Meeting minutes
<wseltzer> https://
<wseltzer> https://
<wseltzer> proposal status
Wendy: Thank you for offering to provide agenda items today
[reviews agenda]
Introductions and Agenda Curation
Wendy: If we get further, we can look at use cases to see if we have more material to add there, or to call out specific sections
… as we have added to our discussion of proposals and make sure that's reflected there
… Any other business?
… Do we have any new participants who want to introduce themselves?
[Two guests introduce themselves]
Wendy: We take notes and queue up in irc, linked to bottom of agenda emails
Gnatcatcher, Willful IP Blindness Principles
Sam: Hello everyone, I am Sam from @
Wendy: We had a question on the list about Gnatcatcher and Brad from Google offered an update
Brad Lassey: We proposed this for blindness
… at a baseline, provide IP privacy or NAT
… to obscure IP addresses to larger cohorts
… to combine with blindness so there is an opt-out for servers
… and be compliant with a policy to not use IP addresses for tracking
… a couple weeks ago we published a set of principles
… a set of acceptable use cases we see to run a web server and need to be preserved
… and a gray area of additional use cases
… we need feedback and need to understand what the right tradeoffs are between privacy and utility
… I was hoping to get feedback from this group about the gray areas and where to draw these lines
<wseltzer> https://
<jdelhommeau> present
Wendy: thanks, Brad. I hear a request for feedback
… expect you will take feedback in Github repo, list, and here
Brad: we are specifically looking for use cases, justification for those use cases and tradeoffs
… seems that this group would be good to generate that, if there is appetite
Andrew Pascoe: I have some high level questions
… Do you intend to create a working group to push the spec forward
… there was something in October, but nothing since January
… wondering if it was under cared for
… We were surprised to see almost as a footnote in the privacy sandbox
… One do you intend to form a WG; two, is this something that Google is very serious about implementing or is it in an ideation phase?
<wseltzer> Explainer
BradL: there has been discussion around this in IETF, being more network protocol layer
… we ran an interim on IP privacy in January; a document that was generated
… that has been discussed in the last two IETF PEARG meetings
… in IETF112, last week
<wseltzer> [PEARG= https://
BradL: yes, to the extent we are trying to find the right venue, certainly
… that venue looks like IETF right now, but happy to discuss here
… And Chrome, yes, we need to solve for IP privacy in the grand scheme of privacy
… And Gnatcatcher is our best guess for what this could look like...for IP blindness
… that's our current best guess
AndrewP: I haven't been privy to anything at IETF; what were some concerns that came up about breaking functionality
<wseltzer> https://
AndrewP: or make the web more prone to attacks that are masked, things like that
BradL: last January, we sought out folks from anti-fraud, anti-spam areas; heard their concerns and needs at a high level
… message heard that IP is used for anti-abuse
… the document we are working on under the PEARG umbrella
<wseltzer> https://
<npdoty> this draft looks at use cases for IP addresses (as relevant for potential IP privacy work): https://
BradL: is on anti-abuse
… and we have anti-abuse CG in W3C, looking at higher level, not just IP addresses which is more narrowly scoped in IETF
… In last week's discussion there was
… a lot of privacy advocates in PEARG
… wonder why we are preserving geolocation
… I see that as a call to action for a group such as this
… Let's put together a document for why geoIP is an important use case for web, versus privacy tradeoffs
AndrewP: with Gnatcatcher...IP address is somewhat stable
… how stable are the mass IPs supposed to be?
Brad: Somewhat stable; still a question of implementation details
… key bit being stable for first-party interactions
… gets to privacy model of web that Chrome is proposing
… by limiting ability to link ID across first party interactions
… allows for certain amount of anti-abuse interactions
… but not be across parties
AndrewP: thank you
Jrosewell: sustainability
… energy consumption
… and secondly some use cases where this won't apply; what is the governance, appeals process, alignment effectively for that
… does or doesn't have access to IP; could break a business model
BradL: goes to performance and any overhead
… goal to limit that as much as possible
… in terms of understanding which use cases are deemed policy compliant or not, we are looking for that kind of feedback
David_Dabbs: a follow-up to Andrew's comments
… sort of coming out of nowhere
… would be a great help
… where is your repo?
Brad: it's not in WICG
… it's private right now
… no adoption yet
David_Dabbs: anything you can put in the current repo to links to where people can see where this is being discussed and germinated
<AramZS> Reflecting this request for a use case in regard to GeoIP in a issue on our repo - https://
David_Dabbs: is this pay to play? Open?
