- From: Jules Polonetsky <julespol@futureofprivacy.org>
- Date: Tue, 8 May 2012 18:57:03 -0400
- To: "'Shane Wiley'" <wileys@yahoo-inc.com>, <rob@blaeu.com>
- Cc: "'Mike Zaneis'" <mike@iab.net>, "'Kimon Zorbas'" <vp@iabeurope.eu>, "'Jonathan Mayer'" <jmayer@stanford.edu>, <ifette@google.com>, "'Rigo Wenning'" <rigo@w3.org>, <public-tracking@w3.org>, "'Nicholas Doty'" <npdoty@w3.org>, "'Matthias Schunter'" <mts-std@schunter.org>
- Message-ID: <018201cd2d6d$e2dad5d0$a8908170$@futureofprivacy.org>
My experience has been that removing/overwriting the cookie does break measurement for most companies..but so does the fact that cookies get lost, corrupted, or tossed when a browser hits its max cookie capacity, or when the user is using Safari..my estimate from one large ad network is 30% of users seen by that ad network do not have a cookie from that network for one reason or another..user deleted it, blocked it, anti-spyware removed it. Anyone relying on measurement does work to adjust for this or to recognize this. But measuring 70% of users is pretty good, and enables very precise analysis of performance for small segments.users exposed to the blue ad version 2 on weekends while at work mid-day were most likely to end up purchasing when they visited the site 3 weeks later. Assuming a very large number of DNT users, and a broad definition of DNT, web site analytics or ad measurement will be more like traditional media - sampling a small percentage of users and panels. For why that is a problem for the lowly banner ad: http://www.huffingtonpost.com/jules-polonetsky/why-they-track-us_b_1475027.h tml From: Shane Wiley [mailto:wileys@yahoo-inc.com] Sent: Tuesday, May 08, 2012 5:44 PM To: rob@blaeu.com Cc: Mike Zaneis; Kimon Zorbas; Jonathan Mayer; ifette@google.com; Rigo Wenning; public-tracking@w3.org; Nicholas Doty; Matthias Schunter Subject: RE: explicit-explicit exception pairs Rob, I would ask them. They could be using digital fingerprints as a proxy (worse consumer privacy outcome in my personal opinion) or they could be absorbing the revenue hit due to the opt-out rate not being significant enough to material affect day to day business operations. Does the A29WP support digital fingerprints over cookies? If you take Mozilla's current DNT projections at 6% into account, the latter approach will no longer be survivable for most, if not all, ad networks. - Shane From: Rob van Eijk [mailto:rob@blaeu.com] Sent: Tuesday, May 08, 2012 2:39 PM To: Shane Wiley Cc: Mike Zaneis; Kimon Zorbas; Jonathan Mayer; ifette@google.com; Rigo Wenning; public-tracking@w3.org; Nicholas Doty; Matthias Schunter Subject: Re: explicit-explicit exception pairs That triggers a question: please be so kind to explain to me why the OBA opt-out system does not break this thought experiment. What I see in my experiments is that more and more parties removing the cookies with unique identifiers while setting an opt-out cookie instead with a generic value like 'OPT-OUT'. I saw confirmation of my experiments in the Wall Street Journal data transparency weekend crawling Alexa 500 websites. Rob On 8-5-2012 23:21, Shane Wiley wrote: #2 breaks most of the ad ecosystem (security/fraud, financial/audit, frequency capping, basic analytics, etc.) - unique, anonymous/non-PII cookies are needed for basic business operations. - Shane From: Rob van Eijk [mailto:rob@blaeu.com] Sent: Tuesday, May 08, 2012 2:15 PM To: rob@blaeu.com Cc: Mike Zaneis; Kimon Zorbas; Jonathan Mayer; ifette@google.com; Rigo Wenning; public-tracking@w3.org; Nicholas Doty; Matthias Schunter Subject: Re: explicit-explicit exception pairs All, Thinking mod_cookietrack through for an ad-network. For the sake of the thought experiment, let's assume all 3rd parties involved use mod_cookietrack: 1. On a first visit, a user visits a site, which uses 3rd parties to server an ad through an ad-chain with real time bidding. 2. if DNT=1, and no exceptions have been granted by the user, no cookies with unique identifiers are set by 3rd parties and as a result, only a non-personalized ad is the result. 3. If, for example on auto-refresh of the ad after a few seconds, a personalization of the ad is initiated, then the exception API is called, to ask for a firstparty/known-parties exception. At that point, most of the parties involved with the ad-network flow are known. For those known parties an exception can be asked. After granting the exception cookies with unique identifiers can be set by the 3rd parties with an exception. "first-party": [ "example_A", "example_B", "example_A" ] 4. Only the part of the ad-chain where real time bidding for the ad is involved will result in an unknown number of 3rd parties. Parties can bid for 'a' user not tied to a unique identifier, not 'the' user. 5. The party with the highest bid can server the ad, but without setting a unique identifier. If this party want to find out more about the user to whom the personalized ad was served, and needs a unique identifier to do so, the party can call for a site or web-wide exception. => Maybe putting all the weight on the javascript API to solve the site/* problem is too much to solve the problem. Maybe we need to include normative text for the server-side. Something like: <normative text> 3rd parties operating in a 1st party context MUST not set cookies with unique identifiers on a first visit of a user. Instead the SHOULD ask for an exception. </normative text> Rob On 8-5-2012 21:44, Rob van Eijk wrote: Kimon, Let me make a pro-aktive step here. Recently we touched upon mod_cookietrack (http://lists.w3.org/Archives/Public/public-tracking/2012May/0040.html). One of the things that struck me, is that with a small modification of mod_usertrack, the author was able to tackle an interesting point: (https://github.com/jib/mod_cookietrack/blob/master/DOCUMENTATION) "mod_usertrack does not set the cookie on the incoming request, only on the outgoing request. This means your application doesn't know what UUID to use for the first visit of a user." Is this server-side behavior in any way useful for the explicit-explicit exception pairs? Rob On 8-5-2012 21:17, Mike Zaneis wrote: I'm sorry but I object to this line of advocacy and cajoling by the Article 29 Work Group. The W3C Working Group's mission is not to create an EU compliance Mechanism, if that happens to occur as part of our work then so be it, but it is nowhere in our charter and we should not be continually pressured to work towards that end. Mike Zaneis SVP& General Counsel, IAB (202) 253-1466 On May 8, 2012, at 2:35 PM, "Rob van Eijk" <mailto:rob@blaeu.com> <rob@blaeu.com> wrote: Well, At least one thing is for sure: tracking cookies need prior consent of the user. There is no uncertainty about that. There is some debate on a possibly very limited list of functional cookies. One of the latest public documents on the status of the implementation is here ( disclaimer: I haven't checked it in detail): http://www.twobirds.com/English/News/Articles/Documents/Implementation_ePriv acy_Directive-Apr2012.pdf There is a catch-22 here, because law makers are looking closely to the outcome of W3C DNT process. Some find it very hopefull, some think it will not lead to compliance. So I encourage the group to try to get the TPE out of the impasse. Please tell me, if DNT is not going to have any additional value in comparison to the current opt-out systems. Because if DNT will not be able to offer a rich granular dialog 'under the hood' of the browser, DNT is not going to have the outcome many of us have been hoping for. Rob On 8-5-2012 0:42, Kimon Zorbas wrote: That leaves us all (except for some lawyers) with frustration and uncertainty how the law will be enforced.
Received on Tuesday, 8 May 2012 22:57:45 UTC