SOX Requirements RE: ACTION-216 - Financial Reporting "Exceptions"

I may have missed this but In the FTF in Seattle there was a heated debate
on SOX reporting and data retention requirements.  As I recall Chris and or
Brooks had stated due to reporting and frequency capping, data was required
to be retained for 7 years.   While there were strong opinions, it was clear
none of us  (including myself) were experts .  I thought there was an action
item taken to seek an opinion from the SEC or another agency on what is
required.

 

Has this been addressed?  

 

From: Chris Mejia [mailto:chris.mejia@iab.net] 
Sent: Thursday, July 26, 2012 12:34 PM
To: David Wainberg; Jonathan Mayer
Cc: Dobbs, Brooks; public-tracking@w3.org; Nicholas Doty
Subject: Re: ACTION-216 - Financial Reporting "Exceptions"

 

Brooks- great breakdown, nice work.  Have you examined the other regulatory
obligations to reporting on advertising insertion orders- names SOX
compliance in the US?  We know these tie back to the impression and the user
(without need for PII).  Specific countries in the EU have similar, if not
more stringent regulatory requirements; not sure about other jurisdictions.
Btw- any loosening of these requirements will most certainly lead to opening
the door for increased fraud (and I mean actual fraud).

 

Chris

 

Chris Mejia | Digital Supply Chain Solutions | Ad Technology Group |
Interactive Advertising Bureau - IAB 

 

From: David Wainberg - NAI <david@networkadvertising.org>
Date: Wednesday, July 25, 2012 4:41 PM
To: Jonathan Mayer <jmayer@stanford.edu>
Cc: "Dobbs, Brooks" <Brooks.Dobbs@kbmg.com>, W3C DNT Working Group Mailing
List <public-tracking@w3.org>, "Nicholas \"Nick\" Doty - W3C"
<npdoty@w3.org>
Subject: Re: ACTION-216 - Financial Reporting "Exceptions"
Resent-From: W3C DNT Working Group Mailing List <public-tracking@w3.org>
Resent-Date: Wednesday, July 25, 2012 4:42 PM

 

Instead of 'fraud', I'm going to use 'illegitimate'. Jon, assuming that's
what you meant by 'ad fraud', can you explain how ad reporting and the
prevention of illegitimate activity are very different problems? Advertisers
need to confirm they are not being billed for illegitimate imps or clicks.
This requires a certain level of detailed reporting. On the server end,
detection and prevention of illegitimate activity requires a certain level
of data collection. Aren't these two sides of the same coin? 

On 7/24/12 7:09 PM, Jonathan Mayer wrote:

Brooks,

 

I believe you've conflated ad reporting with ad fraud prevention, two very
different engineering and policy problems.  I'd be glad to discuss the
myriad approaches to fraud prevention without ID cookies.  As for logistics,
my understanding is that many industry participants would prefer to have
such conversations off-list.

 

Jonathan

 

On Tuesday, July 24, 2012 at 2:57 PM, Dobbs, Brooks wrote:

It may be useful to look at your proposal in terms of how well that level of
data collection might ensure quality measurements.  By way of example, if
the search term "Atlanta Insurance Quotes" goes for hypothetically $60/click
could the purchaser of 100 clicks feel confident in $6,000 worth of value if
they didn't see  ~100 different cookies, ~100 different IP addresses and a
meaningful distribution of UAs?  If they only saw 100 time stamps, 5
discreet abbreviated UAs and "North Georgia" under IP address how would you
detect and remove the cost of one user clicking on the ad 5 times
(intentionally or not)?    

 

I think we agree that if we leave a system gameable such that with $N of
effort a person can derive $N+1 dollars of economic utility, we should
expect gaming.  This is a self correcting system because eventually prices
drop until, relatively speaking, it is too expensive to game.  If you take
away the ability to detect gaming, it becomes very cheap to do so and prices
drop accordingly.  As per my comments at the F2F, this is not a behavioral
targeting question, this is a question about the general confidence in all
financial reporting.

 

I use CPC here, but you can make similar cases for CPM or CPA.  Counting is
trivial.  Determining "non-quality" and removing it from billing is more
difficult and has evolved for close to 20 years.

 

-Brooks

 

-- 

Brooks Dobbs, CIPP | Chief Privacy Officer |KBM Group | Part of the
Wunderman Network
(Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
brooks.dobbs@kbmg.com



This email - including attachments - may contain confidential information.
If you are not the intended recipient,
 do not copy, distribute or act on it. Instead, notify the sender
immediately and delete the message.

 

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Tuesday, July 24, 2012 4:57 PM
To: Brooks Dobbs <brooks.dobbs@kbmg.com>
Cc: "public-tracking@w3.org" <public-tracking@w3.org>, Nicholas Doty
<npdoty@w3.org>
Subject: Re: ACTION-216 - Financial Reporting "Exceptions"

 

I would encourage participants following this topic to read a blog post on
privacy-improved advertising measurement that I co-authored with Arvind
Narayanan.