<npdoty> IETF does not have membership
Wendy: IETF is an open organization. People participate as individuals and anyone can sign up to mailing lists and sign up for Github repos and register for meetings
… and like W3C they capture minutes of meetings
… I put some links into the minutes for PEARG
… thank you, Nick, for adding link to drafts under discussion
DavidD: limiting to first party; will that be limited to first party sets
… and won't be limited to players large enough to have established a first party set
Brad: not yet determined but that would make sense
BrianMay: you mentioned use cases
<npdoty> there may be interest in IP address privacy even from the first-party destination server
BrianMay: are those referred to in the IP Blindness use case doc, or captured somewhere else
BradL: yes, and that same framing is in PEARG
BrianM: general discussion about moving this to PAT CG
… is this something you are considering?
BradL: I don't think this fits in PAT CG
… that was established to focus just on Advertising
… this is broader
BrianM: that makes sense
AlexCone: Has there been any discussion that you can share
… or any thinking on how this can compare
… or come in line with private relay from Apple, or this can align or integrate with that for a similar outcome
… seems like an unfortunate place to be
… wondering if there is any discussion if you can conform or if Apple conforms, particularly with IETF
BradL: when we laid out Gnat, we used MASQ proxy
… some differences in how they are being applied, that are more...
<npdoty> MASQUEUE: https://
BradL: carve out abstract connections under policy
… and that doesn't exist under private relay right now as I understand it
Valentino: use cases for geolocation
… every country has a different privacy law
… how to process what data is received, even from first party
… would be a minimum requirement for us to satisfy the local laws
BradL: that is already set out
… for acceptable compliance for country level or jurisdictions of 500K people
… and adhere to that with Gnat/proxy as well
Valentino: do @ have listing of why it should be preserved?
BradL: the PEARG doc on privacy discusses uses of geoIP
… I actually wrote most of that
BradL: if I got anything wrong, or missing, please chime in
… we are taking issues for that on Github
… and the proposed principles lays that out
<Zakim> AramZS, you wanted to comment on PATCG
BradL: Looking at PEARS and Principles docs, we want discussion and feedback
<alextcone> decent video documentation of Apple's Private Relay - https://
<alextcone> super basic implementation guidelines of Apple's Private Relay - https://
<Zakim> npdoty, you wanted to comment on geolocation of privacy law
Wendy: Aram, did you want to speak?
ErikTaubeneck: hey Brad
… Do you know if Android is considering a similar standard that would adhere to the IETF standard?
BradL: I don't have anything on that now
NickDoty: Thanks for the overview
… I am trying to keep track of the different locations
… presume some users use VPN
… companies maintain legal compliance
… any recommendations or suggestions where there are conflicting laws and it's not possible to comply with two jurisdictions at once
… with conflicting...
… don't know where they are
… is there some administrative division?
<npdoty> no problem, I'll try to reach out on github to find out more
BradL: Would be great to get those concrete examples
… I do recall some examples, but cannot recall at this time
James: will this change affect all web traffic from the browsers
… if one party is dealing with another party for legal compliance
… but first party doesn't need to understand true IP of the device
… is that handled by all traffic, irrespective of supply chain of publisher, or more detail?
Brad: possible to have first party that would be blind; third party that is proxied; one of principles
… if blind, you do not share info to be policy compliant
James: registerable domain and if willfully blind or not; thanks for clarification
Wendy: I closed the queue to wrap up this segment
… it seems, Brad, you are inviting further feedback in this group; in the repo, and looking for input on the use cases and needs
… so that we can have a conversation about where IP blindness would fit into existing apps, or where it needs considerations to be brought to our attention
… and how to develop a stack to work with this and other privacy tech and features that we have been discussing
Brad: other info beyond use cases themselves is the value of them
… measure privacy and utility impacts
Wendy: great, thank you
… one of the values that this diverse group can bring, is that people see different things
… and can help explain those differences to us
… so they can be considered and iterated on in proposals
… and just as Andrew asked for us to discuss this today
… and we welcome anyone to bring it back for conversation
BrianM: are you asking about value that won't work in different use cases?
