Re: Frequency Capping

Hi Tamir,

With all due respect, the framework you're offering below is sort of a false
choice. I could certainly provide an analogous false choice: "Are the
advocates and regulators willing to recognize that business need to make
money or not?" However, I would imagine that many in this group would take
issue with that type of characterization. The issues we're all grappling
with just aren't that simple.

Fact is - Industry HAS explored this option: a few members of this working
group have built and/or purchased alternative solutions for frequency
capping and for whatever reason, they haven't worked at scale. Many in the
OBA industry are continuing to explore this and other privacy enhancing
options. Perhaps industry hasn't explored them to the level that you and
others may want, but its not really fair to imply that they haven't been
explored. 

But if you are going to ask companies to invest money on something, I think
its fair to evaluate both the costs and the relative merits of the problem
that we're looking to solve. If the answer is "some in this WG are
inherently uncomfortable with the very idea of having ANY pseudonymous ID in
a cookie" then we may an issue. As Roy (and others) have repeatedly stated,
ID cookies are
used by other features that won't be turned off by DNT.


Cheers,

Alan Chapell
Chapell & Associates
917 318 8440


From:  Tamir Israel <tisrael@cippic.ca>
Date:  Friday, July 13, 2012 2:07 PM
To:  Mike Zaneis <mike@iab.net>
Cc:  JC Cannon <jccannon@microsoft.com>, Shane Wiley <wileys@yahoo-inc.com>,
"Roy T. Fielding" <fielding@gbiv.com>, Peter Eckersley
<peter.eckersley@gmail.com>, W3C DNT Working Group Mailing List
<public-tracking@w3.org>
Subject:  Re: Frequency Capping
Resent-From:  <public-tracking@w3.org>
Resent-Date:  Fri, 13 Jul 2012 18:08:07 +0000

    
 Mike,
 
 If there is a solution to F-capping that does not require unique
identification of users than this will dramatically cut down the amount of
'tracking' that can occur under DNT-1 state. As opposed to some other
possible permitted uses, an F-capping exception will permit unique
identification of every single individual regardless of DNT state.
 
 Look, there's really only 1 question here: is industry willing to at least
explore alternative technical solutions that allow f-capping w/out unique
identification of users?
 
 If the answer is no, that is very disappointing. If the answer is yes, than
I refer you back to:
http://lists.w3.org/Archives/Public/public-tracking/2012Jul/0075.html
 
