Re: explicit-explicit exception pairs from Rob van Eijk on 2012-05-08 (public-tracking@w3.org from May 2012)

From: Rob van Eijk <rob@blaeu.com>
Date: Tue, 08 May 2012 23:38:40 +0200
To: Shane Wiley <wileys@yahoo-inc.com>
CC: Mike Zaneis <mike@iab.net>, Kimon Zorbas <vp@iabeurope.eu>, Jonathan Mayer <jmayer@stanford.edu>, "ifette@google.com" <ifette@google.com>, Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, Nicholas Doty <npdoty@w3.org>, Matthias Schunter <mts-std@schunter.org>
Message-ID: <4FA99260.4030704@blaeu.com>
That triggers a question: please be so kind to explain to me why the OBA 
opt-out system does not break this thought experiment. What I see in my 
experiments is that more and more parties removing the cookies with 
unique identifiers while setting an opt-out cookie instead with a 
generic value like 'OPT-OUT'.

I saw confirmation of my experiments in the Wall Street Journal data 
transparency weekend crawling Alexa 500 websites.

Rob

On 8-5-2012 23:21, Shane Wiley wrote:
>
> #2 breaks most of the ad ecosystem (security/fraud, financial/audit, 
> frequency capping, basic analytics, etc.) -- unique, anonymous/non-PII 
> cookies are needed for basic business operations.
>
> - Shane
>
> *From:*Rob van Eijk [mailto:rob@blaeu.com]
> *Sent:* Tuesday, May 08, 2012 2:15 PM
> *To:* rob@blaeu.com
> *Cc:* Mike Zaneis; Kimon Zorbas; Jonathan Mayer; ifette@google.com; 
> Rigo Wenning; public-tracking@w3.org; Nicholas Doty; Matthias Schunter
> *Subject:* Re: explicit-explicit exception pairs
>
> All,
>
> Thinking mod_cookietrack through for an ad-network. For the sake of 
> the thought experiment, let's assume all 3rd parties involved use 
> mod_cookietrack:
>
> 1. On a first visit, a user visits a site, which uses 3rd parties to 
> server an ad through an ad-chain with real time bidding.
> 2. if DNT=1, and no exceptions have been granted by the user, no 
> cookies with unique identifiers are set by 3rd parties and as a 
> result, only a non-personalized ad is the result.
> 3. If, for example on auto-refresh of the ad after a few seconds, a 
> personalization of the ad is initiated, then the exception API is 
> called, to ask for a firstparty/known-parties exception. At that 
> point, most of the parties involved with the ad-network flow are 
> known. For those known parties an exception can be asked. After 
> granting the exception cookies with unique identifiers can be set by 
> the 3rd parties with an exception.
>
> "first-party": [
>      "example_A",
>      "example_B",
>      "example_A"
>    ]
>
> 4. Only the part of the ad-chain where real time bidding for the ad is 
> involved will result in an unknown number of 3rd parties. Parties can 
> bid for 'a' user not tied to a unique identifier, not 'the' user.
> 5. The party with the highest bid can server the ad, but without 
> setting a unique identifier. If this party want to find out more about 
> the user to whom the personalized ad was served, and needs a unique 
> identifier to do so, the party can call for a site or web-wide exception.
>
> => Maybe putting all the weight on the javascript API to solve the 
> site/* problem is too much to solve the problem. Maybe we need to 
> include normative text for the server-side. Something like:
>
> <normative text>
> 3rd parties operating in a 1st party context MUST not set cookies with 
> unique identifiers on a first visit of a user. Instead the SHOULD ask 
> for an exception.
> </normative text>
>
>
> Rob
>
> On 8-5-2012 21:44, Rob van Eijk wrote:
>
> Kimon,
>
> Let me make a pro-aktive step here. Recently we touched upon 
> mod_cookietrack 
> (http://lists.w3.org/Archives/Public/public-tracking/2012May/0040.html). 
> One of the things that struck me, is that with a small modification of 
> mod_usertrack, the author was able to tackle an interesting point: 
> (https://github.com/jib/mod_cookietrack/blob/master/DOCUMENTATION)
>
> "mod_usertrack does not set the cookie on the incoming request, only 
> on the outgoing request. This means your application doesn't know  
> what UUID to use for the first visit of a user."
>
> Is this server-side behavior in any way useful for the 
> explicit-explicit exception pairs?
>
> Rob
>
> On 8-5-2012 21:17, Mike Zaneis wrote:
>
> I'm sorry but I object to this line of advocacy and cajoling by the 
> Article 29 Work Group. The W3C Working Group's mission is not to 
> create an EU compliance Mechanism, if that happens to occur as part of 
> our work then so be it, but it is nowhere in our charter and we should 
> not be continually pressured to work towards that end.
>
> Mike Zaneis
> SVP&  General Counsel, IAB
> (202) 253-1466
>
> On May 8, 2012, at 2:35 PM, "Rob van Eijk"<rob@blaeu.com> 
> <mailto:rob@blaeu.com>  wrote:
>
>
> Well,
>
> At least one thing is for sure: tracking cookies need prior consent of 
> the user. There is no uncertainty about that. There is some debate on 
> a possibly very limited list of functional cookies.
>
> One of the latest public documents on the status of the implementation 
> is here ( disclaimer: I haven't checked it in detail):
> http://www.twobirds.com/English/News/Articles/Documents/Implementation_ePrivacy_Directive-Apr2012.pdf 
>
>
> There is a catch-22 here, because law makers are looking closely to 
> the outcome of W3C DNT process. Some find it very hopefull, some think 
> it will not lead to compliance.
>
> So I encourage the group to try to get the TPE out of the impasse. 
> Please tell me, if DNT is not going to have any additional value in 
> comparison to the current opt-out systems. Because if DNT will not be 
> able to offer a rich granular dialog 'under the hood' of the browser, 
> DNT is not going to have the outcome many of us have been hoping for.
>
> Rob
>
> On 8-5-2012 0:42, Kimon Zorbas wrote:
>
> That leaves us all (except for some lawyers) with frustration and 
> uncertainty how the law will be enforced.
>
Received on Tuesday, 8 May 2012 21:39:29 UTC