Meeting minutes
<wseltzer> https://
<wseltzer> https://
Wendy: Welcome all
Wendy: As people are arriving, take a look at the agenda
… agenda curation and introductions
… presentation and discussion on IAB Tech Lab Drafts
<Brendan_IAB_eyeo> @Wendy - thanks again for the Dashboard, it is a great resource!
Wendy: followed by continued discussion on FLoC origin trial
… and any other business
… for future items, we have discussion on PRAM and SWAN community materials
… heard interest on that
… other things people want to queue up, please share information
… and we will look forward to hearing about it
Agenda-curation, introductions
Wendy: Anything further on agenda curation or introductions?
… anyone new to call who would like to introduce themselves
Michael: hi, Michael from Carbon, first time to introduce myself
IAB Tech Lab Drafts
Wendy: welcome
<wseltzer> https://
Wendy: great, let's turn to IAB Tech Lab drafts on accessibility, accountability, and privacy
… I will turn it over to you if would like to share screen
Presentation Slides: IAB Rearc 1 Year Later
Alex Cone: I am going to use some slides
… first, thanks for the opportunity to speak
… in this forum, particularly to Aram who had the idea and to Wendy for making it happen
… I'm Alex Cone, work at IAB Tech Lab working on privacy and also joining me is Ben Dick who also focuses on privacy and identity
… we have been coming to these meetings for some time; nice to present today
… context before we dive into the four areas
… Aram from Wash Post raised these specs out for public comment
… comment period ends soon, it would be great to use this forum to push for more comments
… I am viewing goal as letting you know what we are all doing
… and what they have released in draft
… and while W3C is more of a browser forum
… we want to specifically invite browsers and folks in this community to give us feedback
… welcome to speak up in this meeting, or submit comments through our specified channel
… Either way is fine
… context today will likely last 30 minutes today
… based on agenda we will have to answer some questions and respond live to feedback
… Let's dive in
… We use the term "Reacr" as a moniker
… we realize that status quo as it relates to 1:1 addressability
… calls for rearchitecting adtech systems
… for adtech, publishers, SSPs, DSPs, agency side
… not just an adtech centered thing
… so that's the Rearc term
… So IAB Tech Lab does standards for advertising
… we are trying to create opportunity for interop, foundations for competition in marketing ecosystem
… Rearc is part of our overall 2021 prioritiies
… we also focus on Supply Chain Transparency and Security, Measurement and Infrastructure
… but Ben and I are focused on privacy and will be focusing on that today
… We all know we are in a rapidly changing situation
[slide]
… publishers seeking to monetize through ads, meet up with marketers who want to maximize their campaigns
… all have used or been recipients or creators of 1:1 identifiers
… which is what you are seeking to address in the web
… you all know everyone is impacted
… we started in Feb2020 and in earnest in April 2020
… we added the buy-side to the mix
… PRAM we view as opportunity to get buy-side, brand voices involved
… in what digital ecosystem looks like going forward
… there is policy group, business use case group
… which Angelina is looking to present
… We ran a process
… to understand the problem; evaluate tech alternatives; bubble up specs and ideas within that scope
… and turn into draft standards
… we have run through phases 1-3
… now we are looking for public comment before finalizing drafts
… what we have learned
… a lot of interests at play
… of course browsers have interests...publishers do, adtech, all commercial entities
… brand, agency-focused tech
… also gov't perspectives
… a lot of competing ideas we see amplified on multiple channels
… not just web, audio etc.
