Tracking Protection Working Group Teleconference

05 Nov 2014

See also: IRC log


Present: rvaneijk, npdoty, [FTC], WileyS, Fielding, kulick, schunter, vincent, [IPcaller], moneill2, Wendy, Chris_Pedigo, Jeff, hefferjr
Regrets: justin, cargill


<trackbot> Date: 05 November 2014

<scribe> scribenick: npdoty

agenda http://lists.w3.org/Archives/Public/public-tracking/2014Nov/0011.html

TPE Last Call comments

schunter: first topic is TPE Last Call comments, go through to see what consensus is emerging


<trackbot> issue-262 -- guidance regarding server responses and timing -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/262

<vincent> I have a proposal :)

schunter: long discussion on the mailing list. emerging consensus?
... basically, how to deal with ad auctions, data returned from a winner

<wseltzer> npdoty: summarizing my suggestion

<wseltzer> ... for TPE, we need to look at how to respond to the user

<wseltzer> ... existing response value ?, dynamic

<WileyS> I agree with Nick's suggestion - my comments are more specific to the TCS side of this conversation. Responding with "?" is fair in this scenario.

<wseltzer> ... actual response value could be sent in the TK response header

schunter: [summarizing]

<wseltzer> schunter: ? indicating it depends on the auction; then auction winner sends back the header of how we'll handle

rvaneijk: clarifying questions. about URL: the full URL is not necessary, truncated form does not need to be retained very long. is that correct?

<WileyS> This is a TCS specific discussion - not a TPE element

<WileyS> Who determines truncation rules? Sometimes the query string is important, sometimes it is not.

rvaneijk: if the query string can be truncated immediately, or if it could be aggregated within a certain time

<moneill2> +q

schunter: sounds like a compliance discussion

<WileyS> Depends on the URL

rvaneijk: is the full URL needed, or just the domain information?

<fielding> I am guessing Rob means the Referer URL?

<rvaneijk> fielding, yes.

vincent: my understanding is that if the bid winner provides the final answer to the DNT request, it won't know everything about the other bid losers who were involved
... for example, if one of them believed it had a web-wide exception it may have tracked the user anyway

schunter: your point is that if the non-winners share or publish data, but only the winner responds, then the user doesn't learn the right thing

vincent: bid losers that don't respect DNT could profile users anyway

<WileyS> Then the Exchange should not respond that it honors DNT

fielding: my preference in changes of TPE would be to use a different tracking status value for the exchange model

<vincent> +1

fielding: to handle any type of situation where the server is relaying to multiple origin servers (an HTTP gateway)
... a common enough model that it probably deserves a response
... client would expect to retain information about both the gateway and the winning bidder
... it would then be easier to discuss compliance as a separate problem, rather than what all dynamic responses need to answer
... rather than making a change at this late date

schunter: general pattern would be the same (TSV and then Tk header later), just a different value

<rvaneijk> no objection from protocol side

<rvaneijk> moneill2, I think all should receive the DNT through the ad exchange

moneill2: if you pass the DNT signal through a gateway to the multiple bidders, hard to send site-specific DNT consent mechanism, or opt-out cookies
... requires broadcasting

<rvaneijk> DNT could be passed with the bid request

<rvaneijk> But that is a compliance issue

<fielding> What the user gains is the ability to make pre-flight requests on the gateway's well-known URI and having a response from that gateway that does not prevent dynamic responses later on.

moneill2: there seems to be an ambiguity. don't need web-wide confirm, just needs tighter text description

schunter: sounds like everyone is fine with the two stage response approach
... questions seem to be about the compliance side about passing on the DNT signal to all bidders, or have control over the data sent to the bidders
... but for non-winners, the user does not have awareness or control

<vincent> unique IDs and URL

<rvaneijk> bidders that do not win the bid MUST be prohibited to enhancing profiles for later targeting

<WileyS> +q

moneill2: downstream bidders can only determine consent through our user-granted exception model, which won't be passed down

<Zakim> npdoty, you wanted to ask what does the user learn?

<schunter> Agreement was:

<wseltzer> npdoty: Question about TPE resolution

<schunter> 1. 2phase approach

<fielding> rvaneijk, that would be what receiving DNT:1 requires if the recipient complies; not sure what good that would do if the recipient does not comply.

