Re: ISSUE-111 - Exceptions are broken from Sean Harvey on 2012-03-08 (public-tracking@w3.org from March 2012)

From: Sean Harvey <sharvey@google.com>
Date: Thu, 8 Mar 2012 17:09:27 -0500
To: Nicholas Doty <npdoty@w3.org>
Cc: Kevin Smith <kevsmith@adobe.com>, "TOUBIANA, VINCENT (VINCENT)" <Vincent.Toubiana@alcatel-lucent.com>, "Roy T. Fielding" <fielding@gbiv.com>, Shane Wiley <wileys@yahoo-inc.com>, Tracking Protection Working Group WG <public-tracking@w3.org>
Message-ID: <CAFy-vufRLRXthF2mRmgPShVF5Bhvh0nrjh3k9CkRiGSuy-TCSA@mail.gmail.com>

Thanks Nick. Please do tell me if you think I'm not thinking clearly about
this. But regardless of whether it is being handled by the browser, you
would still need separate cookies per "site" if the exception is
site-specific.

Example use case: I am third party ad server AdDoty (yes there are brand
names this and more stupid in our industry) and I have a site specific
exemption from both Yahoo and AOL. How do I differentiate this data on the
server side, regardless of whether or not the browser is "handling it"?





On Thu, Mar 8, 2012 at 5:06 PM, Nicholas Doty <npdoty@w3.org> wrote:

> On Mar 8, 2012, at 11:45 AM, Sean Harvey wrote:
>
> > at a high level this would be new functionality in the ecosystem. there
> is no such thing as a site-specific exemption or site-specific cookie for
> an ad servers, etc. coming from a third party domain.
> >
> > i also agree that this is probably not practically implementable by
> anyone -- one potential implementation would involve domain-specific
> cookies in a sub-domain of the third party, but this would mean potentially
> thousands of cookies on the client browser where previously only one
> existed. Which does not sound like an ideal outcome.
>
> Sorry, I'm not sure I understand here. As proposed, the user-agent-managed
> site-specific exception would be handled by the browser (choosing when to
> send DNT:0) rather than asking the ad server or other third-parties to
> create separate cookies to manage that state for each first-party site.
> Right now when an ad network receives a request from a browser that has an
> opt-out cookie for that network, it has to use a different behavior (not
> showing a targeted ad) no matter what the first-party site is, right? Can
> these site-specific exception headers prompt per-request behavior in the
> same way that an opt-out cookie does?
>
> Or is the concern that site-specific exceptions would require siloing of
> data and that requires different cookies for each first-party site?
>
> My take on Vincent and Kevin's question: Do first-party publishers get any
> indication from the user or the third-party that the user has an opt-out
> cookie installed and is potentially generating less revenue for the
> publisher?
>
> Thanks,
> Nick




-- 
Sean Harvey
Business Product Manager
Google, Inc.
212-381-5330
sharvey@google.com

Received on Thursday, 8 March 2012 22:09:55 UTC