W3C

– DRAFT –
Improving Web Advertising BG

28 October 2021

Attendees

Present
alextcone, AramZS, blassey, bmay, charlieharrison, cpn, dmarti, eriktaubeneck, johnwilander, Karen, Kazuhiro_Hoya, kleber, kris_chapman, mjv, npdoty, robin, wbaker
Regrets
-
Chair
-
Scribe
Karen

Meeting minutes

<wseltzer> Introductions and Agenda Curation

<wseltzer> _consolidated draft agenda:_

<wseltzer> * agenda+ Introductions and Agenda Curation

<wseltzer> * agenda+ Preparing for the standards track: what's ready to move to a WG, what should be in-scope for charter(s)?

<wseltzer> * agenda+ Update on reconciliation processes for the Aggregate Measurement / Click tracking proposals & TURTLEDOVE / PARAKEET proposals

<wseltzer> * agenda+ Reporting on experiments: learning from origin trials and other experimentation [Thursday]

<wseltzer> * agenda+ Person-driven advertising.

<wseltzer> * agenda+ Standardizing contextual advertising, with reference to IAB Tech Lab's Content Taxonomy 3.0: [Thursday] https://iabtechlab.com/press-releases/tech-lab-releases-content-taxonomy-3-0/

<wseltzer> https://iabtechlab.com/standards/content-taxonomy/

<wseltzer> * agenda+ Examining Privacy Signals: GPP, TCF, GPC [Thursday]

<wseltzer> * agenda+ Documentation sprint: improving use cases and documentation of proposal status

Wendy: Welcome to the second session of Improving Web Adv on the Web
… we'll wait a couple more minutes

Wendy: Let's start by looking at items on the agenda and doing some arrangement of those

Introductions and Agenda Curation

Wendy: Lots of topics people are willing to talk about in this second session
… We heard interest expressed in preparing for a standards track

[Wendy reviews agenda topics]

Wendy: We also heard interest in privacy signals, reporting on experiments and standardizing contextual advertising today
… does that match interest of people joining us here today?
… or other topics you wish to recommend that we discuss
… we'll do minuting and share that as usual
… with those who joined the other version of that call
… and of course bring back to our regularly scheduled discussion group
… Seeing no one on the queue
… That suggests maybe we just try to break it up about 20 minutes each for those three subjects

Examining Privacy Signals: GPP, TCF, GPC

Wendy: Since we haven't heard much lately about privacy signals, why don't we start there

Robin: Do we know what people wanted to hear?

Alex: we could start simple, then I'll over-complicate it
… we can go that direction, or reverse it

Robin: I can talk about GPC
… Global Privacy Control, a one-stop shop of 'do-not-sell'/'do-not-share'
… being discussed in California and other places

<wseltzer> https://www.washingtonpost.com/technology/2021/10/26/global-privacy-control-firefox/

Robin: one bit over HTTP and the DOM
… only so much complexity to do there
… has some good institutional momentum
… it's in Brave and DuckDuckGo, and soon in Firefox
… Decent adoption in terms of web sites

<ddabbs> Do we still use IRC queueing?

Robin: four out of five of major consent management tools support it natively
… as a checkbox to add
… NYT, WashPost supports it
… there is a list of sites that support it
… From Times perspective, it's been easy and fun

<alextcone> https://well-known.dev/?q=resource:%22gpc%22#results

DavidDabbs: a lot comes out of apps
… if you add header, should recipient abide by it?

Robin: we separate out
… from legal mechanism because we have to
… spec can tell you if operating over HTTP
… can include as a signal
… expectation as I understand it (not legal advice)
… you would have to abide by it because you are getting the signal
… technically idea from regulators is that different contexts might require different signals
… carrier pigeon, add a foot ring [laughs]

<npdoty> it may generally be hard to add the HTTP header to an app, compared to being able to set it in a browser

Robin: Alex probably has info on how it gets passed on further

BrianMay: I understand how GPC has come about
… a lot of efforts to get something done and get heard

<npdoty> or rather, it might need to be added to each app

BrianMay: But I'm curious based on your experience, what your experience is
… on the expressiveness and richness of conversations
… something that says, 'just don't do this' is having

