RE: Issue-32, Sharing of data between entities via cookie syncing / identity brokering

Shane,

Thanks for the feedback. I agree that even if they are involved in a cookie-syncing, the SSP (at least) should still be able to benefit of the third party exceptions. I did not mention it explicitly as this text should be a sub-section of the "third party" section where the exceptions will be listed.
An issue specific to cookie syncing is that the URL contains the cookieID which identifies the User-Agent. It implies, for instance, that we should make sure that aggregated reports will not include the full URL. We should also enforce the fact that SSP and DSP can not mis-understand which third parties are granted an exemption and incorrectly ignore DNT.


To summarize, I understand that I should modify the text to reflect that SSP and DSP benefit of the third-party exceptions. I think I should also highlight that measures should be taken to make sure that:
·        Only the third party which has been granted an exemption can track the User,
·        no identifier/pseudonym remain in the aggregated reports (or any other report related to the cookie sync).

Vincent

________________________________
De : Shane Wiley [mailto:wileys@yahoo-inc.com]
Envoyé : mercredi 21 décembre 2011 15:37
À : TOUBIANA, VINCENT (VINCENT); public-tracking@w3.org
Cc : aleecia@aleecia.com
Objet : RE: Issue-32, Sharing of data between entities via cookie syncing / identity brokering

Vincent,

This is a good start but I believe we'll need the ability to move forward with cookie syncing even if DNT is turned on in those cases where the sync is used only for allowed operational exceptions (such as frequency capping, logging impressions for financial purposes, security, or aggregated reporting).  Cookie syncing has an unfair reputation when it is simply a technical necessity for two systems to communicate about a given web browser with the same ID (in no way linked to personally identifiable information) across diverse platforms.  As long as the map is leveraged only for accepted operational purposes, I don't believe there should be an issue here.  If the DNT signal is turned on for either the DSP or SSP, no profiling should occur for that transaction and no historical profiles should be leveraged for targeting in that case either.

- Shane

From: TOUBIANA, VINCENT (VINCENT) [mailto:Vincent.Toubiana@alcatel-lucent.com]
Sent: Wednesday, December 21, 2011 7:11 AM
To: public-tracking@w3.org
Cc: aleecia@aleecia.com
Subject: Issue-32, Sharing of data between entities via cookie syncing / identity brokering

Proposed language:
"The operator of third-party domain acting as a Supply Side Platform (SSP) receiving [DNT-ON] MAY start a cookie syncing procedure (i.e. transmit its segment ID  to DSP) but MUST NOT retain information related to the communication initiated by the User-Agent or any resulting communication.
A third party acting as a Demand-Side Platform (DSP) receiving [DNT-ON] during a cookie syncing procedure MUST NOT collect, use or retain any information related to that communication."

Background:
In a cookie syncing procedure a Demand-Side Platform (DSP) aim to match a cookieXYZ (corresponding to its domain) to the cookieABC set by the Supply Side Platform (SSP) for the same User-Agent U. Cookie syncing requires that the SSP adds a 1x1 pixel from the DSP domain. The SSP has to pass the string "cookieABC" corresponding to ids domain to the DSP through the URL of this 1x1 pixel. The DSP parses the "cookieABC" in the URL and associates it to the cookieXYZ for its domain. Once the cookies have been matches, the DSP will be able to re-target U on the SSP affiliated sites.

Alternative:
I tried propose a draft that would not break cookie syncing when the DSP has been granted an exemption while the SSP hasn't. If this approach does not work, a simpler solution is to prohibit cookie syncing when the third party receives DNT:ON.