- From: Lauren Gelman <gelman@blurryedge.com>
- Date: Mon, 6 Feb 2012 21:17:58 -0800
- To: Roy T. Fielding <fielding@gbiv.com>
- Cc: David Singer <singer@apple.com>, John Simpson <john@consumerwatchdog.org>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Can you give me an example of a 3rd party site that needs referer info for billing/audit/fraud? Referrer data is used to tell me where a user is coming from. If I'm Macys and a DNT:1 user arrives on my site because they clicked on an ad on NYT.com then I am a first party. I get to know referrer info and can credit NYT with the click. What is the use case where I'm a third party and I need to know where a user is coming from. If I'm a Macys ad just sitting on NYT, and a DNT:1 user visits the site, why would referrer info [where the person was prior to arriving at NYT] be passed to me? If I am an ad server, why do I need that info to do an audit? They can't sell an ad into that spot based on where the user came from for a DNT:1 user, right? > We are already limiting data collection to the site operator > and data processors contracted by that site, but "site" in > that case includes third-party services. I am not sure what this means. I thought "the site" and "third party services" were distinct entities (however they end up being defined). On Feb 2, 2012, at 7:16 PM, Roy T. Fielding wrote: > On Feb 2, 2012, at 4:24 PM, Lauren Gelman wrote: > >> Can you limit the sites who would be required to keep it for audit purposes to only first parties or their service providers? > > I don't think we can anticipate what sites are required to > keep data for auditing purposes, especially since many of > the third-party sites are auditors. Why does it matter, > assuming they aren't allowed to share the data or use it > operationally (to target or modify responses)? > > I think it is more effective to place limits on retention > in user-identifiable form, since auditors generally do not > want to retain the raw data anyway unless it has been detected > as likely fraudulent. Another possibility is to only > allow pair-wise retention of referral data, meaning that any > user-identifiable data in the record is hashed with something > unique to the referring site, or stored separately per site, > such that it is difficult to correlate them. And note that > this would only be for sites that *need* to retain this > information for billing/auditing/fraud control -- it is not > a general exception. > > We are already limiting data collection to the site operator > and data processors contracted by that site, but "site" in > that case includes third-party services. I am assuming that > companies like > > http://www.linkshare.com/ > > are at least capable of siloing data per contract (destination site). > I do not know if they do so already. I doubt that a first party > would ever willingly share referral data with anyone else, aside > from aggregate forms (like in marketing reports). > > ....Roy > Lauren Gelman BlurryEdge Strategies 415-627-8512 gelman@blurryedge.com http://blurryedge.com
Received on Wednesday, 8 February 2012 19:05:52 UTC