… placing multiple bets
… looking at the four specs
… One, privacy and data protection by default are the new normal
… that is due to people concerns
… being more aware of what is happening with data behind the scenes, or not understanding
… gov't focus
… platforms that have representation in these groups
… responding to the circumstances of our industry and coming up with own designs
… so if we don't address these issues, won't be useful
… spectrum of user control
… from I don't want apps vs ok for any personalization
… a spectrum; all of these things need to be on it
… accountability and auditability are fundamental
… adtech has been a bit of a black box
… critical going forward to be sustainable
… fourth, a bit self-promoting, open standards are critical
… every single device, platform, if somewhat different
… with your data protection and privacy experience
… like Google home mini is different from MacOS on laptop; broadband company may have different settings
… if that continues to fragment
… maybe data protection is better, but how users understand how things work, how data is controlled
… so open standards are critical
… this slide is the four solutions framework
… not just our own thinking, a lot of our members helping us think about frameworks
… you are all included
… any browsers adopting privacy sandbox
… Everyone is talking about first-party data
… by itself, there are two forms, advertiser data and publisher's data to be simplistic
… Publishers we have known for a long time
… have offered up direct sold, programmatic deals
… that is now new
… what's new is now on the buy side
… the buy side can still link through a third party cookie or IDFA or Google @
… that is going away at scale
… we are thinking about solutions in that bucket
… to let publishers still run
… and monetize what they know about their audience
… but in a way that doesn't let advertisers know
… you all know browser OS linked to audiences
… there is some linkage, things like FLEDGE to talk about an interest group
… and link the fact is the same browser on both sides
… but not known to end parties, just to browsers
… think that is bucket people should know about
… if we want across the board
… to meet new standards and new bars
… on privacy, data protection and accountability
… we have to acknowledge there are companies competing with each other
… that includes Google
… that will still continue
… if that is to be sustainable, that needs really strong standards and best practices and accountability
… you have to demonstrate your accountability to a user
… So the standards themselves
… first the privacy bucket and accountability bucket I will talk about
… and then pass off to Ben on addressability
… Privacy, address backend
… encoding transparency and control signals more broadly than we do today
… we have track record working with business, commercial policy orgs
… to develop privacy signaling mechanisms
… not just EEA and California, but also Brazil, Canada, Australia emerging regs
… for browser community we want you at table to read these things
… when standards are ubiquitous, this is interesting
… idea is a single standard that can adapt different regional norms on transparency and control
… and allow for convergence on these things
… One cool thing on this one
… by the way, all of these are available at IABTechlab.com/rearc
… we are committed to transparency control, privacy signaling mechanisms, that are cryptographically signed
… if we build this infrastructure
… people need to know where the signal is coming from
… that is global privacy platform
… it's a 16 page doc
… we wanted some early feedback
… the second one is something we are calling accountability platform that focuses on linked and unlinked first party audiences
… has to stand test of time
… we have to demonstrate conformity on what is being signaled through supply chain
… open up what is actually going on; are they processing data
… this is called a platform
… and getting more granular on types of uses that might be allowed
… and be transparent with users
… and demonstrate if you conformed to this specific use allowed or not allwoed
… all participants would follow this auditable data structure
… please read the docs
… it's translation level focus
… using a pair-wise architecture
… through supply chain, even if a first-party ID and not shared with service provider
… demonstrate you are confirming to...privacy signal says ok to send it
… receive can also be a sender if they share forward
… have entities report on one another allows for a comparison of what reality might have been
… some sampling
… please go read how we have this designed and make your judgment from there
… we want to do this in real-time
… but sample is every 24 hours
… based on way to make cross-comparisons on ways to make @ on supply chain interactions
… for W3C and browser community of interest
… this data would not include personal data
… would be made available in an open way
… to whoever wants it to make own judgments about ecosystem players
… Ben, are you on theline?
