- From: Rob van Eijk <rob@blaeu.com>
- Date: Tue, 08 May 2012 23:38:40 +0200
- To: Shane Wiley <wileys@yahoo-inc.com>
- CC: Mike Zaneis <mike@iab.net>, Kimon Zorbas <vp@iabeurope.eu>, Jonathan Mayer <jmayer@stanford.edu>, "ifette@google.com" <ifette@google.com>, Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, Nicholas Doty <npdoty@w3.org>, Matthias Schunter <mts-std@schunter.org>
- Message-ID: <4FA99260.4030704@blaeu.com>
That triggers a question: please be so kind to explain to me why the OBA opt-out system does not break this thought experiment. What I see in my experiments is that more and more parties removing the cookies with unique identifiers while setting an opt-out cookie instead with a generic value like 'OPT-OUT'. I saw confirmation of my experiments in the Wall Street Journal data transparency weekend crawling Alexa 500 websites. Rob On 8-5-2012 23:21, Shane Wiley wrote: > > #2 breaks most of the ad ecosystem (security/fraud, financial/audit, > frequency capping, basic analytics, etc.) -- unique, anonymous/non-PII > cookies are needed for basic business operations. > > - Shane > > *From:*Rob van Eijk [mailto:rob@blaeu.com] > *Sent:* Tuesday, May 08, 2012 2:15 PM > *To:* rob@blaeu.com > *Cc:* Mike Zaneis; Kimon Zorbas; Jonathan Mayer; ifette@google.com; > Rigo Wenning; public-tracking@w3.org; Nicholas Doty; Matthias Schunter > *Subject:* Re: explicit-explicit exception pairs > > All, > > Thinking mod_cookietrack through for an ad-network. For the sake of > the thought experiment, let's assume all 3rd parties involved use > mod_cookietrack: > > 1. On a first visit, a user visits a site, which uses 3rd parties to > server an ad through an ad-chain with real time bidding. > 2. if DNT=1, and no exceptions have been granted by the user, no > cookies with unique identifiers are set by 3rd parties and as a > result, only a non-personalized ad is the result. > 3. If, for example on auto-refresh of the ad after a few seconds, a > personalization of the ad is initiated, then the exception API is > called, to ask for a firstparty/known-parties exception. At that > point, most of the parties involved with the ad-network flow are > known. For those known parties an exception can be asked. After > granting the exception cookies with unique identifiers can be set by > the 3rd parties with an exception. > > "first-party": [ > "example_A", > "example_B", > "example_A" > ] > > 4. Only the part of the ad-chain where real time bidding for the ad is > involved will result in an unknown number of 3rd parties. Parties can > bid for 'a' user not tied to a unique identifier, not 'the' user. > 5. The party with the highest bid can server the ad, but without > setting a unique identifier. If this party want to find out more about > the user to whom the personalized ad was served, and needs a unique > identifier to do so, the party can call for a site or web-wide exception. > > => Maybe putting all the weight on the javascript API to solve the > site/* problem is too much to solve the problem. Maybe we need to > include normative text for the server-side. Something like: > > <normative text> > 3rd parties operating in a 1st party context MUST not set cookies with > unique identifiers on a first visit of a user. Instead the SHOULD ask > for an exception. > </normative text> > > > Rob > > On 8-5-2012 21:44, Rob van Eijk wrote: > > Kimon, > > Let me make a pro-aktive step here. Recently we touched upon > mod_cookietrack > (http://lists.w3.org/Archives/Public/public-tracking/2012May/0040.html). > One of the things that struck me, is that with a small modification of > mod_usertrack, the author was able to tackle an interesting point: > (https://github.com/jib/mod_cookietrack/blob/master/DOCUMENTATION) > > "mod_usertrack does not set the cookie on the incoming request, only > on the outgoing request. This means your application doesn't know > what UUID to use for the first visit of a user." > > Is this server-side behavior in any way useful for the > explicit-explicit exception pairs? > > Rob > > On 8-5-2012 21:17, Mike Zaneis wrote: > > I'm sorry but I object to this line of advocacy and cajoling by the > Article 29 Work Group. The W3C Working Group's mission is not to > create an EU compliance Mechanism, if that happens to occur as part of > our work then so be it, but it is nowhere in our charter and we should > not be continually pressured to work towards that end. > > Mike Zaneis > SVP& General Counsel, IAB > (202) 253-1466 > > On May 8, 2012, at 2:35 PM, "Rob van Eijk"<rob@blaeu.com> > <mailto:rob@blaeu.com> wrote: > > > Well, > > At least one thing is for sure: tracking cookies need prior consent of > the user. There is no uncertainty about that. There is some debate on > a possibly very limited list of functional cookies. > > One of the latest public documents on the status of the implementation > is here ( disclaimer: I haven't checked it in detail): > http://www.twobirds.com/English/News/Articles/Documents/Implementation_ePrivacy_Directive-Apr2012.pdf > > > There is a catch-22 here, because law makers are looking closely to > the outcome of W3C DNT process. Some find it very hopefull, some think > it will not lead to compliance. > > So I encourage the group to try to get the TPE out of the impasse. > Please tell me, if DNT is not going to have any additional value in > comparison to the current opt-out systems. Because if DNT will not be > able to offer a rich granular dialog 'under the hood' of the browser, > DNT is not going to have the outcome many of us have been hoping for. > > Rob > > On 8-5-2012 0:42, Kimon Zorbas wrote: > > That leaves us all (except for some lawyers) with frustration and > uncertainty how the law will be enforced. >
Received on Tuesday, 8 May 2012 21:39:29 UTC