 Best,
 Tamir
 
 On 7/13/2012 1:32 PM, Mike Zaneis wrote:
>   
> Tamir,
>  
> 
>  
>  
> At the very first meeting last September this group addressed the fact that
> under any standard coming out of the W3C that there would still be some
> "tracking" even with DNT turned on. Newer participants will either have to get
> comfortable with that fact or the group will have to go back to the beginning.
>  
>  Mike Zaneis 
> SVP & General Counsel, IAB
>  
> (202) 253-1466
>  
>  
> 
>  On Jul 13, 2012, at 12:33 PM, "Tamir Israel" <tisrael@cippic.ca> wrote:
>  
>  
>  
>>  
>> On 7/13/2012 12:20 PM, JC Cannon wrote:
>>>   
>>>  
>>> 
>>> It is not practical to expect many consumers to go through and manage a list
>>> of third-party sites. Even the small number of educated users won¹t
>>> understand all the third parties on a site. Consumers have to feel that when
>>> they visit a third-party site that their privacy will be protected and if
>>> not, that they have some recourse to address any harm.
>>>  
>>>  
>>  
>>  That too : )
>>  
>>  
>>>  
>>>  
>>> 
>>>  
>>>  
>>>  
>>> Moreover, I feel we should be addressing whether or not frequency capping is
>>> a permitted use and not spending time trying to design it in this working
>>> group.
>>>  
>>>  
>>  
>>  JC -- I personally don't think it should be a permitted use, primarily
>> because it allows for the possibility of 'tracking' in scenarios where a user
>> has expressed their desire not to be tracked. Some others have expressed
>> strongly their impression that some form of F-capping is necessary even in a
>> DNT-1 state. The hope is that there is a technical solution to resolve this
>> impasse.
>>  
>>  Best,
>>  Tamir
>>  
>>  
>>>  
>>>  
>>> 
>>>  
>>>  
>>>  
>>> JC
>>>  
>>>  
>>>  
>>>  
>>>  
>>> 
>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>  Sent: Friday, July 13, 2012 9:01 AM
>>>  To: Shane Wiley
>>>  Cc: Roy T. Fielding; Peter Eckersley; W3C DNT Working Group Mailing List
>>>  Subject: Re: Frequency Capping
>>>  
>>>  
>>>  
>>>  
>>>  
>>> Shane,
>>>  
>>>  Your brick and mortar example to me highlights very precisely the problem
>>> here. The fact that Walmart chooses to carry Raisin Bran in addition to
>>> Lucky Charms (no accounting for taste : P) does not initiate any type of
>>> interaction between me and Raisin Bran. Just between me and Walmart and, if
>>> I'm hungry as I walk past the cereal section, me and Lucky Charms.
>>>  
>>>  My expression of 'do not track me' should be able to encompass this type of
>>> model.
>>>  
>>>  So, I should be able to say: I don't want to be tracked by anyone, but I'll
>>> grant an exception to yahoo and adobe (because I trust them), but not to
>>> 'financial-credit-profile-builder' (because I don't trust them). Making a
>>> list of third parties easily discoverable won't quite get us there because
>>> it targets the first party, whereas the potential bad behaviour and
>>> incentives need to be applied to the third parties. Therefore: a.) there is
>>> no way for me to communicate to the first party that my problem isn't with
>>> 98% of the third parties they're using to monetize, but only with x and y;
>>> and b.) there will not be any competitive pressures on particular servers to
>>> behave well (maintain anonymous cookie ID, for example).
>>>  
>>>  Best,
>>>  Tamir
>>>  
>>>  On 7/12/2012 4:19 PM, Shane Wiley wrote:
>>>  
>>> Tamir,
>>>  
>>>  
>>>  
>>> You've interacted with those 3rd parties as a part of your interaction with
>>> the 1st party -- as that 1st party has partnered with those 3rd parties to
>>> provide its services to you (monetization, analytics, content, widgets,
>>> etc.).  If a 1st party is transparent about those 3rd parties it works with
>>> (and/or highly discoverable through already existing web browser tools), is
>>> it fair to say you still have a choice at that point to decide to continue
>>> to interact with that 1st party?  If you disagree with a 3rd party's ability
>>> to maintain an anonymous cookie ID in relationship to the services its
>>> providing to the 1st party, you do not need to interact with that 1st party.
>>> The choice is yours.
>>>  
>>>  
>>>  
>>> If there were true "harms" involved, then you may look at this through a
>>> slight different lens, but that has yet to be established.
>>>  
>>>  
>>>  
>>> To use a brick-n-mortar example, you do not have a right to require Wal-Mart
>>> carry a specific brand of cereal you may really like (your desire vs. their
>>> business obligation).  If you're unhappy with Wal-Mart due to this choice,
>>> you can decide to not shop at Wal-Mart.
>>>  
>>>  
>>>  
>>> - Shane
>>>  
>>>  
>>>  
>>> -----Original Message-----
>>>  
>>> From: Tamir Israel [mailto:tisrael@cippic.ca]
>>>  
>>> Sent: Thursday, July 12, 2012 12:56 PM
>>>  
>>> To: Roy T. Fielding
>>>  
>>> Cc: Peter Eckersley; W3C DNT Working Group Mailing List
>>>  
>>> Subject: Re: Frequency Capping
>>>  
>>>  
>>>  
>>> On 7/12/2012 3:12 PM, Roy T. Fielding wrote:
>>>  
>>>>  
>>>> Yes, and it has been rejected many times because the ID cookies are
>>>>  
>>>> used by other features that won't be turned off by DNT.
>>>>  
>>>  
>>>  
>>>  
>>> Not so. I have never interacted and have no relationship with third
>>>  
>>> party server X. Why does it need to be able to identify me in any way?
>>>  
>>>  
>>>  
>>>  
>>  
>>  
>