Robin: In terms of expressivity, good to keep things simple
… we tend to over-think privacy
… it's about 'do not sell', not about a lot of other things being done with data
… first party can do all kinds of things with data, but not have them reuse data in context from which they acquired it
… we have not felt need to have more advanced discussions
… also, how I understand from direct experience, this matches a strong expectation of our readers
… want to have a conversation about value exchange; data for access
… readers never see that value exchange happening
… they see something, they don't want to pay
… so they opt out
… This aligns very well with user research in terms of expectations of our readers

Brian: great answer, thanks

Don: I think it's important in understanding GPC, to break out 2019 from 2020 project
… CafeMedia is one of the companies that launched early support of GPC
… in order to comply with CCPA
… we had to do a project before CCPA went into effect, to enable that 'do not sell' workflow required by that law
… the GPC is a much smaller one
… taking a small piece of information, that GPC setting, and then applying it as if that user had gone through the manual process
… There is a regulatory overhead for compliance with privacy laws
… depending upon activities of what companies do with data, it varies

<Zakim> kleber, you wanted to ask about connection to user intent

Don: on GPC side, just looking for the signal, and if there, just treat it like whatever process you built in 2019

MichaelKleber: Thinking back to the 'Do Not Track'
… last time people in this crowd went through that was somewhat similar to GPC
… remember history of DNT
… one of them was the fact that in DNT it was not clear what people needed to do in response to this header
… GPC does a good job of clarifying
… other thing is concerns about signal becoming divorced from user intent
… Sad history was a set of decisions in which various entities that were at various distances from the user
… deciding to insert DNT as a default
… there was a major browser, a major router, and an ISP decided to add to all traffic coming through from their users

<npdoty> HTTPS is awesome

MichaelKleber: Love to hear your thoughts on GPC and whether it becomes divorced from user signals and user intent
… and people's willingness to believe it represents the user

Robin: That is always a risk
… at some degree
… whether consent counts as property consented; whether opt-out is debated
… and speak for user when user speaks
… or not it's convenient
… Less likelihood of MITM
… at the time
… not going to ISPs or routers
… however there is a gray area clearly in terms of what browsers should do
… The regulations do speak about fact that if regulators installed something with clear expectations about privacy, then that counts
… Some IAB legal counsel is considering a requirement for specific consent to opt-out, which is more extreme position
… some expectation for browser to install privacy
… Looking at studies, if question is do you expect browser to protect you?
… overwhelming consumers say yes
… So it's not a pure policy discussion
… hotly debated in the current CPRA process
… we'll see some back and forth
… Brave can make case that it gets downloaded for privacy reasons
… can say it's an extension and they can back it up
… will become more interesting with FF
… can they make claim that's enough; love to see what they are going to do
… Will they show a pop-up
… in jurisdictions like CA
… and claim they have clear opt-in
… Don't want to make representations that this is an easy area
… In DNT did say they would address the policy side
… and policy makers said great, 'we'll come back and not do that work until you do'
… situation we don't have today, so hopefully we get it right

Wendy: Adding you, Alex, to broaden the discussion

Alex: I do this at the risk of losing all credibility in W3C circles
… I will show you some screens
… this group probably doesn't like slideware

Wendy: try again

Alex: super basic slides
… talk about global privacy
… and what we are trying to do with new protocol is to encompass all the privacy work coming out of Tech Labs, @ and put into one protocol, plus

<wseltzer> https://iabtechlab.com/wp-content/uploads/2021/03/iabtechlab_global_privacy_platform_rfc_2021_march.pdf

Alex: from one standpoint, ad ecosystem we have not covered
… TCF, US privacy are region specific
… would like to broaden that
… building frameworks per block is expensive

<npdoty> +1 for broadening scope for user controls outside of particular jurisdictions

Alex: why are we tracing around edges?
… Would rather not
… but pragmatically that is what drives roadmaps
… privacy and legal folks need a story for complying with the law and what we do
… This basically accepts that reality
… short-term fragmentation approach v. single way of doing it
… things do consolidate in terms of controls given to users
… would be a better world, we can likely agree
… We have the Global Privacy WG, focussing on that problem space
… a protocol for signaling, tooling to support
… some regions have consensus based and some that don't
… what is out is some centralized UI
… not building a @ tool, just a @ mechanism
… or not one policy or contract
… the general makeup of what we are designing is an API with a string
… and some tooling around client and server-side APIs
… a table of contents with sections of regions
… Brian said it really well
… we have this issue of what user has seen or said
… the reality on the ground
… doesn't differ from GPC, we need signals to hit...that don't have user facing
… Each region includes encoding presented to users, associated choice
… designing a rubric and recipes
… meet market where it is...Chief Privacy Officers...
… point to something for compliance
… we have regions we don't expect to come together, but still want to do signaling
… IAB US just put out 12 different regions' laws
… lens of transparency presentations, choices, extra territoriality

