- From: Ronan Heffernan <ronansan@gmail.com>
- Date: Thu, 18 Jul 2013 11:37:26 -0400
- To: "Mike O'Neill" <michael.oneill@baycloud.com>
- Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
- Message-ID: <CAHyiW9KPKyT-WgiVYW2t3e7D5Y8D_hp12FQN3T1gcFTdk65MUg@mail.gmail.com>
We aren't doing the capping; we are reporting on the reach and frequency (typical audience measurement requirements). This means that we have to measure how many times each device was exposed to each creative. Part of our assumption that UGE will be useless for us (and for many 3rd parties) is that JS will not be allowed (there are other reasons). The frequency-capping script (from the ad network) might have an IFrame with a script (not likely, but possible), but our measurement cannot rely on the existence of yet another third-parties' IFrame. --ronan On Thu, Jul 18, 2013 at 10:49 AM, Mike O'Neill <michael.oneill@baycloud.com>wrote: > Hi Ronan,**** > > ** ** > > Is that your reason for not using the UGE? I did suggest another method > (for consent signalling) using cloning specific named cookies to embedded > third-parties, would that have been better for you?**** > > ** ** > > Also, the frequency capping script could be inside a third-party frame, > could you use that?**** > > ** ** > > Mike**** > > ** ** > > ** ** > > ** ** > > *From:* Ronan Heffernan [mailto:ronansan@gmail.com] > *Sent:* 18 July 2013 15:38 > *To:* Mike O'Neill > *Subject:* Re: issue-25**** > > ** ** > > LocalStorage (like the DNT UGE mechanism) is useless for most audience > measurement, since we are not allowed to use JS on most websites. That > limitation also means that the cap-exceeded determination cannot be made > client-side. The server has to make the determination. This is going to > require a unique identifier. **** > > BTW, I *completely* understand the prohibition against such 3rd-party JS. > If I were running an "important" website (as opposed to the trivial ones > that I run in my spare time), I would not allow random strangers to inject > their JS into my site, with the potential of doing all kinds of negative > things to my user experience.**** > > ** ** > > --ronan **** > > ** ** > > On Thu, Jul 18, 2013 at 10:29 AM, Mike O'Neill < > michael.oneill@baycloud.com> wrote:**** > > Hi Ronan,**** > > **** > > I was just addressing the unique visitor requirement mentioned by Kathy, > frequency capping will need other methods but still does not need to rely > on unique identifiers. For example script could maintain a count in > localStorage then signal a count overrun using a session cookie.**** > > **** > > Mike**** > > **** > > *From:* Ronan Heffernan [mailto:ronansan@gmail.com] > *Sent:* 18 July 2013 14:39 > *To:* Mike O'Neill > *Cc:* Tracking Protection Working Group WG > *Subject:* Re: issue-25**** > > **** > > Mike,**** > > That solution might work if "frequency capping" were always set to > limit each user to 1 exposure. However, that is not the case. Let's say > that the frequency capping requirement in a contract says that each device > should be showed the same piece of content no more than 7 times in a > 9-month period. Counting how many times that device was offered that > content cannot really be done with the cache mechanism that you suggest.** > ** > > --ronan**** > > **** > > On Thu, Jul 18, 2013 at 9:21 AM, Mike O'Neill <michael.oneill@baycloud.com> > wrote:**** > > In the last call there was some discussion on irc about mechanisms to > detect unique visitors to a web page without using a persistent UID (in the > context of audience measurement but it could also be for third-party web > analytics).**** > > **** > > Maybe one way to do that is to filter out UAs that have not visited a page > for less than an arbitrary duration, say 1 week or 1 year. The mechanism > could be to use the existing Last-Modified/If-Modified-Since caching > handshake. The idea is to use this to tell the server the last time this > user agent visited a particular page. The server can then recognise unique > visitors as those that had not visited the page for some arbitrary period. > **** > > To avoid flooding the net with catchable content this could be implemented > as a zero content length resource referenced in the delivered HTML (if it > is an HTML resource).**** > > **** > > The page would have a reference to a “unique visit detection resource” > embedded in it, say in an img or iframe tag.**** > > **** > > For example on the page /thispage.htm you would have the following > invisible element:**** > > **** > > <img style=”display: none;” src=”/visit-detection.gif?url=/thispage.htm” /> > **** > > **** > > The response from /visit-detection would be zero length content with a > Last-Modified response header always set to the current time (rounded down > to nearest minute say to stop fingerprinting) and Cache-Control private. > The first time the UA visits there will be no If-Modified-Since header so > the server detects a “unique visitor”, the next time there will be an > If-Modified-Since request header which will indicate the last time this > particular UA visited the page. If the difference between that and the > current time is more than the arbitrary period then the server again > detects a “unique visitor”. **** > > **** > > To detect illicit accesses this may need to be a bit more elaborate, say > using a session cookie containing a hash of the current time using a secret > salt, but there would be no need for a persistent unique identifier. **** > > **** > > Would this work? And would it be adequate for the purposes of audience > measurement?**** > > **** > > Mike**** > > **** > > **** > > **** > > **** > > ** ** >
Received on Thursday, 18 July 2013 15:38:15 UTC