… Ben, let's run through your stuff
… Take time you need and we'll answer questions
<jrosewell> Regulation continues to evolve - https://
<jrosewell> Links to these documents are available here : https://
Ben: hopefully we have 20 more minutes for questions after a 5-10 min overview
… As Alex mentioned, there are two addressability bets that back into the core ad architecture that Alex described
… rely on those to provide strong technical accountability
… important to reiterate
… we want to think about this as a portfolio approach
… we don't see a single solution to be dominanat
… portfolio of complementary scenarios
… to scale addressability in a privacy centric way
… while adhering to measurement and other needs
… and get to core industry needs
… and consumer privacy and data protection is at the core
… and we want to suggest things that minimizes disruption and accelerates backwards compatability
… first bucket thought was a no brainer
… is how to think about seller defined audiences
… diff signalling mechanisms
… developing a concept of an audience
… and use existing standards to support that use case
… what we are aiming to do is support audience targeting and signaling in a privacy way
… and minimize privacy risks with a cohort ID
… detail and questions in the doc that we'd like feedback on
… We have been collaborating with prebid for technical hooks
… and we are finalizing a proof of concept design
… to show we can convey these signals end to end to inform rest of standards work
… mentioned a few times
… we look to publishers and others
… to take back the value proposition with audiences
… and provide meaningful tools for buyside
… lean into need to accommodate the publisher narrative
… and echo Google need for publisher audiences
… Next bucket, shifting gears
… is focused on scenarios where user is providing availability of identifier that can be used as basis for trading
… examples to sign into publisher site more broadly
… there has been a gap to date to standardize a minimum bar for privacy protection
… the thing has to be encrypted
… and minimize poss of reidentification based on systems
… so trying to establish a minimum bar
… Again, this is a baseline
… to set a min bar
… and not preclude commercial entities from going above and beyond this
… a middle bullet point that standards should address a broad range of technical methods
… TradeDesk team has been transparent about wanting to submit code for broader review
… some work is associated to UID2 but want to be agnostic across the board
… see this as a nec gap to be established
… devil will be in the details
… hopefully most of you have read these docs
… since you have been thinking about these things for a while
… there are designated channels for feedback, so please share your thoughts
Alex: That is a lot of content
… don't envy all the things you are trying to cover
… Wendy, do we have time for questions?
Wendy: yes, please
… I see others with questions
Alex: Before we start, I am not in the irc right now
… I am not reading what is happening, so please read out your question
James: Alex, comment on the global privacy platform
… as a programmer, nice to develop against an interface
… nice to see that doc bring together this complicated landscape
… review period is quite short, 8th of April
… any possibility to extend, or another round?
Alex: we set it short because it's not as detailed as other specs in the portfolio
<wseltzer> https://
Alex: want to see if we are headed in right direction
… we meet weekly; as do most of these groups
… for April 8th
… we're not shutting down the aliases
… for comment, but we need a line in the sand
… even today have received comments
… we will keep April 8th line in the sand
… will it go through another round: yes
… will be more like other docs that are closer to being finalized
… so we'll run another round
Wendy: I put myself in queue
… W3C agrees on the value of standards and interop
… pleased to see your focus on that
… good to have this channel of participation and cross-collaboration
… encourage people to send comment on the IAB Tech Lab docs
… and if there are things you are hearing in the feedback in discussion that feed into proposals we are hearing on the W3C side
… we look forward to hearing as well
Alex: To seed conversation here
… if we can get Global Privacy Platform as a transport mechanism and get widely adopted
… opp for browsers to adopt is really real
… in working groups, people hope browsers will be entity
… to digest that info
… in that realm
… this wasn't just what IAB Tech Labs is doing
… we would really love to have that cross-pollination
… that is real; why we show up
… we would love to be more aligned on how these things can connect
… how you can hook into our hooks and your hooks
Ben_Savage: Alex, thanks for the presentation
… I noticed a strong emphasis on individual identifiers in IAB Tech Labs proposals
… and on user-provided PII...
… do you have proposals that don't rely on either of those user level or user provider PII
Alex: I 'll go first
… let's take global privacy and accountability platform
… screen meant to apply to both scenarios
… agree it's applied to user level like PII like email
… trying to cast as wide a net as possible
… if we don't, who does
… a bunch of companies trying to compete in this space
… including companies who are also trying to produce new web standards
… we cannot ignore this space
… if we want competition to be sustained that is not in privacy sandbox
… if we can help that not be a s***-show
… speaks to device-level identifiers
… otherwise not sustainable
… and could be worse that what we had before
… technical mechanics
… browser do what they do...whole idea of FLoC does user ID, just not passing to anyone else
… privacy -enhancing technologies rely on some degree on some entity knowing there is a user
… I think there is a really broad opp for us to come together
<jrosewell> Anonymous identifiers are very important to ensure the web remains a competitive open platform that can compete with other options for advertisers spend.
Alex: and see what we can standardize
… in platforms, clean rooms, etc.