<wseltzer> ... I agree with the two-stage response, but not sure I see the value of a separate gateway signal

<wseltzer> ... why isn't the existing response enough?

<schunter> 2. Gateway signal ("G") instead of "?"

WileyS: this is a common enough use case, a significant fraction of online ads that are served
... separate signal, as opposed to generic ?
... a common and well-understood dynamic in industry. you can do more by having a specific signal
... regarding Compliance, allow downstream bidders, if they have in their most recent interaction with the user have been provided a user-granted exception

<moneill2> +q

WileyS: if the exchange passes on the DNT: 1, but if the server saw a user-granted exception on their most recent interaction with the user
... can re-confirm the UGE status when they next interact with the user, like when they win the bid
... don't have direct access to the user agent in this case

<fielding> I don't know exactly what will be necessary to convince users that a gateway is trustable with the DNT signal, but I do know that it will be easier for a UA if we distinguish between a gateway to multiple data controllers versus a dynamic response from a single data controller.

schunter: if a party participating in an auction has a user-granted exception, they should be able to track the data

[not-scribing, fielding, but what do you expect a user agent to actually do that's different?]

<schunter> 1. Pass on DNT:1

<rvaneijk> fielding: agree with the point on being able to distinguish.

[besides just making it easier to block ad exchanges?]

<schunter> 2. If you have an UGE, you can use data

<fielding> … And I don't want to change the protocol later just to satisfy that distinction. It is near zero cost to add it right now (the cost being on me to define it).

<schunter> 3. If not, you can't.

<schunter> 4. The winner sends a response.

schunter: sounds plausible that if you have a UGE, then you can track this user

moneill2: ad exchange in this circumstance should reply with a "T"
... either you use the consent mechanism that we have, or you send a user identifier so that they can be matched by the bidder to see if they have consent

<schunter> Remaining open question: How can we enable the bidders to look up a UGE in a privacy friendly way.

moneill2: it's possible to come up with mechanisms that solve this by getting consent

<vincent> agree with moneill2, you're basically sharing the data (URL and UID) with other bidders

moneill2: should interpret G as T, since this is tracking as far as I'm concerned

<vincent> well sharing the data is prohibited...

<WileyS> Bid loser would not store the data at a per user/device level

<WileyS> +q

<fielding> Don't forget that first party advertisers also use exchanges on their own sites and sometimes win their own auctions.

<wseltzer> npdoty: concerned about parties to the exchange system not updating their understandings of user consent

<wseltzer> ... when DNT/UGE changes

<wseltzer> shane: I don't think we'll see UGE at that scale

<rvaneijk> bid losers MUST be prohibited enhancing profiles for later targeting


<wseltzer> ... we should be transparent to the user about what's happening

<wseltzer> ... when bid winner, who had UGE previously, should send back a response saying didn't honor DNT

<wseltzer> ... then user can send back DNT and show the site that he changed his mind

<wseltzer> ... build and plan for common case (infrequent changing of minds)

<wseltzer> schunter: inclined to agree with Shane

schunter: policy-management portal at Yahoo to manage exceptions. sort of assume they stay valid until you hit this portal again
... inclined to agree
... do we have agreement that non-winning bidders must not use this data for tracking purposes?

<moneill2> +q

vincent: already considering an edge case, where a Web-wide exception case -- the site-wide exception is already covered

<kulick> I just wanted to point out that the existence of UID is not considered tracking per the definition of tracking ("Tracking is the collection of data regarding a particular user's activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred."). I heard someone mention that in their opinion that having...

<kulick> ...uids would be tracking.

vincent: ad exchange will broadcast the signal, but a specific ad network identifies that it has a Web-wide exception

<schunter> We seem to have consensus that (a) DNT:1 signal is passed (a) "G" is first responded, then (b) parties with a web-wide UGE can re-use obtained data even if they lose the auction, (c) winners respond with their final answer

vincent: agree we should address the common case, but disagree on what the common case is

<WileyS> It's okay for the ad exchange because it's a service provider to the participants in the auction

<moneill2> +q

<schunter> (d) Non-winners without a UGE must not keep the data for tracking purposes.

