
RE: explicit-explicit exception pairs

From: Jules Polonetsky <julespol@futureofprivacy.org>
Date: Tue, 8 May 2012 18:57:03 -0400
To: "'Shane Wiley'" <wileys@yahoo-inc.com>, <rob@blaeu.com>
Cc: "'Mike Zaneis'" <mike@iab.net>, "'Kimon Zorbas'" <vp@iabeurope.eu>, "'Jonathan Mayer'" <jmayer@stanford.edu>, <ifette@google.com>, "'Rigo Wenning'" <rigo@w3.org>, <public-tracking@w3.org>, "'Nicholas Doty'" <npdoty@w3.org>, "'Matthias Schunter'" <mts-std@schunter.org>
Message-ID: <018201cd2d6d$e2dad5d0$a8908170$@futureofprivacy.org>
My experience has been that removing/overwriting the cookie does break
measurement for most companies... but so does the fact that cookies get lost,
corrupted, or tossed when a browser hits its max cookie capacity, or when
the user is using Safari... my estimate from one large ad network is 30% of
users seen by that ad network do not have a cookie from that network for one
reason or another... user deleted it, blocked it, anti-spyware removed it.


Anyone relying on measurement does work to adjust for this or to recognize
this.  But measuring 70% of users is pretty good, and enables very precise
analysis of performance for small segments... users exposed to the blue ad
version 2 on weekends while at work mid-day were most likely to end up
purchasing when they visited the site 3 weeks later.  Assuming a very large
number of DNT users, and a broad definition of DNT, web site analytics or ad
measurement will be more like traditional media - sampling a small
percentage of users and panels.


For why that is a problem for the lowly banner ad:







From: Shane Wiley [mailto:wileys@yahoo-inc.com] 
Sent: Tuesday, May 08, 2012 5:44 PM
To: rob@blaeu.com
Cc: Mike Zaneis; Kimon Zorbas; Jonathan Mayer; ifette@google.com; Rigo
Wenning; public-tracking@w3.org; Nicholas Doty; Matthias Schunter
Subject: RE: explicit-explicit exception pairs




I would ask them.  They could be using digital fingerprints as a proxy
(worse consumer privacy outcome in my personal opinion) or they could be
absorbing the revenue hit due to the opt-out rate not being significant
enough to materially affect day to day business operations.  Does the A29WP
support digital fingerprints over cookies?  If you take Mozilla's current
DNT projections at 6% into account, the latter approach will no longer be
survivable for most, if not all, ad networks.


- Shane  


From: Rob van Eijk [mailto:rob@blaeu.com] 
Sent: Tuesday, May 08, 2012 2:39 PM
To: Shane Wiley
Cc: Mike Zaneis; Kimon Zorbas; Jonathan Mayer; ifette@google.com; Rigo
Wenning; public-tracking@w3.org; Nicholas Doty; Matthias Schunter
Subject: Re: explicit-explicit exception pairs


That triggers a question: please be so kind to explain to me why the OBA
opt-out system does not break this thought experiment. What I see in my
experiments is that more and more parties are removing the cookies with unique
identifiers while setting an opt-out cookie instead with a generic value
like 'OPT-OUT'. 

I saw confirmation of my experiments in the Wall Street Journal data
transparency weekend crawling Alexa 500 websites.


On 8-5-2012 23:21, Shane Wiley wrote: 

#2 breaks most of the ad ecosystem (security/fraud, financial/audit,
frequency capping, basic analytics, etc.) - unique, anonymous/non-PII
cookies are needed for basic business operations.


- Shane


From: Rob van Eijk [mailto:rob@blaeu.com] 
Sent: Tuesday, May 08, 2012 2:15 PM
To: rob@blaeu.com
Cc: Mike Zaneis; Kimon Zorbas; Jonathan Mayer; ifette@google.com; Rigo
Wenning; public-tracking@w3.org; Nicholas Doty; Matthias Schunter
Subject: Re: explicit-explicit exception pairs



Thinking mod_cookietrack through for an ad-network. For the sake of the
thought experiment, let's assume all 3rd parties involved use

1. On a first visit, a user visits a site, which uses 3rd parties to serve
an ad through an ad-chain with real time bidding. 
2. If DNT=1, and no exceptions have been granted by the user, no cookies
with unique identifiers are set by 3rd parties and as a result, only a
non-personalized ad is the result. 
3. If, for example on auto-refresh of the ad after a few seconds, a
personalization of the ad is initiated, then the exception API is called, to
ask for a firstparty/known-parties exception. At that point, most of the
parties involved with the ad-network flow are known. For those known parties
an exception can be asked. After granting the exception cookies with unique
identifiers can be set by the 3rd parties with an exception.

"first-party": [

4. Only the part of the ad-chain where real time bidding for the ad is
involved will result in an unknown number of 3rd parties. Parties can bid
for 'a' user not tied to a unique identifier, not 'the' user.
5. The party with the highest bid can serve the ad, but without setting a
unique identifier. If this party wants to find out more about the user to
whom the personalized ad was served, and needs a unique identifier to do so,
the party can call for a site or web-wide exception.
=> Maybe putting all the weight on the JavaScript API to solve the site/*
problem is too much to solve the problem. Maybe we need to include normative
text for the server-side. Something like:

<normative text>
3rd parties operating in a 1st party context MUST not set cookies with
unique identifiers on a first visit of a user. Instead they SHOULD ask for an
</normative text>


On 8-5-2012 21:44, Rob van Eijk wrote: 


Let me make a proactive step here. Recently we touched upon mod_cookietrack
(http://lists.w3.org/Archives/Public/public-tracking/2012May/0040.html). One
of the things that struck me, is that with a small modification of
mod_usertrack, the author was able to tackle an interesting point:

"mod_usertrack does not set the cookie on the incoming request, only on the
outgoing request. This means your application doesn't know what UUID to use
for the first visit of a user." 

Is this server-side behavior in any way useful for the explicit-explicit
exception pairs? 


On 8-5-2012 21:17, Mike Zaneis wrote: 

I'm sorry but I object to this line of advocacy and cajoling by the Article
29 Work Group. The W3C Working Group's mission is not to create an EU
compliance Mechanism, if that happens to occur as part of our work then so
be it, but it is nowhere in our charter and we should not be continually
pressured to work towards that end. 

Mike Zaneis 
SVP & General Counsel, IAB 
(202) 253-1466 

On May 8, 2012, at 2:35 PM, "Rob van Eijk" <rob@blaeu.com> wrote: 


At least one thing is for sure: tracking cookies need prior consent of the
user. There is no uncertainty about that. There is some debate on a possibly
very limited list of functional cookies. 

One of the latest public documents on the status of the implementation is
here (disclaimer: I haven't checked it in detail): 

There is a catch-22 here, because law makers are looking closely at the
outcome of W3C DNT process. Some find it very hopeful, some think it will
not lead to compliance. 

So I encourage the group to try to get the TPE out of the impasse. Please
tell me, if DNT is not going to have any additional value in comparison to
the current opt-out systems. Because if DNT will not be able to offer a rich
granular dialog 'under the hood' of the browser, DNT is not going to have
the outcome many of us have been hoping for. 


On 8-5-2012 0:42, Kimon Zorbas wrote: 

That leaves us all (except for some lawyers) with frustration and
uncertainty how the law will be enforced. 

Received on Tuesday, 8 May 2012 22:57:45 UTC
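
The server-side decision discussed in the thread (no unique-identifier cookie when DNT=1 without an exception, a generic 'OPT-OUT' value replacing an existing identifier, and the identifier being available to the application on the first request), as an added sketch that is not part of the thread and not code from mod_cookietrack or mod_usertrack. The cookie name `uid`, the `exceptions` set standing in for granted exceptions, the rule that a granted exception overrides an existing opt-out cookie, and all function names are assumptions.

```python
import uuid
from http.cookies import SimpleCookie

COOKIE_NAME = "uid"        # assumed cookie name, not from the thread
OPT_OUT_VALUE = "OPT-OUT"  # generic value quoted in the thread


def _set_cookie(value):
    """Build a Set-Cookie header value for the identifier cookie."""
    c = SimpleCookie()
    c[COOKIE_NAME] = value
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["secure"] = True
    c[COOKIE_NAME]["httponly"] = True
    return c[COOKIE_NAME].OutputString()


def decide_cookie(headers, origin, exceptions):
    """Return (uid_for_this_request, set_cookie_value_or_None).

    headers:    request headers as a dict with "DNT" and "Cookie" keys (assumed shape)
    origin:     this third party's own origin
    exceptions: origins the user has granted an exception to (assumed model)
    """
    jar = SimpleCookie(headers.get("Cookie", ""))
    current = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
    dnt_on = headers.get("DNT", "").strip() == "1"
    opted_out = current == OPT_OUT_VALUE
    # Assumption: an explicit exception overrides both DNT=1 and an opt-out cookie.
    may_track = origin in exceptions or (not dnt_on and not opted_out)

    if not may_track:
        # Never mint an identifier; overwrite an existing one with the generic value.
        if current is not None and not opted_out:
            return None, _set_cookie(OPT_OUT_VALUE)
        return None, None

    if current is None or opted_out:
        # First permitted visit: mint the identifier and hand it to the application
        # on this same request, so it is known before the response goes out.
        new_id = str(uuid.uuid4())
        return new_id, _set_cookie(new_id)

    return current, None  # returning visitor with a valid identifier
```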
