RE: explicit-explicit exception pairs

Rob,

I would ask them.  They could be using digital fingerprints as a proxy (worse consumer privacy outcome in my personal opinion) or they could be absorbing the revenue hit due to the opt-out rate not being significant enough to material affect day to day business operations.  Does the A29WP support digital fingerprints over cookies?  If you take Mozilla's current DNT projections at 6% into account, the latter approach will no longer be survivable for most, if not all, ad networks.

- Shane

From: Rob van Eijk [mailto:rob@blaeu.com]
Sent: Tuesday, May 08, 2012 2:39 PM
To: Shane Wiley
Cc: Mike Zaneis; Kimon Zorbas; Jonathan Mayer; ifette@google.com; Rigo Wenning; public-tracking@w3.org; Nicholas Doty; Matthias Schunter
Subject: Re: explicit-explicit exception pairs

That triggers a question: please be so kind to explain to me why the OBA opt-out system does not break this thought experiment. What I see in my experiments is that more and more parties removing the cookies with unique identifiers while setting an opt-out cookie instead with a generic value like 'OPT-OUT'.

I saw confirmation of my experiments in the Wall Street Journal data transparency weekend crawling Alexa 500 websites.

Rob

On 8-5-2012 23:21, Shane Wiley wrote:
#2 breaks most of the ad ecosystem (security/fraud, financial/audit, frequency capping, basic analytics, etc.) - unique, anonymous/non-PII cookies are needed for basic business operations.

- Shane

From: Rob van Eijk [mailto:rob@blaeu.com]
Sent: Tuesday, May 08, 2012 2:15 PM
To: rob@blaeu.com<mailto:rob@blaeu.com>
Cc: Mike Zaneis; Kimon Zorbas; Jonathan Mayer; ifette@google.com<mailto:ifette@google.com>; Rigo Wenning; public-tracking@w3.org<mailto:public-tracking@w3.org>; Nicholas Doty; Matthias Schunter
Subject: Re: explicit-explicit exception pairs

All,

Thinking mod_cookietrack through for an ad-network. For the sake of the thought experiment, let's assume all 3rd parties involved use mod_cookietrack:

1. On a first visit, a user visits a site, which uses 3rd parties to server an ad through an ad-chain with real time bidding.
2. if DNT=1, and no exceptions have been granted by the user, no cookies with unique identifiers are set by 3rd parties and as a result, only a non-personalized ad is the result.
3. If, for example on auto-refresh of the ad after a few seconds, a personalization of the ad is initiated, then the exception API is called, to ask for a firstparty/known-parties exception. At that point, most of the parties involved with the ad-network flow are known. For those known parties an exception can be asked. After granting the exception cookies with unique identifiers can be set by the 3rd parties with an exception.



"first-party": [

    "example_A",

    "example_B",

    "example_A"

  ]
4. Only the part of the ad-chain where real time bidding for the ad is involved will result in an unknown number of 3rd parties. Parties can bid for 'a' user not tied to a unique identifier, not 'the' user.
5. The party with the highest bid can server the ad, but without setting a unique identifier. If this party want to find out more about the user to whom the personalized ad was served, and needs a unique identifier to do so, the party can call for a site or web-wide exception.

=> Maybe putting all the weight on the javascript API to solve the site/* problem is too much to solve the problem. Maybe we need to include normative text for the server-side. Something like:

<normative text>
3rd parties operating in a 1st party context MUST not set cookies with unique identifiers on a first visit of a user. Instead the SHOULD ask for an exception.
</normative text>


Rob

On 8-5-2012 21:44, Rob van Eijk wrote:
Kimon,

Let me make a pro-aktive step here. Recently we touched upon mod_cookietrack (http://lists.w3.org/Archives/Public/public-tracking/2012May/0040.html). One of the things that struck me, is that with a small modification of mod_usertrack, the author was able to tackle an interesting point: (https://github.com/jib/mod_cookietrack/blob/master/DOCUMENTATION)

"mod_usertrack does not set the cookie on the incoming request, only on the outgoing request. This means your application doesn't know  what UUID to use for the first visit of a user."

Is this server-side behavior in any way useful for the explicit-explicit exception pairs?

Rob

On 8-5-2012 21:17, Mike Zaneis wrote:


I'm sorry but I object to this line of advocacy and cajoling by the Article 29 Work Group. The W3C Working Group's mission is not to create an EU compliance Mechanism, if that happens to occur as part of our work then so be it, but it is nowhere in our charter and we should not be continually pressured to work towards that end.

Mike Zaneis
SVP&  General Counsel, IAB
(202) 253-1466

On May 8, 2012, at 2:35 PM, "Rob van Eijk"<rob@blaeu.com><mailto:rob@blaeu.com>  wrote:



Well,

At least one thing is for sure: tracking cookies need prior consent of the user. There is no uncertainty about that. There is some debate on a possibly very limited list of functional cookies.

One of the latest public documents on the status of the implementation is here ( disclaimer: I haven't checked it in detail):
http://www.twobirds.com/English/News/Articles/Documents/Implementation_ePrivacy_Directive-Apr2012.pdf

There is a catch-22 here, because law makers are looking closely to the outcome of W3C DNT process. Some find it very hopefull, some think it will not lead to compliance.

So I encourage the group to try to get the TPE out of the impasse. Please tell me, if DNT is not going to have any additional value in comparison to the current opt-out systems. Because if DNT will not be able to offer a rich granular dialog 'under the hood' of the browser, DNT is not going to have the outcome many of us have been hoping for.

Rob

On 8-5-2012 0:42, Kimon Zorbas wrote:


That leaves us all (except for some lawyers) with frustration and uncertainty how the law will be enforced.