Re: Request for comments on priorities for DNT

One W3C approach is not to echo prior comments, so I will omit points already covered in this thread. 

***

My hope for DNT was to provide an alternative to users other than ad blockers, and an alternative to browsers other than breaking current business models to avoid being blamed for privacy issues. Ideally DNT offers a way for users to still see contextual ads while limiting data collection. Publishers (and others) would still be able to make money from showing contextual ads to those users, albeit potentially less when there were behavioral ads to serve. But less money beats no money, and we have seen users in increasing numbers blocking ads for privacy. Once users start running ad blockers, they self-report that they are unlikely to turn them off, ever. Presumably once browsers decide to take new steps for privacy, it will be hard to get them to step back.

What we have heard is that data collection for contextual ads rivals the data collection for behavioral ads. For fraud prevention, for frequency capping, for counting unique impressions per user per ad displayed, data use for billing for contextual advertising is broad, deep, and unique per user. One central question: is the data collection for the business side of *displaying* contextual ads necessarily identical, or fundamentally close enough, to the data collection for behavioral ads? If so, there may not be a solution space to be found. But I am not convinced of that yet. 

To me, that is the big problem to address: how do we continue to enable at least some business models for contextual ads while still limiting data collection. We have heard three ideas:
	- No per-user identifiers. Instead, re-architect systems to uniquely id the ad, and have a count per ad impression. If we could start over and design things from scratch, that would be a good approach. Perhaps new systems should be built this way. Certainly this addresses privacy concerns. But it is a bit rough for current businesses to try to move to, especially quickly.
	- Double-keyed cookies. A given cookie is scoped to the combination of one third party with one first party. In this way, the back end of existing systems would work as now, with far less to change. And there is no third-party data set spanning a sizable proportion of the places a given user has visited, which does help privacy. However, there are remaining privacy implications and there are some contextual business practices that would not work as they do now. Yet perhaps there is a reasonable tradeoff to be found. 
	- Cookies keyed to a particular ad campaign. Here third parties would be able to log each time a given user saw a given ad, nearly anywhere on the web, but could not link that user data to their other ad campaigns. This is really hard to explain to users, and we are hearing things like the length of time for an ad campaign must be unlimited, and can span several years. I wonder if there is more flexibility than the initial comments suggest, and perhaps not every aspect of current contextual ad campaigns should be expected to remain unchanged under DNT. 

***

For points of agreement, let me highlight three that seem to confuse outsiders:
	1. DNT has three possible states: on, off, or unset. 
		- DNT:1 means the user is requesting privacy. The DNT recommendations set out a baseline of what a site / app must do when honoring DNT:1, but sites may do more for privacy. And sites must follow applicable laws; if doing so violates DNT, the site can still claim DNT compliance. 
		- DNT:0 ... we haven't defined yet. This is going to be particularly important if DNT is to help collect user consent in the EU. But the basic idea is "yes, many (all?) business practices are ok with me."
		- unset in the US means users have not made a choice for privacy; in the EU it means users have not consented to data collection. In essence, opt-in and opt-out vary by which country the user is in. This is very hard for people to grasp at first.

	2. A first party is the party a user intends to interact with. There may be multiple first parties on a page. For example, a Facebook Like button is a third party, unless the user clicks on it, whereupon it is promoted to first party. Similarly, clicking an ad makes it a first party. This is important to remember: All of the permitted uses and discussions of third parties and fraud prevention are about ads viewed, not interacted with. Click fraud is not a problem we need to deal with for third parties. For some reason people forget this (self-included at times) during discussions.

	3. Users can consent on a per-party basis. It is ok to send DNT:1 but trust w3.org specifically. [Personally, I think it makes much more sense to let the browsers manage this than have each company roll their own consent system, perhaps with a hook for browsers to display text supplied by the party. But that is not where we've headed, so we are asking for engineering work from all companies that want to request user consent.]

***

We thought we had a few places we might negotiate something enough people could live with. To (over-)simplify, privacy advocates wanted the size of a first party to be limited to just brands that users would reasonably expect to be owned by the same entity, and wanted data collection limited to no unique identifiers. Industry advocates wanted the extent of a first party to be based on corporate ownership, and wanted data collection as close to unchanged as possible. 

Later, privacy advocates were willing to live with very large, largely unchecked first parties, provided third parties did not set unique identifiers. The lack of unique identifiers has not worked for the industry side. 

It may be time to unwind the stack. Perhaps instead we might look at quite a great deal of uniquely identifiable data collection, but scoped smaller, in terms of sharing across parties, permitted uses, and data retention. It may also be time to reconsider giving first parties quite so much leeway, if we are going to imagine unrelated acquisitions are all part of the same first party. Maybe there are solutions to be had in here, changing the mix of "mice" and "elephants" we once spoke about.

***

As for what principles should guide our work, we have had three since the very first meeting in Santa Clara. Any solution for DNT must be accepted by three groups:
	- User agents sending the outgoing DNT signal  
	- Parties receiving the incoming DNT signal
	- Users who can trust that their DNT preference was meaningfully honored 

We do not need 100% on any of those, but that is our three-legged stool. We seem to be forgetting the users lately. That could be a costly mistake.

	Aleecia

Received on Wednesday, 5 December 2012 08:05:32 UTC
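Added example, not part of Aleecia's mail or of any DNT specification: a small Python simulation of what one third party can link together under the three identifier-scoping ideas in the mail (no per-user identifiers, double-keyed cookies, campaign-keyed cookies) compared with today's unscoped cookie. The impression log, the domain names and the campaign names are constructed.

```python
from collections import defaultdict

# Constructed impression log: (user, first_party, third_party, campaign).
# "user" stands in for the browser's per-user cookie value before any scoping.
IMPRESSIONS = [
    ("alice", "news.example", "adnet.example", "shoes"),
    ("alice", "blog.example", "adnet.example", "shoes"),
    ("alice", "blog.example", "adnet.example", "cars"),
    ("bob",   "news.example", "adnet.example", "shoes"),
]

def identifier(model, user, first_party, third_party, campaign):
    """The identifier the third party receives for one impression under a model."""
    if model == "no_user_id":       # idea 1: identify the ad, not the user
        return None
    if model == "double_keyed":     # idea 2: cookie scoped to (third party, first party)
        return (third_party, first_party, user)
    if model == "campaign_keyed":   # idea 3: cookie scoped to (third party, campaign)
        return (third_party, campaign, user)
    if model == "unscoped":         # status quo: one cookie across the whole web
        return (third_party, user)
    raise ValueError(model)

def third_party_view(model):
    """Map each identifier adnet.example sees to the (first_party, campaign)
    impressions it can attribute to that identifier."""
    view = defaultdict(set)
    for user, fp, tp, camp in IMPRESSIONS:
        ident = identifier(model, user, fp, tp, camp)
        if ident is not None:
            view[ident].add((fp, camp))
    return dict(view)

def linkability(model):
    """Count identifiers that span more than one first party (a cross-site
    profile) and identifiers that span more than one campaign."""
    view = third_party_view(model)
    cross_site = sum(1 for v in view.values() if len({fp for fp, _ in v}) > 1)
    cross_campaign = sum(1 for v in view.values() if len({c for _, c in v}) > 1)
    return {"identifiers": len(view), "cross_site": cross_site,
            "cross_campaign": cross_campaign}

def impressions_per_ad():
    """Billing count that still works under every model, including no_user_id."""
    counts = defaultdict(int)
    for _, _, _, camp in IMPRESSIONS:
        counts[camp] += 1
    return dict(counts)
```

Running `linkability` over the four models shows the tradeoff the mail describes: double-keyed cookies stop cross-site profiles but still link a user's campaigns within one site, campaign-keyed cookies follow one campaign across sites but never link campaigns, and only the no-identifier model leaves the third party with nothing beyond per-ad counts.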