- From: Rob van Eijk <rob@blaeu.com>
- Date: Tue, 08 May 2012 23:24:52 +0200
- To: rob@blaeu.com
- CC: Mike Zaneis <mike@iab.net>, Kimon Zorbas <vp@iabeurope.eu>, Jonathan Mayer <jmayer@stanford.edu>, "ifette@google.com" <ifette@google.com>, Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, Nicholas Doty <npdoty@w3.org>, Matthias Schunter <mts-std@schunter.org>
- Message-ID: <4FA98F24.5070102@blaeu.com>
Correction: Thinking mod_usertrack through for an ad-network... (for this module is the modified one) On 8-5-2012 23:14, Rob van Eijk wrote: > All, > > Thinking mod_cookietrack through for an ad-network. For the sake of > the thought experiment, let's assume all 3rd parties involved use > mod_cookietrack: > > 1. On a first visit, a user visits a site, which uses 3rd parties to > server an ad through an ad-chain with real time bidding. > 2. if DNT=1, and no exceptions have been granted by the user, no > cookies with unique identifiers are set by 3rd parties and as a > result, only a non-personalized ad is the result. > 3. If, for example on auto-refresh of the ad after a few seconds, a > personalization of the ad is initiated, then the exception API is > called, to ask for a firstparty/known-parties exception. At that > point, most of the parties involved with the ad-network flow are > known. For those known parties an exception can be asked. After > granting the exception cookies with unique identifiers can be set by > the 3rd parties with an exception. > "first-party": [ > "example_A", > "example_B", > "example_A" > ] > 4. Only the part of the ad-chain where real time bidding for the ad is > involved will result in an unknown number of 3rd parties. Parties can > bid for 'a' user not tied to a unique identifier, not 'the' user. > 5. The party with the highest bid can server the ad, but without > setting a unique identifier. If this party want to find out more about > the user to whom the personalized ad was served, and needs a unique > identifier to do so, the party can call for a site or web-wide exception. > > => Maybe putting all the weight on the javascript API to solve the > site/* problem is too much to solve the problem. Maybe we need to > include normative text for the server-side. Something like: > > <normative text> > 3rd parties operating in a 1st party context MUST not set cookies with > unique identifiers on a first visit of a user. Instead the SHOULD ask > for an exception. > </normative text> > > > Rob > > On 8-5-2012 21:44, Rob van Eijk wrote: >> Kimon, >> >> Let me make a pro-aktive step here. Recently we touched upon >> mod_cookietrack >> (http://lists.w3.org/Archives/Public/public-tracking/2012May/0040.html). >> One of the things that struck me, is that with a small modification >> of mod_usertrack, the author was able to tackle an interesting point: >> (https://github.com/jib/mod_cookietrack/blob/master/DOCUMENTATION) >> >> "mod_usertrack does not set the cookie on the incoming request, only >> on the outgoing request. This means your application doesn't know >> what UUID to use for the first visit of a user." >> >> Is this server-side behavior in any way useful for the >> explicit-explicit exception pairs? >> >> Rob >> >> On 8-5-2012 21:17, Mike Zaneis wrote: >>> I'm sorry but I object to this line of advocacy and cajoling by the >>> Article 29 Work Group. The W3C Working Group's mission is not to >>> create an EU compliance Mechanism, if that happens to occur as part >>> of our work then so be it, but it is nowhere in our charter and we >>> should not be continually pressured to work towards that end. >>> >>> Mike Zaneis >>> SVP& General Counsel, IAB >>> (202) 253-1466 >>> >>> On May 8, 2012, at 2:35 PM, "Rob van Eijk"<rob@blaeu.com> wrote: >>> >>>> Well, >>>> >>>> At least one thing is for sure: tracking cookies need prior consent >>>> of the user. There is no uncertainty about that. There is some >>>> debate on a possibly very limited list of functional cookies. >>>> >>>> One of the latest public documents on the status of the >>>> implementation is here ( disclaimer: I haven't checked it in detail): >>>> http://www.twobirds.com/English/News/Articles/Documents/Implementation_ePrivacy_Directive-Apr2012.pdf >>>> >>>> >>>> There is a catch-22 here, because law makers are looking closely to >>>> the outcome of W3C DNT process. Some find it very hopefull, some >>>> think it will not lead to compliance. >>>> >>>> So I encourage the group to try to get the TPE out of the impasse. >>>> Please tell me, if DNT is not going to have any additional value in >>>> comparison to the current opt-out systems. Because if DNT will not >>>> be able to offer a rich granular dialog 'under the hood' of the >>>> browser, DNT is not going to have the outcome many of us have been >>>> hoping for. >>>> >>>> Rob >>>> >>>> On 8-5-2012 0:42, Kimon Zorbas wrote: >>>>> That leaves us all (except for some lawyers) with frustration and >>>>> uncertainty how the law will be enforced. >> >>
Received on Tuesday, 8 May 2012 21:25:54 UTC