Re: ISSUE-111 - Exceptions are broken from Lauren Gelman on 2012-03-08 (public-tracking@w3.org from March 2012)

From: Lauren Gelman <gelman@blurryedge.com>
Date: Thu, 8 Mar 2012 14:17:31 -0800
To: Sean Harvey <sharvey@google.com>
Cc: Nicholas Doty <npdoty@w3.org>, Kevin Smith <kevsmith@adobe.com>, "TOUBIANA, VINCENT (VINCENT)" <Vincent.Toubiana@alcatel-lucent.com>, "Roy T. Fielding" <fielding@gbiv.com>, Shane Wiley <wileys@yahoo-inc.com>, Tracking Protection Working Group WG <public-tracking@w3.org>
Message-Id: <A08C160D-1574-4DFA-8342-A136E781C4D3@blurryedge.com>

If you have a site-specifc exception, I thought the data no longer needed to be silo'd or "differentiated on the server side"?

On Mar 8, 2012, at 2:09 PM, Sean Harvey wrote:

> Thanks Nick. Please do tell me if you think I'm not thinking clearly about this. But regardless of whether it is being handled by the browser, you would still need separate cookies per "site" if the exception is site-specific. 
> 
> Example use case: I am third party ad server AdDoty (yes there are brand names this and more stupid in our industry) and I have a site specific exemption from both Yahoo and AOL. How do I differentiate this data on the server side, regardless of whether or not the browser is "handling it"?
> 
> 
> 
> 
> 
> On Thu, Mar 8, 2012 at 5:06 PM, Nicholas Doty <npdoty@w3.org> wrote:
> On Mar 8, 2012, at 11:45 AM, Sean Harvey wrote:
> 
> > at a high level this would be new functionality in the ecosystem. there is no such thing as a site-specific exemption or site-specific cookie for an ad servers, etc. coming from a third party domain.
> >
> > i also agree that this is probably not practically implementable by anyone -- one potential implementation would involve domain-specific cookies in a sub-domain of the third party, but this would mean potentially thousands of cookies on the client browser where previously only one existed. Which does not sound like an ideal outcome.
> 
> Sorry, I'm not sure I understand here. As proposed, the user-agent-managed site-specific exception would be handled by the browser (choosing when to send DNT:0) rather than asking the ad server or other third-parties to create separate cookies to manage that state for each first-party site. Right now when an ad network receives a request from a browser that has an opt-out cookie for that network, it has to use a different behavior (not showing a targeted ad) no matter what the first-party site is, right? Can these site-specific exception headers prompt per-request behavior in the same way that an opt-out cookie does?
> 
> Or is the concern that site-specific exceptions would require siloing of data and that requires different cookies for each first-party site?
> 
> My take on Vincent and Kevin's question: Do first-party publishers get any indication from the user or the third-party that the user has an opt-out cookie installed and is potentially generating less revenue for the publisher?
> 
> Thanks,
> Nick
> 
> 
> 
> -- 
> Sean Harvey
> Business Product Manager
> Google, Inc. 
> 212-381-5330
> sharvey@google.com

Lauren Gelman
BlurryEdge Strategies
415-627-8512
gelman@blurryedge.com
http://blurryedge.com

Received on Thursday, 8 March 2012 22:18:02 UTC