
RE: ISSUE-111 - Exceptions are broken

From: Kevin Smith <kevsmith@adobe.com>
Date: Thu, 8 Mar 2012 13:16:27 -0800
To: Sean Harvey <sharvey@google.com>
CC: "TOUBIANA, VINCENT (VINCENT)" <Vincent.Toubiana@alcatel-lucent.com>, "Roy T. Fielding" <fielding@gbiv.com>, Shane Wiley <wileys@yahoo-inc.com>, Tracking Protection Working Group WG <public-tracking@w3.org>
Message-ID: <6E120BECD1FFF142BC26B61F4D994CF3064CCAB914@nambx07.corp.adobe.com>

So, you are saying that for specific 3rd parties such as Amazon or a social network, with which the users are very familiar, a sort of global 3rd party exception might make sense.  I think there is an issue for that (Issue 113)  but it's not currently in the doc.  I think most of us agree that would make sense.  I think the question was really whether or not the browser should manage that scenario.

However, that is an exception for the 3rd party, not an exception that convinces a 1st party to show you content because you are going to allow them to fully monetize you.  Can you see a way that the advertising request chain can work using exceptions as they have been defined in our doc?  Btw - I am also going to consult with some folks internally who are closer to the advertising side of things to see if they can come up with anything.


From: Sean Harvey [mailto:sharvey@google.com]
Sent: Thursday, March 08, 2012 12:45 PM
To: Kevin Smith
Cc: TOUBIANA, VINCENT (VINCENT); Roy T. Fielding; Shane Wiley; Tracking Protection Working Group WG
Subject: Re: ISSUE-111 - Exceptions are broken

at a high level this would be new functionality in the ecosystem. there is no such thing as a site-specific exemption or site-specific cookie for an ad server, etc. coming from a third party domain.

i also agree that this is probably not practically implementable by anyone -- one potential implementation would involve domain-specific cookies in a sub-domain of the third party, but this would mean potentially thousands of cookies on the client browser where previously only one existed. Which does not sound like an ideal outcome.

And I am also not clear as to the current status of the header spec with respect to the third party's ability to distinguish a blanket DNT clearance from a site-specific exemption that would allow for the setting of these subdomain cookies, perhaps someone else on the committee can comment as to where we are with that.

in any event at first glance i would guess that ad servers & other third parties will not be implementing these exemptions even when they encounter them, if they remain as currently formulated.

To my mind a more effective form of exemption would be a third party specific exemption, for a specific third party. As a hypothetical example, if I as a consumer have a trust relationship with a well known company like Amazon I might allow Amazon specifically to market to me offsite based on the information i have shared with it. And in that case I might allow a specific exemption for Amazon to recognize my browser when offsite. That sounds more realistic from a consumer's standpoint (e.g. an exemption a consumer might want) and more realistic from an implementation standpoint as well.

On Thu, Mar 8, 2012 at 12:51 PM, Kevin Smith <kevsmith@adobe.com> wrote:

That is an excellent point.  It probably would not be quite as problematic since many elements in the advertising chain have the ability to choose between multiple next steps, so if one was blocked, it would probably use an alternate path.  In the DNT example however, all would be blocked.  Still, it is definitely a similar problem.  Can anyone shed some light on this?


-----Original Message-----
From: TOUBIANA, VINCENT (VINCENT) [mailto:Vincent.Toubiana@alcatel-lucent.com]
Sent: Thursday, March 08, 2012 3:56 AM
To: Kevin Smith; Roy T. Fielding; Shane Wiley
Cc: Tracking Protection Working Group WG
Subject: RE: ISSUE-111 - Exceptions are broken


I think I understand the problem and I'd like to come up with a solution, so I'm curious to know if that's specific to DNT exceptions.
From what I understand, the exact same problem exists with Opt-Out cookies: 1st parties have no way to know if the 3rd parties will receive an Opt-Out cookie.
Does someone know how this is actually handled by 1st parties?

From: Kevin Smith [kevsmith@adobe.com]
Sent: Wednesday, March 07, 2012 7:02 PM
To: Roy T. Fielding; Shane Wiley
Cc: Tracking Protection Working Group WG
Subject: RE: ISSUE-111 - Exceptions are broken

In planning a response to this thread, I think I may have run into a snag which breaks exceptions completely, both using an * and listing sites individually.  I hope I am overlooking something or that the group has already worked through this and I missed it.


The fundamental concepts behind DNT are that the user can choose whether or not a site can track them and the site can choose what content to show to a user that it cannot fully monetize.  As far as I can tell, exceptions will not work at all because it does not allow for either of these to happen.  Consider the following path shown in the attached image where the publisher's ad server redirects to an SSP which redirects to an Ad Exchange which redirects to the Advertiser's Ad Server.  In this case there is a 1st party, and 4 3rd parties (and believe me, this is a fairly simple ad path - the possibilities are nearly limitless).

The problem is that an exception would apply to the 1st party site and the 3rd party that is included directly on that 1st party site (in this case Publisher's Ad Server).  If the exception does not extend to the remainder of the chain, then the exception is worse than worthless because the 1st party cannot actually monetize the visitor the way it thinks it can.  It will think it can serve a targeted ad, but it will actually serve a house ad or random ad.  It will make its decision on inaccurate information.


* With DNT:0, the ad request moves through the chain shown and returns a targeted ad for which the publisher is paid $x.
* With DNT:1, the ad cannot be a targeted ad so the publisher's ad server chooses to go to a completely different ad network and shows a completely random ad for which the publisher is paid $y.
* $y is much smaller than $x (obviously the publisher makes more money when it shows a targeted ad than when it shows a random ad)
* Now, let's assume that this user has granted an exception for the 1st party site and the 3rd party ad server.  The 1st party site receives a DNT:0 and the ad server receives a DNT:0 and the site is going to assume it can make $x and will show the content which corresponds to this decision.  However, once the request hits the 2nd stop in the chain (the ssp in this case), those services receive DNT:1, the process is short circuited, and a random ad, or even a house ad, ends up being shown.
* The publisher thought it was making $x, but it made $y and gave its content away for much cheaper than it expected.

So to recap the problem, using any of the exception models we have discussed so far, there is no way to ask the user whether they are willing to grant an exception to the entire chain (especially since the chain may be completely dynamic and change on a per request basis).  Even with an *, meaning that the exception applies to all 3rd parties on the 1st party site, that exception would still not be applied because the 1st party never makes a request to most services on the chain (the ssp is requested from the ad server, not the 1st party).  So, unless the browser automatically carries on the exception header, I cannot think of any way to get the exception to cover the entire advertising chain which means it will not work.  So, exceptions are broken.  What am I missing?


Sean Harvey
Business Product Manager
Google, Inc.
Received on Thursday, 8 March 2012 21:17:02 UTC
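
The redirect-chain scenario from the 7 March 2012 message in this thread, modelled as an added example that is not part of any message or of the working group's documents. The host names and the two `scope` modes ("direct" for the exception scoping that message describes, "carried" for a user agent that carries the exception along the chain) are assumptions of this sketch, not terms from the draft specification.

```javascript
// Constructed redirect chain (hypothetical hosts); each hop is requested by the one before it.
const CHAIN = [
  "adserver.publisher.example",
  "ssp.example",
  "exchange.example",
  "adserver.advertiser.example",
];

// DNT value each party receives. `grant` is null or { site, thirdParties },
// where thirdParties may contain "*". `scope` is an assumption of this sketch:
//   "direct"  - exception covers only third parties the first-party page requests itself
//   "carried" - the user agent carries the exception along the whole redirect chain
function dntPerHop(firstParty, chain, grant, scope) {
  const granted = grant !== null && grant.site === firstParty;
  const covers = (host) =>
    granted && (grant.thirdParties.includes("*") || grant.thirdParties.includes(host));
  const hops = [{ host: firstParty, dnt: granted ? 0 : 1 }];
  chain.forEach((host, i) => {
    const requestedByFirstParty = i === 0;
    const excepted =
      scope === "carried" ? covers(chain[0]) : requestedByFirstParty && covers(host);
    hops.push({ host, dnt: excepted ? 0 : 1 });
  });
  return hops;
}

// What the publisher expects (it sees only its own header and its ad server's)
// versus what the chain delivers: "x" = targeted payout, "y" = untargeted payout.
function monetization(hops) {
  const expected = hops[0].dnt === 0 && hops[1].dnt === 0 ? "x" : "y";
  const blocked = hops.slice(1).find((h) => h.dnt === 1);
  return {
    expected,
    actual: blocked ? "y" : "x",
    brokenAt: blocked ? blocked.host : null,
  };
}

// Same wildcard grant under both scoping assumptions.
const grant = { site: "publisher.example", thirdParties: ["*"] };
for (const scope of ["direct", "carried"]) {
  console.log(scope, monetization(dntPerHop("publisher.example", CHAIN, grant, scope)));
}
```

Under "direct" the publisher's expectation and the actual outcome diverge at the second hop; under "carried" they agree.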