 

http://webpolicy.org/2012/07/24/tracking-not-required-advertising-measuremen
t/

https://github.com/jonathanmayer/Tracking-Not-Required/tree/master/conversio
n-measurement

 

I haven't heard any stakeholder suggest that advertising companies shouldn't
be able to measure their ads.  Disagreement arises over *how* advertising
companies measure their ads-and, in particular, whether ID cookies should be
allowed.

 

Jonathan

 

On Monday, July 23, 2012 at 3:29 PM, Dobbs, Brooks wrote:

I was apparently assigned the unenviable task of summarizing the need for
financial reporting exceptions.  Please find below a condensed examination
of the issue and a broad exception that data used exclusively for financial
reporting ought to be out of scope for DNT.

 

I am cognizant that this is a very broad exception, but I think the basis
for discussion is laid out below.   In looking at this I am specifically
aware of the danger of creating exceptions which may favor one sales basis
over another or indeed one entity over another.

 

---------------------

 

Internet based advertising is typically sold based on one of, or a
combination of, three bases: 1) CPM - where the billable event is an
individual ad serve (though prices are generally quoted in terms of
thousands), 2) CPC - where the billable event is an individual click or
interaction with the ad unit or 3) CPA - where the billable event is an
action or post click activity subsequent and attributable to some
interaction with the ad unit.  The dollar value of each billable event
generally rises through the above progression and while prices for each vary
with other factors, including ad targeting, the specific revenues measured
per event are often in the order of the following:  CPM events in the
fraction of cents per event, CPC events in the whole dollar per event and
CPA events in the 10s of dollars or potentially higher per event.

 

It goes without saying that it is only the ability for the purchaser to
maintain confidence in the quality of the billable event that allows for the
value exchange to work, and, as per event prices rise, so does the need for
unique events to be associated with supporting data which allows for
increased repudiation.  This said, even were the value of unique billable
events is relatively low (CPM), the sum of their values may not be low
requiring commensurate examination of the underlying quality of each
billable event.  

 

A closer look at each form of advertising and the need for quality assurance
is below:

 

- CPM billing contracts may vary, but for the fundamental confidence in the
system to be maintained the purchasing advertiser needs to ensure the
quality of their ad buy by examining all event level data pointswhich could
reasonably allow them to conclude charges where not made to, e.g.: non-human
activity or to delivery at times, in places or in contexts outside of agreed
upon terms.

 

- CPC billing is based on the purchaser's confidence that the quality of the
click is sufficient to warrant the relatively high per event expenditure.
To validate this the advertiser needs data showing the event was, for
instance: not resultant of a non-human activity and not initiated by a party
with ulterior financial motivation.

 

- CPA billing is often based on the advertiser sharing part of its realized
revenue with the supplier of such advertising opportunity.  Unlike CPM and
CPC, CPA requires data collection at minimum at two times and two addresses.
At the relatively high per event cost of CPA advertising, the advertiser
must feel confident not only that the sale was linkable to a previous ad
view through the collection of both post ad serve and ad serve event level
data, but further the ability to maintain that offlinecollection of revenues
(or lack thereof) can be referenced back to the billing/payment system.

 

Each of these systems currently utilizes a wide range of event level data to
ensure billable quality.  In the US alone, 2011 confidence in these models
allowed over 31 billion dollars in advertising and subsequent ad supported
services to be provided.   Of note here is that confidence in quality of
billable events is distinct from issues of fraud, as most events in need of
billing correction do not rise to the level of legal fraud, e.g. a
technologist spidering a site and "calling" all resultant CPM ads is not
"fraud" on the part of either the technologist or the unknowing website, but
is still an event which may be contractually prohibited from billing.  For
this reason, exceptions tied to "fraud prevention" are too narrow to
maintain confidence in the ecosystem.

 

Owing to the diversity in techniques used to determinequality, any
restriction on the collection and/or use of data which is reasonably stored
or processed solely for ensuring the quality of terms of a contract or other
agreement as between buyer and seller should not be considered "tracking"
and should be out of scope of requirements of a Do Not Track guideline.
Data collected and used under a financial reporting exception, which would
otherwise be impacted by this specification, may not be used for any other
purpose not covered by this or another exception.  

 

 

-- 

Brooks Dobbs, CIPP | Chief Privacy Officer |KBM Group| Part of the Wunderman
Network
(Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
brooks.dobbs@kbmg.com



This email - including attachments - may contain confidential information.
If you are not the intended recipient,
 do not copy, distribute or act on it. Instead, notify the sender
immediately and delete the message.