >     string config?;                  // href
>> > }*;
>> >
>> > So, as I see it, for an unchanging picture we seem to be covered, no?
>> >
>> > The tricky parts come in at least two ways:
>> > * if the site offers granular consent, for each purpose separately, it
>> needs to know who consented to which purpose.
>> > * if the site’s needs and hence purposes for tracking change over time,
>> it needs to remember “this user gave consent before I added purpose-Q,
>> whereas that user gave consent also to purpose-Q”
>> >
>> > Are these what we are struggling with?
>> >
>> >
>> > >
>> > > - Shane
>> > >
>> > > On Thu, Oct 12, 2017 at 2:47 PM, Aleecia M. McDonald <
>> aleecia@aleecia.com> wrote:
>> > >
>> > > > On Oct 12, 2017, at 11:16 AM, Shane M Wiley <wileys@oath.com>
>> wrote:
>> > > >
>> > > […]
>> > > > In either case, we'll need a purpose array for the ad industry to
>> be able to leverage DNT as a lawful consent compliance approach in the EU
>> (at least that's what EU lawyers are telling me).
>> > > […]
>> > >
>> > > This sounds like an array of common purposes that also contains a
>> purpose of other.
>> > >
>> > > I imagine a common set of purposes congruent with EU regs, and then
>> “other” managed entirely by the publisher, which defines what it means,
>> conveys it meaningfully to users, and records not only consent but what was
>> consented to. I would expect any given publisher using “other” to change
>> what it means over time (e.g. after an acquisition or new product launch,
>> etc.) which is why a timestamp is going to matter.
>> > >
>> > > In an ideal world, Art 29 WP could issue guidance that turns the
>> common set of purposes into something fairly self-serve. Perhaps there will
>> be sample text akin to Safe Harbor guidance.
>> > >
>> > > For the complexities of Other, well, see your local DPA to have a
>> discussion about that.
>> > >
>> > > Small sites should be able to do just fine with the common set. Large
>> companies can get all the complexity they need from Other, which might need
>> to be further defined as OtherA, OtherB, OtherC, on the backend, but that
>> too is up to the publisher to manage.
>> > >
>> > > Early on we had the idea that straight-forward publishers should be
>> able to implement DNT easily and those with complex practices would have a
>> more complex implementation. I think we can still fulfill that goal.
>> > >
>> > > (I echo Rob’s concern about further delay and the ironies inherent in
>> this discussion.)
>> > >
>> > >         Aleecia
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > --
>> > > - Shane
>> > >
>> > > Shane Wiley
>> > > VP, Privacy
>> > > Oath: A Verizon Company
>> >
>> > Dave Singer
>> >
>> > singer@mac.com
>> >
>> >
>> >
>> >
>> > --
>> > - Shane
>> >
>> > Shane Wiley
>> > VP, Privacy
>> > Oath: A Verizon Company
>>
>> David Singer
>> Manager, Software Standards, Apple Inc.
>>
>>
>
>
> --
> - Shane
>
> Shane Wiley
> VP, Privacy
> Oath: A Verizon Company
>
>
>


-- 
- Shane

Shane Wiley
VP, Privacy
Oath: A Verizon Company