- From: David (Standards) Singer <singer@apple.com>
- Date: Thu, 11 Sep 2014 11:41:19 -0700
- To: Mike O'Neill <michael.oneill@baycloud.com>
- Cc: Justin Brookman <jbrookman@cdt.org>, Jeffrey Chester <jeff@democraticmedia.org>, public-tracking@w3.org
On Sep 11, 2014, at 9:45 , Mike O'Neill <michael.oneill@baycloud.com> wrote:

> In vast majority of cases IP addresses need extra bits e.g. canvas fingerprinting to identify a particular device on a NAT router, and even then the external IP changes after a few days so is useless for commercial tracking.
>
> That is why it is all cookie based and will be for the foreseeable. IPv6 might be different if everybody uses MAC based autoconf but hopefully that won't happen.
>
> Tracking is done with cookies and it is relatively easy to detect persistent high-entropy ones. It does not matter what the cookie is called.
>
> This is the weakness of the tunnel vision approach, which otherwise has the advantage of elegance. To solve that we are going to have to say something about UIDs.

I am sorry, DNT basically says “don’t remember information in your database that tracks me”. Tunnel Vision has a different definition of what ‘tracks me’ is than others, but I don’t see any link to cookies.

Tunnel vision has two ‘issues’: if you are a privacy advocate, you might not like that it allows sites to remember the fact they have interacted with you; if you are an industry advocate, you might not like the very clear line it draws (you identify the user with a context not your own, you’re in violation, very simple). I guess the first is troubling you, but it’s nothing to do with cookies per se.

> Mike
>
>> -----Original Message-----
>> From: David (Standards) Singer [mailto:singer@apple.com]
>> Sent: 11 September 2014 17:33
>> To: Mike O'Neill
>> Cc: Justin Brookman; Jeffrey Chester; public-tracking@w3.org
>> Subject: Re: Remove profiling prohibition for frequency capping (ISSUE-236)
>>
>> On Sep 11, 2014, at 9:25 , Mike O'Neill <michael.oneill@baycloud.com> wrote:
>>
>>> You are not off base, but it shows up the transparency/machine visibility issue.
>> If a third-party uses a cookie (or gets a 1st party cookies placed and uses that) to recognise the user in multiple transactions for in-context frequency counting how can the UA/extension/regulator/user tell if tracking is going on? They would have to rely on trust that "administrative procedures" or tunnel vision glasses were being used.
>>
>> Mike
>>
>> the achilles’ heel of DNT is that we can often not tell from the outside if tracking is going on or not. We’re making an ask about a database that, if all goes well, we never get to see. Now, that “if all goes well” is why we make the ask, because sometimes it goes very badly (cite notorious cases of repressive governments, leaks, and so on).
>>
>> If the site chooses to use fingerprint technology rather than cookies, e.g. uses my IP address and OS and Browser info, and keys a whole database off that about me, I am none the wiser. Pushing back against cookies is, I think, sometimes counter-productive: at least I can see cookies flowing, and if one is set labelled ‘user-id’ my eyebrows might go up if DNT is on.
>>
>>> Mike
>>>
>>>> -----Original Message-----
>>>> From: David (Standards) Singer [mailto:singer@apple.com]
>>>> Sent: 11 September 2014 17:12
>>>> To: Justin Brookman
>>>> Cc: Jeffrey Chester; public-tracking@w3.org (public-tracking@w3.org)
>>>> Subject: Re: Remove profiling prohibition for frequency capping (ISSUE-236)
>>>>
>>>> Unless I misunderstand the definition of tracking, we might not need a permitted use at all. It just works.
>>>>
>>>> If an ad site remembers what ads IT has served to ME only, it’s not tracking me across contexts. This is something I pointed out when I first floated ‘tunnel vision’ — that neither first nor third parties need special language to handle their interactions directly with me.
>>>>
>>>> In fact, the first/third distinction is not needed in tunnel vision, as I see it.
>>>> I think Roy may have been saying the same thing.
>>>>
>>>> Now, the site may be able to remember “I served this dishwasher ad to Dave thrice up to now, ’tis sufficient”, but it cannot remember “it was on Sears.com that I first served that ad, and on HomeDepot.com the second, but lo! or the third I cannot recall who asked it of me”. That’s remembering data across contexts.
>>>>
>>>> Or am I off base?
>>>>
>>>> On Sep 11, 2014, at 7:15 , Justin Brookman <jbrookman@cdt.org> wrote:
>>>>
>>>>> We are not reopening a discussion on whether there will be a permitted use for frequency capping. That has been stable in the TCS for years. Anyone who wanted to remove such a permitted use could have opened an issue on this at any time up to October of last year; no one did.
>>>>>
>>>>> This issue raised by Jack is an editorial one. The frequency capping rules are already subject to the Data Minimization and No Personalization language in Sections 3.3.1.3 and 3.3.1.4; Jack has made the argument that the last sentence in the frequency capping paragraph is thus superfluous.
>>>>>
>>>>> Companies retaining data for frequency capping alone can only collect and use the data minimally necessary for that purpose, and cannot use that data for secondary purposes. There is no basis for retaining web browsing history for frequency capping (unless a cap is tied to showing a number of ads on a particular site), and companies will not be able to target ads based on the nature of frequently shown ads. However, keep in mind that companies are likely to retain web browsing history despite a DNT:1 setting for other purposes, including attribution and fraud prevention. Of the permitted uses, I would think frequency capping would be the least concerning to advocates.
>>>>>
>>>>> On Sep 11, 2014, at 9:58 AM, Jeffrey Chester <jeff@democraticmedia.org> wrote:
>>>>>
>>>>>> Thanks for reminding me that in-flight and associated ad changes are labeled as OBA/data driven targeting. I believe this debate is a useful one, because frequency capping needs to be vetted taking into consideration EU and other data protection policies.
>>>>>>
>>>>>> Jeffrey Chester
>>>>>> Center for Digital Democracy
>>>>>> 1621 Connecticut Ave, NW, Suite 550
>>>>>> Washington, DC 20009
>>>>>> www.democraticmedia.org
>>>>>> www.digitalads.org
>>>>>> 202-986-2220
>>>>>>
>>>>>> On Sep 11, 2014, at 6:53 AM, Shane M Wiley <wileys@yahoo-inc.com> wrote:
>>>>>>
>>>>>>> Jeff,
>>>>>>>
>>>>>>> We agreed as a group that any "in flight" changes were deemed behavioral targeting, not frequency capping, so we already removed that use case from consideration (such as sequential ads) at the Oct 2013 Sunnyvale meeting. The use case here is the most simple one imaginable -- not showing the same user the same ad more than X times in a Y given time frame - nothing more.
>>>>>>>
>>>>>>> - Shane
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Jeffrey Chester [mailto:jeff@democraticmedia.org]
>>>>>>> Sent: Thursday, September 11, 2014 3:50 AM
>>>>>>> To: Shane M Wiley
>>>>>>> Cc: Walter van Holst; public-tracking@w3.org
>>>>>>> Subject: Re: Remove profiling prohibition for frequency capping (ISSUE-236)
>>>>>>>
>>>>>>> Walter is correct. In addition, Frequency capping is now also connected to real-time "in-flight" changes to targeted personalized campaigns. In-flight is ad biz term for such ad technique changes done during a campaign, which can also involve "creative versioning," that is new campaign dynamic elements that reflect how a person is responding.
>>>>>>> Capping connected to these and similar changes to a user's experience should not be permitted under DNT:1
>>>>>>>
>>>>>>> Jeff
>>>>>>>
>>>>>>> Jeff Chester
>>>>>>> Center for Digital Democracy
>>>>>>> Washington DC
>>>>>>> www.democraticmedia.org
>>>>>>> Jeff@democraticmedia.org
>>>>>>>
>>>>>>>> On Sep 11, 2014, at 6:38 AM, Shane M Wiley <wileys@yahoo-inc.com> wrote:
>>>>>>>>
>>>>>>>> Walter,
>>>>>>>>
>>>>>>>> Then we disagree on the merits here. Removing frequency-capping will have fairly negative repercussions on users seeing the same ads over-and-over-and-over driving them to turn off DNT. The group on both sides agreed to this carve-out long ago due to the perverse disincentives created in this scenario (I believe only 2 or 3 people out of ~70 ever had an issue here). Your technical solution is simply unworkable. Looking forward to the Call for Objections.
>>>>>>>>
>>>>>>>> - Shane
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Walter van Holst [mailto:walter.van.holst@xs4all.nl]
>>>>>>>> Sent: Thursday, September 11, 2014 3:30 AM
>>>>>>>> To: public-tracking@w3.org
>>>>>>>> Subject: RE: Remove profiling prohibition for frequency capping (ISSUE-236)
>>>>>>>>
>>>>>>>>> On 2014-09-11 12:18, Shane M Wiley wrote:
>>>>>>>>>
>>>>>>>>> We've always agreed the frequency-capping would be a permitted use in situations where a DNT=1 is received. Are you suggesting we now remove that permitted use or are you simply commenting on this specific language?
>>>>>>>>
>>>>>>>> I am perfectly fine with frequency-capping, as long as it doesn't require profiling at an individual level. It cannot result in collection of data by a third-party if the UA is setting a DNT:1 flag.
>>>>>>>> The mere fact that this particular purpose of tracking is beneficial both to the user and the advertiser does not justify in itself an override of a DNT:1 preference. And I can think of several methods to prevent saturation of a particular user with a particular ad, for example progressively dropping least-significant bits of IP-addresses to mask out groups of users that an ad should not be shown to.
>>>>>>>>
>>>>>>>> I do not recall a broad consensus about this particular permitted use.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> Walter
>>>>
>>>> David Singer
>>>> Manager, Software Standards, Apple Inc.
>>
>> David Singer
>> Manager, Software Standards, Apple Inc.

David Singer
Manager, Software Standards, Apple Inc.
Received on Thursday, 11 September 2014 18:41:49 UTC
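
The remark quoted in this thread, that persistent high-entropy cookies are relatively easy to detect whatever they are called, can be shown as a check over `Set-Cookie` headers. This is an added example, not part of the original messages; the thresholds, function names and sample headers are assumptions constructed for illustration.

```javascript
// Added example. Both thresholds are assumptions, not values from the thread.
const MIN_LIFETIME_SECONDS = 7 * 24 * 3600; // "persistent": outlives a week
const MIN_ENTROPY_BITS = 48; // assumed cut-off; ~33 bits already distinguish every person on Earth

// Parse one Set-Cookie header into name, value and lifetime in seconds.
function parseSetCookie(header, now) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const cookie = { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1), lifetime: 0 };
  let maxAge = null, expires = null;
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = parseInt(val, 10);
    if (key === "expires" && !Number.isNaN(Date.parse(val))) expires = Date.parse(val);
  }
  // Max-Age wins over Expires (RFC 6265); with neither it is a session cookie.
  if (maxAge !== null) cookie.lifetime = Math.max(0, maxAge);
  else if (expires !== null) cookie.lifetime = Math.max(0, (expires - now) / 1000);
  return cookie;
}

// Heuristic estimate: empirical Shannon entropy per character times length.
function entropyBits(value) {
  const chars = Array.from(value);
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let perChar = 0;
  for (const n of counts.values()) perChar -= (n / chars.length) * Math.log2(n / chars.length);
  return perChar * chars.length;
}

// Names of cookies that are both long-lived and high-entropy; the name itself is never tested.
function flagTrackingCookies(headers, now) {
  return headers
    .map((h) => parseSetCookie(h, now))
    .filter((c) => c.lifetime >= MIN_LIFETIME_SECONDS && entropyBits(c.value) >= MIN_ENTROPY_BITS)
    .map((c) => c.name);
}

// Constructed sample headers (not captured traffic).
const SAMPLE_NOW = Date.parse("2014-09-11T18:41:49Z");
const SAMPLE_HEADERS = [
  "user-id=9f2c7a1e4b8d03f6a5c1e7b29d40f8c3; Max-Age=63072000; Path=/",
  "prefs=k3Jx0QmZ8vT1bN6yRw4LpA7sHd2EuC5f; Expires=Fri, 11 Sep 2015 18:41:49 GMT",
  "lang=en-US; Max-Age=31536000",
  "sid=7d1e9b4c2a8f6053e1c7b9a4d2f80e6b; Path=/; HttpOnly",
];
console.log(flagTrackingCookies(SAMPLE_HEADERS, SAMPLE_NOW));
```

The check only sees identifiers carried in cookies; an identifier derived server-side from IP address, OS and browser details, as described in the quoted discussion, leaves nothing for it to inspect.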