- From: Peter Cranstone <peter.cranstone@3pmobile.com>
- Date: Sat, 27 Jul 2013 15:43:33 +0000
- To: Chris Mejia <chris.mejia@iab.net>, Rigo Wenning <rigo@w3.org>, Shane Wiley <wileys@yahoo-inc.com>
- CC: "public-tracking@w3.org" <public-tracking@w3.org>
Chris,

Your comments regarding a meaningless signal also apply equally to the DAA's mechanism. Someone mentioned that it takes only 13 lines of code to add a DNT header. Well it only takes 1 line to game the AdChoices approach (All you have to do is know the final 'set-cookie' sequence that constitutes the 'opt-out' for any participating member of the DAA program.)

Also it only takes one line of code to 'evaporate' the ads.

From: http://my.opera.com/community/forums/topic.dml?id=1539842
Article Title: Blocking AdChoices on Yahoo! UK Homepage

div.CAN_ad, div.fpad { display: none !important; }

That's it. Combine that with the other 1 line of code it takes to set the Yahoo 'opt-out' cookie on anyone's browser... and not only are you totally 'opted out'... even if any 'AdChoice' based ads slip through they will never appear in your browser.

And YES... those 'TWO lines of code' could just as easily be 'injected' into the conversation by a ROUTER as with any standard Browser add-on. Exactly the same way as 'Industry' says DNT 'false signals' are being done right now ( still unproven ).

There are already (free) sites out there that will automatically supply your Browser with ALL of the required DAA member organization 'opt-out' cookies... all in one fell swoop... automatically and WITHOUT 'user verification'.

Here is just ONE of those 'automatically opt-out of all AdChoices' sites...

Site: GoYaBi - The First One-Click Global AdChoices Opt-Out for All Browsers ( Including Mobile Browsers ).
http://m.goyabi.com/how.php

So let's confront reality as it is, and not what we want it to be. There is no foolproof system/design, so my advice would be to tone down the 'semantic meaningless signal rhetoric' and move forward with what you have. The alternative is for the Ad industry to 'put up' (show a complete solution that solves all the problems) or accept what is already on the table. Rigo just tried to say that - and while I disagree with him on most things, I have to respect him for that.

Peter

On 7/26/13 5:19 PM, "Chris Mejia" <chris.mejia@iab.net> wrote:

>Peter,
>
>There is no agreement that the default setting for DNT = 0. In fact, I believe most TPWG folks have agreed that default should = unset. Additionally, I have not seen a browser company or other UA offer DNT = 0 as a choice for users. There is no agreed upon DNT specification today, so let's not make assumptions about what we *think* (or hope) the spec will be in the end-- it's been a moving target all along. Furthermore, I have never agreed (in the 1.5-years that I have been intimately involved with this TPWG) that 3rd parties should be responsible for "policing" the validity of the DNT settings via user agents, rogue or otherwise. I've pointed out all along, that false signals are the Achilles heel to DNT, and until that problem is solved, DNT will likely remain a (practically speaking) meaningless signal.
>
>I cannot speak for DAA, nor do I believe DAA as an organization made that proposal. However, my read of the industry consensus proposal you cited below is that it represents what companies would be willing to do for DNT users, despite uncertainty around the validity of how DNT signals are set (in other words, it's what they can agree to do, working in the constraint that the signal is polluted-- and still significant costs are borne with the enablement of that proposal). And hey, I don't think it's particularly productive to shoot down well intentioned efforts to save DNT-- to make it meaningful to users in the context of reality.
>
>All of the issues you cited around the draft DNT spec seem valid-- so why again should 3rd parties be responsible for sorting out a confusing and faulty spec and bearing the costs of testing it every time they see a new UA sending the signal?
>Why should 3rd parties, the mom & pop websites they represent, and the users who will be adversely affected by rising costs (and diminishing content) of sorting this all out on the back end, be responsible for a well intentioned, but ill-conceived specification?
>
>Perhaps I wasn't clear before: I'm personally for a reasonable and workable DNT spec, based on individual user choice. I wouldn't have spent 1.5-years working on this to see it go nowhere-- in fact, I only agreed to work on this for industry, in good faith of finding a workable solution. Please don't read anything else into my comments to Rigo in this thread. My response to him was, the solution needs to be REASONABLE, WORKABLE, and based on INFORMED USER CHOICE. Of course, if we can't agree to being reasonable, the spec isn't workable, and it's not based on informed user choice, then I believe it's faulty. If that ends up being the case in the end, it will likely fail, but not because of me.
>
>You also must have missed the part where I encouraged W3C to test user agents in order to validate the setting of DNT signals. Serious proposal. Why not?
>
>Regarding user granted exceptions (UGEs), my personal opinion is that they represent a biased mechanism that primarily benefits big name parties over relatively unknown smaller entities. Users who know (and trust) the big known players are much more likely to grant those big players exceptions for their work in the 3rd party context. But what about the relatively unknown 3rd party ad networks that monetize thousands of smaller web publishers through audience aggregation across unaffiliated sites, in an effort to compete with the big known players-- all in honest fashion? If you don't understand the competition issue this creates, ping me offline and I'll be happy to go into more detail. But I don't think this is an equitable solution.
>
>Finally, it pains me that people believe privacy should be a "competitive differentiator".
>It's not. Providing reasonable privacy safeguards is something we do for all users (today), simply because it's the right thing to do. If a company is "competing on privacy," God help them-- no one browses the web looking for privacy solutions-- the vast majority of people browsing the web are looking for quality content on the Web-- content is how publishers compete. Despite this market reality, we provide reasonable and effective privacy protections, again, because it's just the right thing to do for our users-- and because we are good corporate citizens. We also provide reasonable security and fraud protection to users, not because we "compete" on these tenets, but because it's the right thing to do. If you think I'm wrong about user desires, go look for the words "V-chip" on television set ads today. And don't get me wrong, privacy is important, very important-- and that's why I want a good DNT spec.
>
>Chris
>
>On 7/26/13 3:11 PM, "Peter Cranstone" <peter.cranstone@3pmobile.com> wrote:
>
>>Chris,
>>
>>You may be jumping the gun just a touch here. The default setting for DNT is '0'. The implication is that if it is turned on that a user must have done it, and that's what you have to go with until you can get an exception. You've had that in front of you for over 2 years now. It's hardly the time to say that we didn't understand it - when it's the core design you've all been discussing for so long. Sure there are hacks - but for 95% of the population they wouldn't know how to pull those off.
>>
>>Secondly as I watch the DAA come up with their approach to http://news.cnet.com/8301-1023_3-57595191-93/do-not-track-opt-out-icon-coming-to-mobile-browsers/ I have to shake my head. Exactly how does the DAA expect to validate in 100% of the cases that the user clicked on the icon? I actually tried it on my desktop browser.
>>First of all I had to enable 3rd party cookies and then it found 155 people tracking me which after I opted out resulted in a technical failure where it could not update the database. Result was consumer frustration and a distinct lack of trust with advertisers. Secondly they expect to release a mobile version next year. Great - exactly how do they expect to plug in to a mobile browser when no one else can. Secondly, if I set the app to send a DNT signal how will you know if I did it or I installed an app in front of the outgoing request to add a DNT signal.
>>
>>Rarely do I find myself agreeing with Rigo - but in this case I do. The only approach that is workable is a standard, otherwise there will be a fragmented marketplace with confusion and lack of trust. DNT is not going back in the box. It's shipped and with today's announcement by Pinterest http://bits.blogs.nytimes.com/2013/07/26/pinterest-allows-users-to-opt-out-of-being-tracked/ the content providers are climbing on board.
>>
>>Privacy is going to be a competitive differentiator going forward and everyone is now supporting DNT as a very simple Opt-Out mechanism. The UGE is critical as it will allow users to build a more trusted relationship with content providers based on access to their data. Currently there are probably half a billion browsers that support DNT and just Mozilla users send over 4 trillion signals a month (currently not being heard).
>>
>>I'd say it's a foregone conclusion that DNT is here to stay. Because as Aleecia says - you're not going to like the alternative which in itself will also require a technology solution. Right now the DAA's approach only has 2 million users and is basically still in alpha. It will be tough to gain much momentum when all the browser OEMs are already supporting a competing approach.
>>
>>But you never know.
>>
>>Peter
>>
>>On 7/26/13 3:40 PM, "Chris Mejia" <chris.mejia@iab.net> wrote:
>>
>>>Rigo, you stated: "If W3C would stop having a process and discussions about a process and either throw out the industry, the consumer or the privacy experts, respectively, we could advance within weeks."
>>>
>>>I hope you are not suggesting that the way to reach consensus is to simply kick out your paying members and invited experts, then do the work on your own? That doesn't sound right to me... Working group members, in both camps, have brought valid concerns around process and are seeking clarity and accountability from the co-chairs and staff-- I don't think it's constructive to effectively respond with "put up or shut up" (I'm paraphrasing, of course, but that's what I took from your reply to Shane).
>>>
>>>Shane wrote: "DNT can be set easily by any technology with access to the page request header outside of user control" and you responded "...your assertion is just wrong."
>>>
>>>Shane is actually right, the DNT header CAN be easily set by any tech with access to the page request header, outside of user control (e.g. private or corporate routers can do this) -- it IS a valid technical concern that we currently have no way to validate how DNT was set-- whether it was an informed user choice or not. Check it out with any tech expert, Shane is right. Until this is solved, it's virtually impossible to distinguish true signals through the noise of bad signals, and that's a problem for DNT.
>>>
>>>Shane wrote: "we'll likely have a high percentage of DNT=1 traffic on the internet" and you responded "Does that mean you fear that the opt-out system could actually work?"
>>>
>>>Please define "could actually work". If you mean high DNT rates = works, then your prejudice is clear. In this case, I guess you'd argue that low DNT rates = broken.
>>>What if only individual human users could enable DNT based on sound education regarding its enablement, and they decided not to. Would that define a broken state/mechanism to you, simply because people chose not to send DNT? Or would you say those are broken users? I for one advocate for USER EDUCATION and INDIVIDUAL USER CHOICE-- don't you? Btw, per the rest of your argument, there is absolutely nothing today stopping German publishers from "opting-back-in" users who employ ad blockers; likewise, there is absolutely nothing preventing the same publishers from only serving their content to those users who do not use ad blockers. DNT doesn't solve this problem, so let's not conflate issues.
>>>
>>>You wrote "the issue is the unrest in the marketplace."
>>>
>>>I don't see any evidence of widespread "unrest" in the marketplace; quite the contrary, as evidenced by growing web statistics. Take online purchasing as an indicator of market health; the year over year growth of online purchasing is staggering-- I don't believe anyone will argue otherwise. So, if there were so much "unrest" in the online marketplace as you propose, would you expect that consumers would still choose to make their purchases more and more online? I wouldn't-- it's not logical. Our industry has invested heavily in brokering trust with our users and this is clearly evidenced in the numbers-- we don't need DNT to "fix" anything-- broadly speaking, user trust already exists despite your best efforts to convince the marketplace otherwise. Now of course there are some individuals (a relatively small number, comparatively speaking) that don't trust. Our industry, and browsers alike, have gladly provided those INDIVIDUAL USERS the mechanism to opt out-- no problem, we respect an INDIVIDUAL's right to CHOOSE.
>>>
>>>Shane wrote "This means sites will need to ask users if they set the DNT signal and/or ask for a UGE for a large majority of visitors" and you responded "You don't. You just test the user agent... And you need a lawyer to tell you what to do? Come on!"
>>>
>>>You may be on to something here Rigo. If the W3C TPWG can not come up with a real technical solution to this problem (something that works in real-time, on a 100% of server calls), I propose that the W3C take on the infrastructure and costs associated with providing a "DNT user agent vetting registry service". The TPWG can set requirements for user agents, then YOU (W3C) test the user agents, posting the results to a globally accessible registry. Companies can then poll this registry (daily) for updates, and will only honor DNT when it's been determined that a user agent has met the required criteria for setting DNT: an informed user choice. User agents that want to send DNT should apply for certification from the W3C, and if they meet the requirements, be added to the registry. In providing this service, you should agree to an industry & consumer advocate oversight committee to monitor your work, as well as regular independent 3rd party audit/accreditation of your service (may I suggest MRC-- they are good at this). Easy, right? And you need a technologist to tell you what to do? Come on :)
>>>
>>>Shane wrote "This is an "opt-in" paradigm - which we agreed in the beginning was inappropriate (DNT=<null>, user makes an explicit choice)" and you responded "Who is responsible for DNT:1 spitting routers? W3C?"
>>>
>>>Yes, W3C is responsible, it's your spec. See "DNT user agent vetting registry service" (above) for next steps on cleaning up the marketplace mess that's been created.
>>>
>>>You wrote "If you can't distinguish between a browser and a router, I wonder about the quality of all that tracking anyway."
>>>
>>>Rigo, this is why you are a lawyer, and not a technologist. Technically speaking, we are not talking about distinguishing between browsers and routers, we are talking about distinguishing between validly set DNT signals and ones that aren't. You'd need to understand how HTTP header injection works to fully appreciate the technical problem. The best technologists on both sides of this debate have not been able to reconcile this issue. Neither have the lawyers.
>>>
>>>You wrote "I do not believe, given the dynamics of the Web and the Internet, that we can predict the percentage of DNT headers for the next 3 years; let alone the percentage of valid DNT headers."
>>>
>>>True, no one has working crystal ball technology that I'm aware of, but we do know that despite there being no agreed upon specification in the marketplace, user agents are sending DNT header signals today. No matter how many signals are sent, if you want DNT signals to be meaningful to users, industry adoption is key. Please stop asserting that our technical and business concerns are trivial or ill informed-- they are not. Most of your replies below are not helping us get closer to a workable DNT solution-- you are only further exacerbating our concerns.
>>>
>>>Chris
>>>
>>>On 7/25/13 12:40 AM, "Rigo Wenning" <rigo@w3.org> wrote:
>>>
>>>>On Thursday 25 July 2013 04:39:35 Shane Wiley wrote:
>>>>> Rigo,
>>>>>
>>>>> I feel like we're talking past one another.
>>>>
>>>>We are not. The DAA tells the world that "the World Wide Consortium sputters and spits trying to negotiate a Do Not Track standard to protect consumer privacy online, the digital advertising business is forging ahead with expanding its self-regulation program to mobile devices."
>>>>http://www.adweek.com/news/technology/ad-industry-expands-privacy-self-regulation-mobile-151386
>>>>
>>>>This is unfair.
>>>>If W3C would stop having a process and discussions about a process and either throw out the industry, the consumer or the privacy experts, respectively, we could advance within weeks. No more sputters and spits.
>>>>
>>>>>
>>>>> 1. DNT can be set easily by any technology with access to the page request header outside of user control
>>>>
>>>>The French call that "dialogue de sourds", the dialog of the deaf. If you can test the presence of an UGE mechanism, your assertion is just wrong. Repeating it doesn't make it become true.
>>>>
>>>>> 2. This means we'll likely have a high percentage of DNT=1 traffic on the internet (some say as high as 80%)
>>>>
>>>>Does that mean you fear that the opt-out system could actually work? And that you are deeply concerned that users could opt-back in? If we stall, you can time-travel into the next 5 years and talk to the people from German IT-publisher Heise: They lost large parts of their revenue due to blocking tools. It will be 80% of blocking tools instead of DNT-Headers. They would LOVE to have a way to opt their audience back in. IMHO, if the industry ignores the golden bridge of DNT, they will have to cross the rocky valley a few years later. As I said, the issue is the unrest in the marketplace, that people will buy whatever promises them more privacy, even a DNT-spitting router. To your point: you may see 80% of DNT:1 headers, but how many of them will be valid according to the W3C Specifications?
>>>>
>>>>> 3. This means sites will need to ask users if they set the DNT signal and/or ask for a UGE for a large majority of visitors
>>>>
>>>>As I explained: You don't. You just test the user agent. We both know that DNT has two technological enemies: 1/ Cookies + implied consent and 2/ DNT:1 spitting routers and dumb extensions.
>>>>Now the united internet expertise in this group can't distinguish between those and a valid browser? And you need a lawyer to tell you what to do? Come on!
>>>>
>>>>> 4. This is an "opt-in" paradigm - which we agreed in the beginning was inappropriate (DNT=<null>, user makes an explicit choice)
>>>>
>>>>Who is responsible for DNT:1 spitting routers? W3C? Is this conformant to the current state of our specifications? Nobody in this group wants DNT:1 spitting routers. That's why we have ISSUE-151.
>>>>>
>>>>> To adopt DNT under the Swire/W3C Staff Proposal (aka June Draft), industry would be agreeing to shift to an opt-in model vs. agreeing to support a more hardened opt-out choice for users that is stored in the web browser safely away from cookie clearing activities (which remove opt-out cookies today unless the user has installed an opt-out preservation tool). This is a significant shift and will not likely be supported by industry. Hence the reason we're pushing back so hard on the current situation.
>>>>
>>>>Your assertion of an opt-in model is a myth and a perceived danger, not a real shift in the Specification. The routers are shifting, not the Specification. This is just the first sign of market unrest. If you can't distinguish between a browser and a router, I wonder about the quality of all that tracking anyway. Are we discussing giant dumps of rubbish quality data? If so, consumers and privacy experts may relax a bit. For the moment, they assume that you can do profiles and things and distinguish between users and their devices etc.
>>>>>
>>>>> I believe I'm being as fair, open, and honest about the core issue.
>>>>
>>>>And I do not question that. We even agree that there is an issue. And we have a number for that issue. I tell you that your conclusions and suggestions will lead to a totally nullified DNT, not worth our time.
>>>>And I encourage you to consider a reasonable solution to the problem, not a short-circuiting of the system with an industry-opt-out behind.
>>>>
>>>>> Hopefully we can work together to look for solutions to this unfortunate outcome (unfortunate for industry as I can imagine some on the advocate side would be very happy with an opt-in world).
>>>>
>>>>Again, opt-in/out is a myth. DNT installs a control, a switch. This is much more than opt-in/out. BTW, I do not believe, given the dynamics of the Web and the Internet, that we can predict the percentage of DNT headers for the next 3 years; let alone the percentage of valid DNT headers.
>>>>
>>>>Finally, the only ways a company can be forced to honor a DNT:1 header is:
>>>>1/ By our feedback making a promise it does
>>>>2/ By a self-regulation like DAA or Truste or Europrise
>>>>3/ By law
>>>>
>>>>I would be totally surprised by a law that would force you to accept "any" DNT:1 header.
>>>>
>>>>So let's work on distinguishing the good from the bad headers. We had very good discussions in Sunnyvale with the browser makers. They are also interested in a solution. There must be a way.
>>>>
>>>> --Rigo
Received on Saturday, 27 July 2013 15:44:02 UTC
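
Added example (not part of the original messages or of any W3C or DAA code): a Python sketch of what a server sees in the case the thread argues over, a DNT: 1 header set by the user versus one added in transit, together with a check in the style of the proposed "DNT user agent vetting registry". The registry contents, function names and sample requests are constructed for illustration, and it assumes plaintext HTTP, where a device on the path can modify request headers.

```python
# Added illustration: what a server can learn from a DNT request header.
# All names and sample requests below are constructed for this example.

VETTED_USER_AGENTS = {"ExampleBrowser/1.0"}  # hypothetical registry entry

# Constructed request: browser whose user has expressed no preference.
NO_DNT = (b"GET / HTTP/1.1\r\n"
          b"Host: publisher.example\r\n"
          b"User-Agent: ExampleBrowser/1.0\r\n"
          b"\r\n")

# Constructed request: same browser after the user switched DNT on.
USER_SET = (b"GET / HTTP/1.1\r\n"
            b"Host: publisher.example\r\n"
            b"User-Agent: ExampleBrowser/1.0\r\n"
            b"DNT: 1\r\n"
            b"\r\n")

# Constructed request: a client the registry has never vetted.
UNVETTED = USER_SET.replace(b"ExampleBrowser/1.0", b"SomeAddon/0.1")


def parse_headers(raw):
    """Return the request's header fields as a dict with lowercase names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def dnt_preference(headers):
    """DNT: 1 -> 'opt-out', DNT: 0 -> 'consent', absent or other -> 'unset'."""
    return {"1": "opt-out", "0": "consent"}.get(headers.get("dnt"), "unset")


def honor_dnt(headers):
    """Registry-style policy: honor DNT: 1 only from a vetted User-Agent."""
    return (dnt_preference(headers) == "opt-out"
            and headers.get("user-agent") in VETTED_USER_AGENTS)


def intermediary_adds_dnt(raw):
    """Model a device on the path appending DNT: 1 to a plaintext request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head + b"\r\nDNT: 1" + sep + body


def server_view(raw):
    """Everything the receiving server can derive: (preference, honored?)."""
    headers = parse_headers(raw)
    return dnt_preference(headers), honor_dnt(headers)


if __name__ == "__main__":
    for label, req in [("no preference", NO_DNT),
                       ("set by user", USER_SET),
                       ("added in transit", intermediary_adds_dnt(NO_DNT)),
                       ("unvetted client", UNVETTED)]:
        print(f"{label:17} -> {server_view(req)}")
```

The request with the header added in transit is byte-for-byte the one the user-configured browser sends, so any decision made from request headers alone is the same for both. A User-Agent allow-list does not separate them either, because the User-Agent value arrives in the same unauthenticated header block as DNT.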