RE: Indirect DNT Processing (Proposed)

The UID element is incorrect.  This is needed for even basic processing of ad delivery and is protected by Permitted Uses.

- Shane

-----Original Message-----
From: Mike O'Neill
Sent: Thursday, October 23, 2014 3:19 AM
To: 'TOUBIANA Vincent'; Shane M Wiley; 'Tracking Protection Working Group'
Subject: RE: Indirect DNT Processing (Proposed)

Creating a special alleviation or permitted use for ad exchanges will be difficult and is anyway unnecessary. This use case only arises when consent is obtained by one or more downstream ad servers because if none of them have consent the ad exchange just does not share the UID.

When a downstream ad server explains to the user what the consent is for, they can also ask for consent for their service providers. They should have a data processor (service provider) agreement in place with the ad exchange so that it has no independent right to use the data (in this case the UID).

Then the issue becomes the technical one of allocating DNT:0 (or OOBC) consent by the user to the ad exchanges. This is similar to the “same-party” use case where we ended up with the cookie-like domain rules, which only solved part of the problem anyway.

As we discussed back then, there are already mechanisms in place that can do this, e.g. by supporting multiple other-origin iframes on the consent acquisition page. It would be much simpler (and more transparent) ultimately if we handled it in the UGE API but this would be hard to reach agreement on in a reasonable time (we would have to break some of the same-origin restrictions on web-wide consent, and there are other problems), so maybe it should be left to DNT2.0. There are already techniques like multiple iframes that could be used anyway, though not transparently.


From: TOUBIANA Vincent
Sent: 23 October 2014 10:29
To: Shane M Wiley; Tracking Protection Working Group
Subject: RE: Indirect DNT Processing (Proposed)


I have a clarifying question. In the precise case of RTB, when DNT is set, is it possible to only include in the Bid Request information about the user (i.e. the user id) but not about the current network transaction (i.e. no information related to the visited website)? That would allow websites to check that they have a UGE before bidding; information about the visited website would then be only transmitted to the winning bidder.

This option would still allow RTB to take place while preventing information about a network transaction to be shared with third parties.


From: Shane M Wiley
Sent: Wednesday, 15 October 2014 17:33
To: 'Tracking Protection Working Group'
Subject: Indirect DNT Processing (Proposed)


I was asked to develop language for consideration of how to manage DNT signals within Real-Time Bidding (RTB) environments such as an Ad Exchange.  I’ve up-leveled the concept to “Indirect DNT Processing” to cover scenarios where a user’s signal may move from a direct client interaction to one between servers (server-to-server).

For Servers in direct communication with the User Agent that then communicate further with other parties within the same transaction but outside direct communication with the User Agent, those Servers MUST convey the current DNT flag relayed to their domain to those other parties.  In cases where other parties have recent knowledge of their own domain’s DNT flag or UGE, they MAY process the request leveraging that information but MUST respond appropriately in the status response that they have done so – which, in turn, MUST then be conveyed by the Server to the User Agent.

This is intended to facilitate indirect communications through a transitive passing of permission to allow for DNT processing to occur even when a processor doesn’t have direct access to the User Agent.  If the processor has direct information about their own domain’s DNT setting with the User Agent, such as their last direct interaction with the User Agent, they may want to consider this in their transaction handling.

Question – While from a policy perspective the passage of the STATUS RESPONSE value makes sense, I’m not sure if this works as cleanly with the current TPE handling of those statuses.  Should we add a new flag/field to state a response is being conveyed from another party so as not to confuse the User Agent into thinking the response is coming from the server with which it is in direct communication?

- Shane

Received on Thursday, 23 October 2014 18:22:01 UTC