<kleber> Robin, your description of GPC made it sound much more like a "contextual integrity" signal than how I've heard it described previously. Is that deliberate? I think of CCPA "Do Not Sell" as being much more commercial than integrity focused

Alex: look at same lens and create matrix of what law says for advertising
… most don't mention adv specifically
… we are using that to design this common encoding rubric
… then one thing I want to call out is other inputs
… I would love for this thing to be policy-agnostic
… especially server-side
… to get a GPC signal
… Point is anything that has been communicated to a user in a standardized way, and user has made a choice
… and would be packaged up in this protocol
… Final bit is multi-jurisdictionality

<johnwilander> (I was going to ask a question on GPC but it seems we've departed from that.)

Alex: some laws are extra-territorial
… hit sites that are global but take regional approach; could be collecting across regions
… want to be flexible
… working on client side API, common interface for finding what's in the string for a given request
… and being able to parse that out if you are on the page
… and work on API for library
… for server-side implementations
… I realize we are 30-minutes in on privacy signaling
… we are in draft mode with this
… don't know how to equate it to a W3C rec
… We call things 'final' but we're not there yet
… I'll drop link of the last public version into irc
… That is last time I get to talk in W3C due to the slides [laughs]

<AramZS> This is a very slide friendly group!

Wendy: Slides are helpful to walk through it

Joshua: I wanted to return to Michael's ghost of DNT past point
… one of challenges back then, and not seeing signaling approaches being addressed
… is the value approach
… remember vaguely from DNT, there wasn't guidance when user was signaling
… more importantly, what about site or org specific overrides to signals
… and if that is part of any signaling efforts we are talking about

Robin: That is an easy one
… we separate out signaling from what decisions browser makes
… browser could expose a UI component to exclude something from GPC
… seen some exclusions

<npdoty> DNT did standardize site-specific overrides, that could be triggered from in-site content that explains it and gets user consent. I wasn't aware of any sites that significantly used it or were planning on relying on it.

Robin: I've also seen some discussions about whether this could be a setting an extension could control
… if extension could control, browser could make decisions, have disconnect lists
… and allow forms of some third parties that are GPC friendly
… could be an additional layer
… technically supported, a question of where the UI goes

Brian: a couple things
… one for Alex
… have you looked at advanced data protection control out of the @ project...on consent signaling

<npdoty> https://www.dataprotectioncontrol.org/

Alex: the 'none of your business'?
… am I right?

Robin: yeah

Brian: Schrems3 [joke]
… IAB Europe makes reference to it in documentation
… what I am concerned about and predictable, no one is trusting anyone
… I get that
… in Europe
… maybe to some degree US privacy API, there was more than adtech at the table
… I spent thousands of dollars meeting with publisher in Berlin
… I think that will keep happening
… classic engineering, we built it here

<robin> kleber: I wouldn't say that it implements CI, but it's definitely related within the limits of the origin policy. I think one thing that is confusing in "Do Not Sell" is the idea of "sale." One way to express that idea with less semantic baggage is as no third-party data controller.

Brian: better that we built it is going on on both sides
… I would love to see consolidation around signaling

<npdoty> what are the two sides?

Brian: Let's not do 50 of these
… but figure out how we answer the chief data/chief privacy officer's questions, even if rules are incoherent

Brian: I am intrigued by things @ were talking about
… Question for Robin for global privacy control
… signal says 'don't sell my data to other parties'
… have you discussed impact on people who rely on that data
… and what are the mitigations
… how do people behave when there is a GPC signal?

