RE: issue-25 from Mike O'Neill on 2013-07-18 (public-tracking@w3.org from July 2013)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Thu, 18 Jul 2013 17:10:19 +0100
To: "'Ronan Heffernan'" <ronansan@gmail.com>
Cc: "'Tracking Protection Working Group WG'" <public-tracking@w3.org>
Message-ID: <087701ce83d1$4d15a230$e740e690$@baycloud.com>
How do you do it now? With a 1x1 gif? How do you get the copy of the ad
network's ad identifiers (Kathy called them campaign_id & creative_id). I
assume they must be in the url parameters if you cannot use JS.

 

Mike

 

 

From: Ronan Heffernan [mailto:ronansan@gmail.com] 
Sent: 18 July 2013 16:37
To: Mike O'Neill
Cc: Tracking Protection Working Group WG
Subject: Re: issue-25

 

We aren't doing the capping; we are reporting on the reach and frequency
(typical audience measurement requirements).  This means that we have to
measure how many times each device was exposed to each creative.  

Part of our assumption that UGE will be useless for us (and for many 3rd
parties) is that JS will not be allowed (there are other reasons).  The
frequency-capping script (from the ad network) might have an IFrame with a
script (not likely, but possible), but our measurement cannot rely on the
existence of yet another third-parties' IFrame.

--ronan
  

 

On Thu, Jul 18, 2013 at 10:49 AM, Mike O'Neill <michael.oneill@baycloud.com>
wrote:

Hi Ronan,

 

Is that your reason for not using the UGE? I did suggest another method (for
consent signalling) using cloning specific named cookies to embedded
third-parties, would that have been better for you?

 

Also, the frequency capping script could be inside a third-party frame,
could you use that?

 

Mike

 

 

 

From: Ronan Heffernan [mailto:ronansan@gmail.com] 
Sent: 18 July 2013 15:38
To: Mike O'Neill
Subject: Re: issue-25

 

LocalStorage (like the DNT UGE mechanism) is useless for most audience
measurement, since we are not allowed to use JS on most websites.  That
limitation also means that the cap-exceeded determination cannot be made
client-side.  The server has to make the determination.  This is going to
require a unique identifier.  

BTW, I *completely* understand the prohibition against such 3rd-party JS.
If I were running an "important" website (as opposed to the trivial ones
that I run in my spare time), I would not allow random strangers to inject
their JS into my site, with the potential of doing all kinds of negative
things to my user experience.

 

--ronan  

 

On Thu, Jul 18, 2013 at 10:29 AM, Mike O'Neill <michael.oneill@baycloud.com>
wrote:

Hi Ronan,

 

I was just addressing the unique visitor requirement mentioned by Kathy,
frequency capping will need other methods but still does not need to rely on
unique identifiers. For example script could maintain a count in
localStorage then signal a count overrun using a session cookie.

 

Mike

 

From: Ronan Heffernan [mailto:ronansan@gmail.com] 
Sent: 18 July 2013 14:39
To: Mike O'Neill
Cc: Tracking Protection Working Group WG
Subject: Re: issue-25

 

Mike,

   That solution might work if "frequency capping" were always set to limit
each user to 1 exposure.  However, that is not the case.  Let's say that the
frequency capping requirement in a contract says that each device should be
showed the same piece of content no more than 7 times in a 9-month period.
Counting how many times that device was offered that content cannot really
be done with the cache mechanism that you suggest.

--ronan

 

On Thu, Jul 18, 2013 at 9:21 AM, Mike O'Neill <michael.oneill@baycloud.com>
wrote:

In the last call there was some discussion on irc about mechanisms to detect
unique visitors to a web page without using a persistent UID (in the context
of audience measurement but it could also be for third-party web analytics).

 

Maybe one way to do that is to filter out UAs that have not visited a page
for less than an arbitrary duration, say 1 week or 1 year. The mechanism
could be to use the existing Last-Modified/If-Modified-Since caching
handshake. The idea is to use this to tell the server the last time this
user agent visited a particular page. The server can then recognise unique
visitors as those that had not visited the page for some arbitrary period.

To avoid flooding the net with catchable content this could be implemented
as a zero content length resource referenced in the delivered HTML (if it is
an HTML resource).

 

The page would have a reference to a "unique visit detection resource"
embedded in it, say in an img or iframe tag.

 

For example on the page /thispage.htm you would have the following invisible
element:

 

<img style="display: none;" src="/visit-detection.gif?url=/thispage.htm" />

 

The response from /visit-detection would be zero length content with a
Last-Modified response header always set to the current time (rounded down
to nearest minute say to stop fingerprinting) and Cache-Control private. The
first time the UA visits there will be no If-Modified-Since header so the
server detects a "unique visitor", the next time there will be an
If-Modified-Since request header which will indicate the last time this
particular UA visited the page. If the difference between that and the
current time is more than the arbitrary period then the server again detects
a "unique visitor". 

 

To detect illicit accesses this may need to be a bit more elaborate, say
using a session cookie containing a hash of the current time using a secret
salt, but there would be no need for a persistent unique identifier. 

 

Would this work? And would it be adequate for the purposes of audience
measurement?

 

Mike
Received on Thursday, 18 July 2013 16:10:56 UTC