<vincent> if it behaves on behalf of one of the bidders, it should send T on its behalf

<fielding> Note that "G" would only appear in the tracking status resource for the exchange -- it would not be in the header field response, which only contains the dynamic response from bid winner

moneill2: the only way for the downstream bidders to determine whether they have a UGE requires sharing a user identifier, which is tracking

<WileyS> It's behaving as a Service Provider for multiple participants so "G" is better here

moneill2: spec says user identifiers shouldn't be used unless there is no other option, and consent is our option

<WileyS> DNT DOES NOT halt sharing of IDs for ad transactions

schunter: not sure I understand. only way to do it is to forward identifiers

WileyS: confusion on identifiers. (repost from kulick above) passing an identifier as part of an advertising transaction is a permitted use, so I don't see an issue there

<vincent> sharing of UID AND URL would be prohibited

WileyS: service provider acting on behalf of multiple parties. if the different ad networks had been elements on the page already, would have received those ids. permitted uses around security, frequency capping, financial

schunter: unique ID is sprayed over the Web, but no one receiving it is using it for outside the permitted uses

<vincent> TCS: When a third party to a given user action receives a DNT:1 signal in a related network interaction: that party MUST NOT collect, share, or use data related to that interaction;

<WileyS> Losing bidder should only be able to retain de-identified/aggregate data - nothing user/device specific

<wseltzer> npdoty: it would be concerning if non-winning bidder retained info without any communications to user

<kulick> but they wont be tracked by non-bid winners

<wseltzer> ... gateway needs to take responsibility for combining responses if service-provider to multiple parties

not-scribing, WileyS, kulick -- that's my understanding as well, but I think schunter's text was suggesting that multiple parties would track, and the user would never receive that feedback

<rvaneijk> additional normative requirement for the ad exchange: data minimisation (truncate the query string of the referrer URL immediately)

<moneill2> +q

<WileyS> Nick - I'm okay with stating the bid-loser can not retain user/device specific data

<wseltzer> schunter: strategic behavior possible from those who've obtained UGE, if they put in low bids just to get info on multiple auctions they lose

<wseltzer> ... yet never communicate back to users

<wseltzer> vincent: It's not just the UserID, but also URLs in the bid request that are problematic

<schunter> Two alternatives seem to emerge:

<schunter> 1. The (a)-(d) case

<WileyS> The 3rd party is not sharing - the Service Provider (representing the 3rd party) is passing it to themselves (where a service provider = the party they are representing).

<wseltzer> rvaneijk: second Vincent. can we add some normative requirements on conveyance of full URL?

<schunter> 2. A case where only the winner can keep data (using or not using a UGE)

<wseltzer> ... I think only domain should be necessary

<WileyS> URL truncation - you are incorrect. What data do you have to defend your position?

<scribe> scribenick: npdoty

<WileyS> Opinions aren't as helpful in areas where companies spend millions of dollars to defend their businesses.

<schunter> If we find a way to provide transparency (who has tracked you), then the option (a)-(d) may be more acceptable.

<rvaneijk> WileyS: had discussions with some long tail companies.

<vincent> WileyS, the service provider can not represent multiple entities at a given time. The one it represents is sharing data if you prefer, but that's still sharing

moneill2: comment to WileyS about the confirming UGE. when a user has consent with a large number of bidders, it would add to latency to add to a cookie all the sites with UGEs

<WileyS> Vincent - yes they can.

<WileyS> Vincent - you're stating they can't doesn't change that.

moneill2: ad exchange could have a subset of sites for which it polls for a user-granted exception
... will send to mailing list

schunter: options are either my (a)-(d) where background tracking can go on. or where data can't be retained by bid losers (as if only the winner interacted with you)

<WileyS> Matthias - agree with that approach.

WileyS: agree with the latter approach. bid losers wouldn't retain information even if they felt they had a UGE, because they wouldn't have a chance to communicate back to the user
... chance to explain to the user. as a bid winner, if you didn't want to consent, can fix that as soon as talked to the user agent

<schunter> Consensus: Non-winners must not retain individualised data; Winner can use UGE (to keep tracking data) and is able to provide transparency by response header.

<fielding> How is winner going to convey that they assumed UGE (as opposed to consent)?