Robin: That is a broad question
… I cannot answer for the industry
… I see it as a more intelligent cut than options we have today
… technical level of enforcement is either no third parties at all
… or just like broadcasting is around
… GPC says you can work with any number of suppliers but they cannot use data in other ways; cannot be leaking

<npdoty> I think maybe dmarti had described earlier that companies may have already considered how to comply with CCPA (or CPRA), and that GPC doesn't make something new

Robin: third parties conceptually similar to first party
… is that the ideal cut, I don't know, but it's an improvement on everything we've had so far
… for impact, a lot still to be done in this world
… removes significant problems...best trade-off at that level of simplicity

Brian: I understand first part of answer
… but when we take it away, and people who rely on no contract, no data sending relationships, where do they go next?

Robin: I am struggling to answer question without more specifics
… if you are talking about pipes
… we already don't have time in this session, but I am happy to go through a series of use cases with potential negative impact

<AramZS> Is the question, what happens when people who track users are faced with a clear signal to not track users?

Robin: happy to go and see what negative impact may be

Brian: I take it from that answer that you did not think a lot about the side effects?

Robin: We did, and I do
… but you are not being specific

<Zakim> npdoty, you wanted to comment on user-initiated vs downstream

Robin: side effects and impact are very different
… 'people who touch data' is too vague

Wendy: This is a longer conversation that we should come back to

Nick: Thanks for both of those presentations
… I was particularly curious about potential interactions
… with lots of server to server comms
… going to be lots of server side comms
… that need to pass on signals that were received
… are these just two different parts of protocol
… needs for users and for adtech to communicate downstream?

Alex: on our side I can say yes
… OpenRTB is widely adopted for adtech
… not only piece
… Disney makes announcements they are working with Snowflake and @@
… outside server side requests
… that is definitely in our desire, our mandate at IAB
… Robin mentioned a conservative output on GPC
… in that same document we mention what Tech Lab can do to pass along signaling wise
… we got that in there; it needs to happen
… If you don't have a mechanism for reading it
… or everyone doing different things in passing it
… My understanding is Google manager doesn't send it out
… gives us window to define it
… get that signal and send requests outside
… but it is definitely in scope

Robin: GPC is designed to work with this
… hook it
… WaPo doing it that way

<AramZS> Can confirm and answer questions about how WaPo is doing it

Nick: Is there some place to continue that conversation?
… is it here? At next Web Adv meeting?

Robin: Privacy CG has discussed as well; here is ok too
… both work

Wendy: Let's see...

<Zakim> kleber, you wanted to comment on fingerprinting risk

<npdoty> great, I'll consider that as both a privacycg and web-adv discussion item

MichaelKleber: listening to Robin's and Alex's presentations
… Alex, signal you are talking about seems to contain a wealth of info
… and as browser person, that raises question of fingerprinting
… is there policy or tech...being unique user identifier and being a tracking vector by non-scrupulous players?

<npdoty> if the consent-string is only server-to-server, then it might not implicate client-side fingerprinting

Alex: It's definitely come up
… as far as mitigation goes
… what I would love to see

<robin> kleber: there is overlap with CI in that it implements the idea that the 1P can work with other parties but the important thing is that those parties should not then bring this to other contexts. The alignment between CCPA, CI, GPC, and The Times's "sole controllership/origin sovereignty" policy is real, but I wouldn't say it was all designed at once.

Alex: I have talked with Aram
… right now, the most verbose part of signaling is coming from TCF
… designed to restrict publishers restrictions
… built to do a restriction but creates a large service area from bits
… desire from that policy side, IAB Europe has tech signals WG
… to reduce complexity
… anything to reduce length
… in practice, you don't get a lot of difference in what people are choosing
… hope we can consolidate on signals
… we already see that; people making similar kinds of choices
… a whole rabbit hole of dark patterns, but they are not wildly unique
… maybe Don thinks they are
… they haven't been wildly unique and we want to mitigate it

Achim: had a discussion about that yesterday
… opportunity to reduce complexity of number of bits transferred
… also discussion on how regulators look at that
… could reduce complexity of choices
… and reduce...most comes with third party controls in TCF

<npdoty> I'm happy to help with the fingerprinting analysis if this gets specifically proposed as a browser/client implementation. I know sometimes it seems like there might not be high entropy, but it's worth considering, especially if it's passive/in every HTTP request

Achim: I would pick purposes, legal bases, a specific set of third parties I want to work with
… less complex info; could also do time based
… or always realtime
… huge potential keeping this format
… and carve them out through policy
… and come up with 20 possible strings that might come out of that

