
Re: Frequency Capping

From: Peter Cranstone <peter.cranstone@3pmobile.com>
Date: Thu, 12 Jul 2012 16:23:11 +0000
To: Tamir Israel <tisrael@cippic.ca>, Chris Mejia <chris.mejia@iab.net>
CC: "Grimmelmann, James" <James.Grimmelmann@nyls.edu>, "W3C DNT Working Group Mailing List" <public-tracking@w3.org>, Mike Zaneis <mike@iab.net>, "Brendan Riordan-Butterworth" <Brendan@iab.net>
Message-ID: <2A61AB2B87BB9342ABE5E22B2CA93C3ED5F016@mbx022-e1-nj-10.exch022.domain.local>
Interesting debate. I went back through the archives to June 22 and pulled out Roy's definition of tracking, here it is:

tracking

  (c1) Tracking is the collection or use of user data via either a unique
identifier or a correlated set of data points being used to approximate a
unique identifier, in a context other than "first party" as defined in this
document.

  (c2) Tracking is defined as following or identifying a user, user agent,
or device across multiple visits to a site (time) or across multiple sites
(space).

  (r1) Tracking is defined as following or identifying a user, user agent,
or device across multiple visits to a site (time) or across multiple
sites (space). Mechanisms for performing tracking include but are not
limited to:
• assigning a unique identifier to the user, user agent, or device
   such that it will be conveyed back to the server on future visits;
• personalizing references or referral information such that they will
   convey the user, user agent, or device identity to other sites;
• correlating data provided in the request with identifying data
   collected from past requests or obtained from a third party; or,
• combining data provided in the request with de-identified data
   collected or obtained from past requests in order to re-identify
   that data or otherwise associate it with the user, user agent,
   or device.

  (r2) Tracking is the retaining or sharing of data about a user's Internet
activity in a form that remains linkable to that user, user agent, or device
across multiple Web properties that do not share a common first party (data
controller).

So here's the question. Does the current approach to f-capping infringe on this definition?

As for the DNT:1 signal sent by IE10 – there is simply no way to verify who set it. Here's exactly what a server sees from IE10:

HTTP_USER_AGENT=[Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)]

HTTP_USER_AGENT=
[Mozilla/5.0]
[(compatible;]
[MSIE]
[10.0;]
[Windows]
[NT]
[6.2;]
[Win64;]
[x64;]
[Trident/6.0)]

HTTP_FROM=[]

Start of CGI environment variables...

GATEWAY_INTERFACE="CGI/1.1"
HTTP_ACCEPT="text/html, application/xhtml+xml, */*"
HTTP_ACCEPT_ENCODING="gzip, deflate"
HTTP_ACCEPT_LANGUAGE="en-US"
HTTP_CONNECTION="Keep-Alive"
HTTP_DNT="1"

So what do you do? You can see that the browser is Mozilla 5.0 compatible – so I fired up Firefox 13.0 and ran the same test. Here's what the server sees.

HTTP_USER_AGENT=[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1]

HTTP_USER_AGENT=
[Mozilla/5.0]
[(Macintosh;]
[Intel]
[Mac]
[OS]
[X]
[10.7;]
[rv:13.0)]
[Gecko/20100101]
[Firefox/13.0.1]

HTTP_FROM=[]

Start of CGI environment variables...

GATEWAY_INTERFACE="CGI/1.1"
HTTP_ACCEPT="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
HTTP_ACCEPT_ENCODING="gzip, deflate"
HTTP_ACCEPT_LANGUAGE="en-us,en;q=0.5"
HTTP_CONNECTION="keep-alive"
HTTP_DNT="1"

The only way to tell the browsers apart is to parse every GET request that has a DNT value in it and look for the second value. And even then you still have no idea who set the flag.



Peter
_________________________
Peter J. Cranstone
CEO.  3PMobile
Boulder, CO  USA
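
Added example, not part of the original message: a parser for the CGI dump format quoted above, run over copies of the two dumps trimmed to four variables (constructed sample input). It shows that the two requests differ in their User-Agent and Accept values while HTTP_DNT is identical and says nothing about who set it; the function names are hypothetical.

```python
import re

# Constructed sample input: the two dumps quoted above, trimmed to four variables.
IE10_DUMP = """\
HTTP_USER_AGENT=[Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)]
HTTP_ACCEPT="text/html, application/xhtml+xml, */*"
HTTP_ACCEPT_ENCODING="gzip, deflate"
HTTP_DNT="1"
"""
FIREFOX_DUMP = """\
HTTP_USER_AGENT=[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1]
HTTP_ACCEPT="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
HTTP_ACCEPT_ENCODING="gzip, deflate"
HTTP_DNT="1"
"""

# NAME=[value] or NAME="value", as printed in the dumps.
LINE = re.compile(r'^(\w+)=(?:\[(.*)\]|"(.*)")\s*$')
UA_PATTERNS = (
    ("Internet Explorer", re.compile(r"MSIE (\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
)

def parse_dump(text):
    """Return {variable: value} for every well-formed line of a dump."""
    env = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            env[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return env

def summarize(env):
    """(DNT value, browser family, major version); DNT is None when absent."""
    ua = env.get("HTTP_USER_AGENT", "")
    for family, pattern in UA_PATTERNS:
        m = pattern.search(ua)
        if m:
            return env.get("HTTP_DNT"), family, int(m.group(1))
    return env.get("HTTP_DNT"), "unknown", None

def differing_headers(a, b):
    """Names of variables whose values differ between two requests."""
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))

if __name__ == "__main__":
    ie, ff = parse_dump(IE10_DUMP), parse_dump(FIREFOX_DUMP)
    print(summarize(ie), summarize(ff))
    print("differ:", differing_headers(ie, ff))  # HTTP_DNT is not in this list
```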



From: Tamir Israel <tisrael@cippic.ca>
Date: Thursday, July 12, 2012 10:02 AM
To: Chris Mejia <chris.mejia@iab.net>
Cc: "Grimmelmann, James" <James.Grimmelmann@nyls.edu>, W3C DNT Working Group Mailing List <public-tracking@w3.org>, Mike Zaneis <mike@iab.net>, Brendan Riordan-Butterworth <Brendan@iab.net>
Subject: Re: Frequency Capping
Resent-From: <public-tracking@w3.org>
Resent-Date: Thursday, July 12, 2012 10:03 AM

Hi Chris -- thank you kindly.

I (and a few others) have repeatedly stated what you are saying here:

On 7/12/2012 11:39 AM, Chris Mejia wrote:
Under the currently proposed binary DNT mechanism, there is no way for publishers/ad-networks/advertisers/etc. to know if the consumer made the setting themselves.  So if an IE10 user turns off the default DNT, then later turns it on, there is no way to distinguish that user from others who have not manipulated the default setting.  There is also no way to audit this setting of the mechanism.  As such, those companies who chose to "honor" this voluntary DNT spec, will likely have to honor all DNT requests, no matter how they were set.  OR conversely, not honor any DNT signals, pointing to a clear market inconsistency in how DNT is set, with no technical mechanism available to determine the validity of consumer preference.

I still think this is the case, but the working group has not reached consensus on this point and many members have argued that servers can ignore any and all of IE10's signals simply because they deem it to be 'non-compliant' and, more importantly, a number have said they intend to do so when implementing DNT. Again, I strongly disagree with that notion, but there you have it.

CM:  I think you missed a step.  Step 1 should be to identify an actual problem to solve for.  Until you have identified that actual harm has been done to consumers through this practice, we are only solving for theoretical potential threats.  Once you quantify and thus qualify the potential harm, based on real documented experience, THEN I think everyone can assess if we need to solve for the potential.

Just because I heard someone say that they sighted a unicorn, doesn't mean that I should rush out to build a unicorn farm.  Before I go to all the trouble and expense of building my unicorn farm, I will probably take the very balanced and reasonable steps of validating the actual existence of unicorns.  Call me crazy if you like.


Chris -- the privacy harm I am referring to is the fact that my online activities are being tracked. You may disagree with the magnitude of such a privacy harm, but some may disagree and, in contexts where I have had no interaction with the multitudes of companies that are doing the tracking, I would want the right to opt-out of this type of tracking (at least with respect to a select number of companies, based on trust, etc.).

Are you denying that current frequency capping techniques entail the placement of unique user identifiers on users' computers, as well as third party access to these identifiers across diverse sites?

Best,
Tamir


On 7/12/2012 11:39 AM, Chris Mejia wrote:
Hi Tamir,

Thanks for your detailed reply.  My comments are below, inline with yours.


Chris Mejia | Digital Supply Chain Solutions | Ad Technology Group | Interactive Advertising Bureau - IAB

From: Tamir Israel <tisrael@cippic.ca>
Date: Wed, 11 Jul 2012 23:34:06 -0400
To: Chris Mejia - IAB <chris.mejia@iab.net>
Cc: "Grimmelmann, James" <James.Grimmelmann@nyls.edu>, W3C DNT Working Group Mailing List <public-tracking@w3.org>, Mike Zaneis - IAB <mike@iab.net>, Brendan Riordan-Butterworth - IAB <brendan@iab.net>
Subject: Re: Frequency Capping

On 7/11/2012 7:12 PM, Chris Mejia wrote:
With Microsoft already shipping IE10 with DNT:1 defaulted to "on", there will soon be 30+ percent of users broadcasting the DNT:1 signal.

Oh, that. Well, I don't think IE10 DNT-1 by default actually translates into a 30% DNT-1. Assuming for the moment that IE10 does achieve a 30% user base, the reality is that these users will be prompted left right and center by servers to move to DNT-0 or grant exceptions. I imagine many will, as I've seen the creativity and innovation the ad industry is able to leverage when setting out to convince users to click on buttons : P

CM: 30% was a forward looking number (refer to the separate thread on this topic where I support the number).  I believe that industry publishers are not generally interested in creating a "land-mine field" of pop-ups on the Internet to "battle" a poorly implemented DNT:1 mechanism.  This battle, if it were enacted, would happen on publisher websites and would represent a terrible user experience that would likely be attributed to the publisher, thus creating poor consumer to publisher brand will.

In any case, in setting DNT-1 on by default, IE10 is non-compliant with the standard (so I don't see how you could pin that one on the W3C) and, moreover, at the moment it appears the working group is leaning towards a standard that permits servers to ignore any DNT-1 signal they feel is non-compliant.

CM:  To be clear, I have not pinned Microsoft's implementation of DNT on the W3C.  Conversely, I support and applaud all working group efforts to denounce such default settings of DNT.  In my opinion, the setting of DNT by default is a fatal flaw for the success of the currently proposed mechanism and program. As many smart folks on this forum have already pointed out, it's probably not practical in practice to simply ignore some DNT signals and not others, based on assumptions that certain users associated with particular non-compliant user agents did not make their settings consciously and/or were not armed with relevant information to make an informed decision.  Under the currently proposed binary DNT mechanism, there is no way for publishers/ad-networks/advertisers/etc. to know if the consumer made the setting themselves.  So if an IE10 user turns off the default DNT, then later turns it on, there is no way to distinguish that user from others who have not manipulated the default setting.  There is also no way to audit this setting of the mechanism.  As such, those companies who chose to "honor" this voluntary DNT spec, will likely have to honor all DNT requests, no matter how they were set.  OR conversely, not honor any DNT signals, pointing to a clear market inconsistency in how DNT is set, with no technical mechanism available to determine the validity of consumer preference.

To summarize, many companies may choose not to honor this voluntary DNT specification at all, based on the systemic fatal flaw outlined above.  I don't see that as a particularly good outcome, but I understand and appreciate why companies may be forced to make such an unfortunate choice:  in the US, if a company states they will honor the DNT spec/signal, they are potentially opening themselves up to regulatory enforcement (i.e. FTC, State AGs, etc.) and private litigation for cases brought by or in the name of users that feel their DNT request was not adequately honored.  Simply ignoring some DNT signals (no matter the rationale), under the currently proposed mechanism, likely leads to this legal exposure.

Going back to the F-caps, since we're talking about third parties a specific user has had little interaction with, I do not think it is unreasonable for a user who sends out a signal -- 'do not track me' -- to presume that this means they will not be tracked. Allowing user identification for the purpose of F-caps means allowing tracking or, alternatively, makes it impossible to ensure non-tracking at the user end.

It could be that some might feel the marginal benefit of adopting a method of F-capping that does not require tracking is not meritorious. But making this assessment is a two step process. The first step is to outline the most feasible means of achieving the objective. Step two is to weigh the costs of that objective against any perceived benefit. We can't really do step 2 properly without doing step 1 first. If step 1 is impossible, it would be good to hear why some of the methods that have already been proposed are impossible or to what extent they're inadequate.

CM:  I think you missed a step.  Step 1 should be to identify an actual problem to solve for.  Until you have identified that actual harm has been done to consumers through this practice, we are only solving for theoretical potential threats.  Once you quantify and thus qualify the potential harm, based on real documented experience, THEN I think everyone can assess if we need to solve for the potential.

Just because I heard someone say that they sighted a unicorn, doesn't mean that I should rush out to build a unicorn farm.  Before I go to all the trouble and expense of building my unicorn farm, I will probably take the very balanced and reasonable steps of validating the actual existence of unicorns.  Call me crazy if you like.

Best,
Tamir

Received on Thursday, 12 July 2012 16:23:47 UTC
