RE: ISSUE-111 - Exceptions are broken

Kevin,

I think I understand the problem and I'd like to come up with a solution, so I'm curious to know if that's specific to DNT exceptions.
From what I understand, exactly the same problem exists with Opt-Out cookies: 1st parties have no way to know if the 3rd parties will receive an Opt-Out cookie.
Does someone know how this is actually handled by 1st parties?

Vincent
________________________________________
From: Kevin Smith [kevsmith@adobe.com]
Sent: Wednesday, March 07, 2012 7:02 PM
To: Roy T. Fielding; Shane Wiley
Cc: Tracking Protection Working Group WG
Subject: RE: ISSUE-111 - Exceptions are broken

In planning a response to this thread, I think I may have run into a snag which breaks exceptions completely, both using an * and listing sites individually.  I hope I am overlooking something or that the group has already worked through this and I missed it.

THE PROBLEM

The fundamental concepts behind DNT are that the user can choose whether or not a site can track them and the site can choose what content to show to a user that it cannot fully monetize.  As far as I can tell, exceptions will not work at all because they do not allow for either of these to happen.  Consider the following path shown in the attached image where the publisher's ad server redirects to an SSP which redirects to an Ad Exchange which redirects to the Advertiser's Ad Server.  In this case there is a 1st party, and 4 3rd parties (and believe me, this is a fairly simple ad path - the possibilities are nearly limitless).

The problem is that an exception would apply to the 1st party site and the 3rd party that is included directly on that 1st party site (in this case Publisher's Ad Server).  If the exception does not extend to the remainder of the chain, then the exception is worse than worthless because the 1st party cannot actually monetize the visitor the way it thinks it can.  It will think it can serve a targeted ad, but it will actually serve a house ad or random ad.  It will make its decision on inaccurate information.

EXAMPLE

* With DNT:0, the ad request moves through the chain shown and returns a targeted ad for which the publisher is paid $x.
* With DNT:1, the ad cannot be a targeted ad so the publisher's ad server chooses to go to a completely different ad network and shows a completely random ad for which the publisher is paid $y.
* $y is much smaller than $x (obviously the publisher makes more money when it shows a targeted ad than when it shows a random ad)
* Now, let's assume that this user has granted an exception for the 1st party site and the 3rd party ad server.  The 1st party site receives a DNT:0 and the ad server receives a DNT:0 and the site is going to assume it can make $x and will show the content which corresponds to this decision.  However, once the request hits the 2nd stop in the chain (the ssp in this case), those services receive DNT:1, the process is short circuited, and a random ad, or even a house ad, ends up being shown.
* The publisher thought it was making $x, but it made $y and gave its content away for much cheaper than it expected.

So to recap the problem, using any of the exception models we have discussed so far, there is no way to ask the user whether they are willing to grant an exception to the entire chain (especially since the chain may be completely dynamic and change on a per request basis).  Even with an *, meaning that the exception applies to all 3rd parties on the 1st party site, that exception would still not be applied because the 1st party never makes a request to most services on the chain (the ssp is requested from the ad server, not the 1st party).  So, unless the browser automatically carries on the exception header, I cannot think of any way to get the exception to cover the entire advertising chain which means it will not work.  So, exceptions are broken.  What am I missing?

-kevin

Received on Thursday, 8 March 2012 11:01:49 UTC