Aram: Technical barriers
… already is complex enough including TCF string
… and Google's consent vendor's list
… @ hits limits on size of ad request
… if you flip on every setting in TCF, you max out cookie space
… Idea of system that supports multiple legal frameworks is going to have to consolidate by necessity

<npdoty> ha, I like the idea that we're considering if there's too much entropy if there's so much detail that it can't fit inside an HTTP cookie

Aram: by technical necessity will need to figure it out by adoption

Wendy: I thought we would get to more subjects on this call
… we have ten minutes remaining, so let's keep going through the queue
… and maybe other items for next meeting

David: I think Michael already touched on initial response
… put a PING spin on your slides
… someone posted an IETF that pervasive monitoring is an attack
… our use of high entropy signals is going to appear suspect in protocols
… important to find a balance if possible
… that's it

<wseltzer> https://datatracker.ietf.org/doc/html/rfc7258

DonMarti: Just go back to Robin's point on how much signal users actually understand and have time to make choices about
… the way that GPC is being presented to end users
… is as general message from you to the companies you do business with, is all kinds of uses of your data
… outside of WebRTD, it applies to all kinds of actions

<dmarti> https://www.washingtonpost.com/technology/2021/10/26/global-privacy-control-firefox/

DonMarti: WashPost mentioned @ but not webads
… from users seeing this as a signal, more about me as a company rather than what kinds of ads I get

Wendy: given the interest
… sounds as though, Alex, we should talk with you on places where people should follow up on the IAB Tech Lab work
… Robin, you mentioned GPC is being discussed in Privacy CG
… is that work that might come to W3C in some form? Is there a role for W3C to play in that beyond adding to the discussion
… as individuals see fit
… Aram, I closed the queue

<dmarti> from that Washington Post story: "it should help cut down on junk mail, calls and faxes"

Aram: Alex got ahead of me
… and I added my thought

Alex: was not meaning to disparage anything
… I acknowledge the complexity and entropy
… function of two things; this world of engineering roadmaps and people asking their CPO/DPO what to do
… that is the tracing and compliance mentality
… ironically, other thing is aside from ecosystem
… using TCF as mechanism to fight back
… publishers fighting back

<robin> https://blog.mozilla.org/netpolicy/2021/10/28/implementing-global-privacy-control/

Alex: resulted in a metric ton of complexity
… to Wendy's question on how to engage
… our current work modality is we put out open comment docs
… that anyone can respond to, not on Github
… to my chagrin
… I can send Wendy some follow-up information
… for those of you in our working groups
… please put this feedback on our upcoming agendas
… thanks for the platform

Wendy: Feel free to share links
… and documents
… my apologies to Ben who was going to share information on Content Taxonomy 3.0
… hope you will come back to a Tuesday meeting
… we have talked a lot about targeted advertising
… but what about contextual, and where are the standards that are helping to improve contextual advertising
… so getting an update on Content Taxonomy will be helpful
… and apologies for Charlie and Josh who offered to share updates on experiments on origin trials
… I'd like to put that on a future agendum
… as we've seen, experiments in the wild
… we'd like to get feedback on what new guidance do we have for thinking about standards paths
… and where else to hear input for designing
… and what starts to be ready to move towards standardization
… I have closed the queue
… we are about at the end of our time here
… Glad we got some items queued up for further discussion
… I see lively chat in Zoom and in irc
… thanks everyone for putting up with our TPAC technology
… and for joining us in this forum
… finally, if you haven't had enough advertising discussion yet this week
… we have the Private Advertising CG launching and meeting tomorrow, 29 October

<npdoty> can we use the mailing list for more info on the contextual advertising and potential Recommendation-track work items?

Wendy: it's on the TPAC home page and schedule
… Thanks for the good discussion

Wendy: Feel free to ask questions on the improving web adv mailing list, on Github repo

<npdoty> applause for Karen on excellent scribing

Wendy: Karen asks for filling in gaps in the scribe notes today
… thanks to Karen for capturing lots of complex conversation
… thank you and next week we'll be back to regularly scheduled meetings

[adjourned]

Minutes manually created (not a transcript), formatted by scribe.perl version 136 (Thu May 27 13:50:24 2021 UTC).


Maybe present: Achim, Alex, Aram, Brian, BrianMay, David, DavidDabbs, Don, DonMarti, Joshua, MichaelKleber, Nick, Wendy