WileyS: bid losers would keep aggregate or deidentified information to remember that they lost, but nothing user or device specific or profiling

<WileyS> Roy - I was thinking "C" here as well

fielding: if the bid-winner communicates that they have User-Granted Exception, how do they respond? "C" is used for having consent

schunter: I think "C"

rvaneijk: use case of an ad exchange that has bidders that respect DNT and bidders that don't respect DNT
... would prefer outcome that only allows bidding parties that do adhere to DNT standard

<WileyS> Rob - that will push the entire ecosystem to not support DNT

schunter: ad exchange has to be responsible for enforcing requirements

<fielding> that would introduce a chicken and egg problem to deployment

<WileyS> Rob - you are wrong - please speak to companies on this matter

rvaneijk: lack of adoption doesn't speak to the actual problem of accountability
... otherwise doesn't express much meaning

<WileyS> +Q

<vincent> agree with rvaneijk. Plus we should support privacy friendly alternatives that would be able to differentiate themselves

schunter: concern is that if the user uses DNT and the ad exchange supports it, then the user won't be aware of the data collection

<wseltzer> npdoty: 2 levels of concern: if bidders in ad exchange doesn't support DNT and doesn't support rules of auction, keeping data

<schunter> Compromise: The ad exchange is responsible to ensure that no identifying data is kept by the non-winners (by contractual means or by DNT compliance or by not forwarding IDs)

WileyS: similar
... the real-world dynamics are about how businesses work. there's a timeframe where the exchange can only turn on DNT support once every bidder already supports it
... unlikely to kick out bidders who don't support DNT
... would push away from industry support of DNT
... for transparency purposes, indicate that it's a mixed state. "G" could indicate that it includes both parties that support and parties that don't support DNT

<moneill2> Wiley, the ad exchange just replies with T unless it knows all the bidders support DNT

WileyS: if there were direct communication with the user agent, the user agent could be configured to not send requests to those servers
... if you felt that was appropriate, you could still do that with the "G" response. user agents could stop transactions on "G" because of that uncertainty
... it would be a long wait

schunter: in that case "G" would be the same as "T" about potential tracking
... even if the winner eventually says that they don't track

WileyS: more likely that ad exchanges may just not respond to DNT signals
... until you have widespread support, you'd just be silent
... but I think it would be better to get exchanges and many bidders to support, which could then entice others
... but I don't think we should start that way

schunter: need to move on
... write down a consensus version, regarding non-winners not storing information
... and remaining question about ad exchange accountability or enforcement
... who can take an action item to write this down?

<WileyS> I'm on vacation starting this evening - please pick someone else

schunter: important to write down that we agreed that non-winners are not to keep data. just a question of how to enforce it

rvaneijk: understand Shane's point about different levels of ad exchange support

schunter: can you write down this part we agree on?

rvaneijk: think there should be a middle path, should have more discussion

<schunter> Consensus: (1) Ad exchange responds with "G", (2) winner returns header and may use UGE, (3) non-winners must not keep data

vincent: still think there are differences

not-scribing, fielding, are you going to write up a "G" proposal?

schunter: rvaneijk, can you summarize the consensus before the next call?

<WileyS> I'll be on vacation for a bit so please don't take my silence on the discussion as agreement :-)

<fielding> BTW, I will be at the IETF in Honolulu next week, so may or may not have time to write.

rvaneijk: don't want an action item at this time

schunter: consensus on those three points.

<schunter> Open question: How to handle bidders who may not satisfy our requirement not to keep data.

<fielding> action on fielding to draft a G response for exchanges

<trackbot> Error finding 'on'. You can review and register nicknames at <http://www.w3.org/2011/tracking-protection/track/users>.


<trackbot> issue-266 -- automatic expiration of a tracking preference exception via API parameter -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/266

schunter: dsinger not here, can postpone discussion

<fielding> action fielding to draft a G response for exchanges

<trackbot> Created ACTION-463 - to draft a g response for exchanges [on Roy Fielding - due 2014-11-12].

not-scribing, was just going to say that we should make sure we have the proposal from moneill2

<fielding> slackers

<discussion about keeping to 60 minutes>

schunter: made some progress on this issue, but push the rest to the next call

<WileyS> Thank you Matthias!

schunter: currently finishing the audience measurement cfo, should send around in the next week
... anything else?

<vincent> thanks nick


Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014-11-05 18:10:05 $
