- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Thu, 18 Jul 2013 17:10:19 +0100
- To: "'Ronan Heffernan'" <ronansan@gmail.com>
- Cc: "'Tracking Protection Working Group WG'" <public-tracking@w3.org>
- Message-ID: <087701ce83d1$4d15a230$e740e690$@baycloud.com>
How do you do it now? With a 1x1 gif? How do you get the copy of the ad network's ad identifiers (Kathy called them campaign_id & creative_id). I assume they must be in the url parameters if you cannot use JS. Mike From: Ronan Heffernan [mailto:ronansan@gmail.com] Sent: 18 July 2013 16:37 To: Mike O'Neill Cc: Tracking Protection Working Group WG Subject: Re: issue-25 We aren't doing the capping; we are reporting on the reach and frequency (typical audience measurement requirements). This means that we have to measure how many times each device was exposed to each creative. Part of our assumption that UGE will be useless for us (and for many 3rd parties) is that JS will not be allowed (there are other reasons). The frequency-capping script (from the ad network) might have an IFrame with a script (not likely, but possible), but our measurement cannot rely on the existence of yet another third-parties' IFrame. --ronan On Thu, Jul 18, 2013 at 10:49 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote: Hi Ronan, Is that your reason for not using the UGE? I did suggest another method (for consent signalling) using cloning specific named cookies to embedded third-parties, would that have been better for you? Also, the frequency capping script could be inside a third-party frame, could you use that? Mike From: Ronan Heffernan [mailto:ronansan@gmail.com] Sent: 18 July 2013 15:38 To: Mike O'Neill Subject: Re: issue-25 LocalStorage (like the DNT UGE mechanism) is useless for most audience measurement, since we are not allowed to use JS on most websites. That limitation also means that the cap-exceeded determination cannot be made client-side. The server has to make the determination. This is going to require a unique identifier. BTW, I *completely* understand the prohibition against such 3rd-party JS. If I were running an "important" website (as opposed to the trivial ones that I run in my spare time), I would not allow random strangers to inject their JS into my site, with the potential of doing all kinds of negative things to my user experience. --ronan On Thu, Jul 18, 2013 at 10:29 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote: Hi Ronan, I was just addressing the unique visitor requirement mentioned by Kathy, frequency capping will need other methods but still does not need to rely on unique identifiers. For example script could maintain a count in localStorage then signal a count overrun using a session cookie. Mike From: Ronan Heffernan [mailto:ronansan@gmail.com] Sent: 18 July 2013 14:39 To: Mike O'Neill Cc: Tracking Protection Working Group WG Subject: Re: issue-25 Mike, That solution might work if "frequency capping" were always set to limit each user to 1 exposure. However, that is not the case. Let's say that the frequency capping requirement in a contract says that each device should be showed the same piece of content no more than 7 times in a 9-month period. Counting how many times that device was offered that content cannot really be done with the cache mechanism that you suggest. --ronan On Thu, Jul 18, 2013 at 9:21 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote: In the last call there was some discussion on irc about mechanisms to detect unique visitors to a web page without using a persistent UID (in the context of audience measurement but it could also be for third-party web analytics). Maybe one way to do that is to filter out UAs that have not visited a page for less than an arbitrary duration, say 1 week or 1 year. The mechanism could be to use the existing Last-Modified/If-Modified-Since caching handshake. The idea is to use this to tell the server the last time this user agent visited a particular page. The server can then recognise unique visitors as those that had not visited the page for some arbitrary period. To avoid flooding the net with catchable content this could be implemented as a zero content length resource referenced in the delivered HTML (if it is an HTML resource). The page would have a reference to a "unique visit detection resource" embedded in it, say in an img or iframe tag. For example on the page /thispage.htm you would have the following invisible element: <img style="display: none;" src="/visit-detection.gif?url=/thispage.htm" /> The response from /visit-detection would be zero length content with a Last-Modified response header always set to the current time (rounded down to nearest minute say to stop fingerprinting) and Cache-Control private. The first time the UA visits there will be no If-Modified-Since header so the server detects a "unique visitor", the next time there will be an If-Modified-Since request header which will indicate the last time this particular UA visited the page. If the difference between that and the current time is more than the arbitrary period then the server again detects a "unique visitor". To detect illicit accesses this may need to be a bit more elaborate, say using a session cookie containing a hash of the current time using a secret salt, but there would be no need for a persistent unique identifier. Would this work? And would it be adequate for the purposes of audience measurement? Mike
Received on Thursday, 18 July 2013 16:10:56 UTC