… a good next stage, but we need to prioritize
… and that section being ignored, make as good as possible
… not be bad for user privacy
… be definsible
… we don't own assets
… one of our members owns a browser
… we have 750 members, most of who don't own browsers, a couple own OS
… we couldn't lean in on privacy for technolgies
… for next year; it's pragmatic approach
Benjamin Savage: All these things rely at some point in time understanding who is whom
… depends upon how far that percolates in the supply chain
… one hand, stays on device, other end, goes through whole supply chain
… it is so hard to audit
… sounds like you are working on that
Ben: one relates to establishing min bars for data security
… other piece is concept of seller defined audiences
… relies on footprint
… and use footprint to make cohort or audience attribution
… and roll out to large devices
… and do signal mechanisms with @
… so signals can get audited based on segmentation
… fundamentally different way of acquiring identifier itself
… if that makes sense
Wendy: any other questions or comments?
Aram: I wanted to say thank you for presenting this
… cross-discussion is very useful
… see where both sides are moving towards, the browser and implementation worlds
… thanks for walking us through this
Wendy: Terrific
… thank you Alex and Ben
… if you can make your slides available, I can link them from the minutes
Alex: I can
Wendy: we have got ten minutes left
… we close the one-off session on FLoC origin trials with people still on the queue
… hope you were able to take your questions to Github or other online vneus
Additional FLoC Q&A
Wendy: if there are more questions to raise here, let's put that on agenda
BenS: I asked about FLoC IDs revealing sensitive user IDs
… they sent me to a white paper
… a concept of T closeness
… looked like subtraction difference
… several of us thought it should be a geometric difference
… should you be dividing or muliplying these things instead of subtracting
… no absolute value sign
… seems that could be a problem on absolute value
… and definition of "sensitive" was overly constrained
… I wondered if some other entity had data about characteristics about the race, ethnicity of FLoC that Google Chrome doesn't have access to
… would you consider mechanism to measure baseline prevelance of sensitive site list info
Michael Kleber: Going through Ben's three questions
… T closeness, we used a subtraction rather than geometric; we tried both
… from Bayesian POV
… start out near zero could double chance of believing something
… but adding to probability effect
… if you learn something about a person
… and it's 1.6% likely rather than o.6% seems like we don't want to knock a FLoC out of contention
… when 98% of people don't have this attribute
… so doesn't seem we want to remove a FLoC from consideration
… if arithmatic diff is small
… not end of story, but arithmatic solution seemed more appropriate
… correct we don't have an absolute value
… we are looking for an increase in absolute value
… some areas are senstive
… if converse were also sensitive
… were looking for confluence of sensitive attributes
… and didn't want to throw out a FLoC based on that
… it was a considered choise
… about sensitive attributes
… you are right we can only analyze FloC sensitivity
… based on certain behavior
… agree that is only a first, rough approximation pass
… we would be extremely interested in conversations about alternate approaches
… to help identify sensitive cohorts or ways of analyzing data
… allusion to private intersection
… sounds like the sort of privacy preserving tech to consider using
… sounds like excellent avenue for future discussion; thank you for bringing it up
Alexander: hopefully short, easy question
… how are you treating incognito mode?
… opt out
… what object are you browsing; get sensitive info; how does it change dynamic
Michael: If you are in incognito mode, FLoC is turned off
… or having not viewed pages on enough domains
Alexander: For the current origin trial, still evaluating whether incognito on FLoC
apireno: Determining whether sensitive PII
… or cohort
… people might browse
… if you are discounting
… could make it harder if they should be included
Marshall: It's still early
<btsavage> I suggest random floc ID for private browsing
<btsavage> that reveals the least info
Marshall: reagarding incognito
… happy to hear folks' inputs
… we are still evaluating and discuss and explore the right approaches for private browsing mode
Wendy: Thanks, we are at the end of our time
… Do we have anybody who is
… check if anyone is available to present on the PRAM use cases
… and see about the scheduling of that and with James on SWAN
Angelina: I don't see Michael on chat
… and told him there was an opportunity
… Michael, if you are on, please respond
Wendy: thank you, Angelina, I will coordinate with you on that offline
… please continue with other discussions offline
… see you next week
<wseltzer> [adjourned]