Re: explicit-explicit exception pairs from Rob van Eijk on 2012-05-08 (public-tracking@w3.org from May 2012)

From: Rob van Eijk <rob@blaeu.com>
Date: Tue, 08 May 2012 23:24:52 +0200
To: rob@blaeu.com
CC: Mike Zaneis <mike@iab.net>, Kimon Zorbas <vp@iabeurope.eu>, Jonathan Mayer <jmayer@stanford.edu>, "ifette@google.com" <ifette@google.com>, Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, Nicholas Doty <npdoty@w3.org>, Matthias Schunter <mts-std@schunter.org>
Message-ID: <4FA98F24.5070102@blaeu.com>

Correction: Thinking mod_usertrack through for an ad-network... (for 
this module is the modified one)

On 8-5-2012 23:14, Rob van Eijk wrote:
> All,
>
> Thinking mod_cookietrack through for an ad-network. For the sake of 
> the thought experiment, let's assume all 3rd parties involved use 
> mod_cookietrack:
>
> 1. On a first visit, a user visits a site, which uses 3rd parties to 
> server an ad through an ad-chain with real time bidding.
> 2. if DNT=1, and no exceptions have been granted by the user, no 
> cookies with unique identifiers are set by 3rd parties and as a 
> result, only a non-personalized ad is the result.
> 3. If, for example on auto-refresh of the ad after a few seconds, a 
> personalization of the ad is initiated, then the exception API is 
> called, to ask for a firstparty/known-parties exception. At that 
> point, most of the parties involved with the ad-network flow are 
> known. For those known parties an exception can be asked. After 
> granting the exception cookies with unique identifiers can be set by 
> the 3rd parties with an exception.
> "first-party": [
>      "example_A",
>      "example_B",
>      "example_A"
>    ]
> 4. Only the part of the ad-chain where real time bidding for the ad is 
> involved will result in an unknown number of 3rd parties. Parties can 
> bid for 'a' user not tied to a unique identifier, not 'the' user.
> 5. The party with the highest bid can server the ad, but without 
> setting a unique identifier. If this party want to find out more about 
> the user to whom the personalized ad was served, and needs a unique 
> identifier to do so, the party can call for a site or web-wide exception.
>
> => Maybe putting all the weight on the javascript API to solve the 
> site/* problem is too much to solve the problem. Maybe we need to 
> include normative text for the server-side. Something like:
>
> <normative text>
> 3rd parties operating in a 1st party context MUST not set cookies with 
> unique identifiers on a first visit of a user. Instead the SHOULD ask 
> for an exception.
> </normative text>
>
>
> Rob
>
> On 8-5-2012 21:44, Rob van Eijk wrote:
>> Kimon,
>>
>> Let me make a pro-aktive step here. Recently we touched upon 
>> mod_cookietrack 
>> (http://lists.w3.org/Archives/Public/public-tracking/2012May/0040.html). 
>> One of the things that struck me, is that with a small modification 
>> of mod_usertrack, the author was able to tackle an interesting point: 
>> (https://github.com/jib/mod_cookietrack/blob/master/DOCUMENTATION)
>>
>> "mod_usertrack does not set the cookie on the incoming request, only 
>> on the outgoing request. This means your application doesn't know  
>> what UUID to use for the first visit of a user."
>>
>> Is this server-side behavior in any way useful for the 
>> explicit-explicit exception pairs?
>>
>> Rob
>>
>> On 8-5-2012 21:17, Mike Zaneis wrote:
>>> I'm sorry but I object to this line of advocacy and cajoling by the 
>>> Article 29 Work Group. The W3C Working Group's mission is not to 
>>> create an EU compliance Mechanism, if that happens to occur as part 
>>> of our work then so be it, but it is nowhere in our charter and we 
>>> should not be continually pressured to work towards that end.
>>>
>>> Mike Zaneis
>>> SVP&  General Counsel, IAB
>>> (202) 253-1466
>>>
>>> On May 8, 2012, at 2:35 PM, "Rob van Eijk"<rob@blaeu.com>  wrote:
>>>
>>>> Well,
>>>>
>>>> At least one thing is for sure: tracking cookies need prior consent 
>>>> of the user. There is no uncertainty about that. There is some 
>>>> debate on a possibly very limited list of functional cookies.
>>>>
>>>> One of the latest public documents on the status of the 
>>>> implementation is here ( disclaimer: I haven't checked it in detail):
>>>> http://www.twobirds.com/English/News/Articles/Documents/Implementation_ePrivacy_Directive-Apr2012.pdf 
>>>>
>>>>
>>>> There is a catch-22 here, because law makers are looking closely to 
>>>> the outcome of W3C DNT process. Some find it very hopefull, some 
>>>> think it will not lead to compliance.
>>>>
>>>> So I encourage the group to try to get the TPE out of the impasse. 
>>>> Please tell me, if DNT is not going to have any additional value in 
>>>> comparison to the current opt-out systems. Because if DNT will not 
>>>> be able to offer a rich granular dialog 'under the hood' of the 
>>>> browser, DNT is not going to have the outcome many of us have been 
>>>> hoping for.
>>>>
>>>> Rob
>>>>
>>>> On 8-5-2012 0:42, Kimon Zorbas wrote:
>>>>> That leaves us all (except for some lawyers) with frustration and 
>>>>> uncertainty how the law will be enforced.
>>
>>

Received on Tuesday, 8 May 2012 21:25:54 UTC