Brad: if talking about anti-abuse, there is a big carve out, but understanding what classes of attacks
… in terms of geoIP, what is the value of that to users, publishers, what does it bring to the user experience
Wendy: not as a dollar value, but what function, need, or benefit or value is made available by not having IP available
Brad: value is pretty generally definted
s/defined
Wendy: Thank you for pointers to various documents to find more
PUFFIN
<wseltzer> https://
<wseltzer> https://
Wendy: Don, you wanted to share some updates on PUFFIN
DonMarti: yes, hello
… really briefly there are two contradictory problems with third party tracking in web advertising
… first is third party tracking enables publishers to achieve additional ad revenue for their content
… this has been covered in Prof. Johnson's papers
… other issues is third party tracking impressions that otherwise would not be monetizable
… to get filled with high value adv
… in old web system, we take good with bad
… take revenue boost from legit along with revenue leakage
<wseltzer> https://
DonMarti: with sites they are not engaged with
… What seems to be an underreported advantage
… of moving realtime bidding for adv in the browser
… is now that ad placement is being run
… by the user agent and can be run in the user's interest
… PUFFIN is what I expect will be first of a family of proposals to somewhat tweak the rules
… so the user can buy the maximum quantity of ad content
… in exchange for minimum cost in resources and attention
… the specs are in repo I linked to
… that proposal is a fairly simple way to minimize the number of high value ads that show up in low engagement sites
… we have already had a few issues come up on PUFFIN
… I encourage future issues and pull requests, and I am available to take questions
<wseltzer> https://
Wendy: thank you
MichaelKleber: thank you, Don
… I am trying to think through the implications of this proposal
… in the model you are proposing
… you are trying to prevent certain transactions from happening when user goes to site one
… prevent some sale from advertiser and publishers
… based on some action user did on site two
… do I understand that correctly?
DonM: yes
… and site two could be
… would in normal use site two would be a large number of sites that the user had previously interacted with
… the actual PUFFIN value will reflect interactions across entire history with that category of add-on
MichaelK: the thing you are trying to prevent, in case of added price floor
… is not meant to increase user's privacy
… it's meant to be a browser intervention to change the flow of money?
DonM: it depends upon the definition of privacy and the number of channels of influence you are willing to look at
… a significant risk for privacy enable advertising...people who run @ and fraudulent sites
… those bad actors have incentive to send out a large number of links to their sites
… in hopes of getting some traffic
… when user goes to those sites, their browser will show an ad
… and bad actor receives revenue for that ad
… when I look at problem of moving ad decision making into the browser
… one of areas I want to make sure is not incentivized
… is giving those problem sites ability to get more users by having their ad slots filled in by the browser
MichaelK: thank you
… my initial reaction is that privacy sandbox has generally been an intervention
… preventing building of profiles by users
… this seems somewhat out of scope for Chrome privacy sandbox
… I feel like it would require some heaving lift to incorporate into model
… for what UA...provides...decision for privacy safe way
… If I understand correctly, the browser should prevent them from doing so
… seems like a heavy lift for the browser to provide this
DonM: right
… the browser is the agent of the user
… realistically, realtime ad placements are more complicated than the user would be able to resolve themselves
… No one will click through to their morning news and act as own auctioneer for any ad they will be seeing
… browser is responsible for making decisions user would have made if user had the time to understand the adv market and resolve rules by what they chose
… when you have a system where a low-engagement site
… where some user would not choose to engage with if they knew before clicking what they were about to click on
… then the browser's implementation of and advertising market
… has to reflect those choices that the user would have made
… otherwise an intervention at one hop distance, causes one small privacy benefit
… could cause a bigger harm
… by bombing that user with deceptive links
MichaelK: thank you for this interesting conversation
DonM: I am happy to bring this up in whatever form is appropriate
<Zakim> npdoty, you wanted to comment on user choice
Wendy: This is a different angle on the needs and wants that the user may be trying to express
NickDoty: I may have a similar question; what choices would the user want to make
… not just that a user wants to see a certain ad
… its' that the user wants to distribute revenue, attention
… I go to this blog a lot, and I want to support them, and instead of using micropayments
… I will distribute how much I am willing to see through targeted ads
… if that's not it, how is user making that choice?
DonM: a pure scraper or arbitrage site with vanishing or low value and can only get traffic through deception
… these sites are out there
… they copy content from a legit site
… they throw net in water and try to catch a high value ad
… the browser is in a position
… to shift the rules just a little bit
… in order to lower the returns on that kind of deceptive
… or unproductive activity
Nick: just seems like user doesn't know when they are going to a low-value site
… if I click on a site, I didn't know if was low value
DonM: yes, someone sends you a link and you click and bam, ad for Ford Explorer
… but somewhere there is another site missing ad impression due to a market failure
… in ad-supported media, people trade ad resources for content
… in places where high value ad ends up on low value content, you have a market failure
… with today's system, browser is less able to ameliorate that than where the ad auction does it
Nick: where user thinks it turns out to be high value?
DonM: we are stepping out of scope of PUFFIN proposal
… an example is Google Chrome has a site engagement score
… might be a positive choice for that browser on behalf of its user to adjust the advertising market based on what it knows about user engagement
Nick: Helpful clarification, thank you
<jrosewell> I have a general concern about browsers making decisions about user engagement and how that might hinder new entrants ability to gain market share.
AramZS: thank you for bringing forward the proposal; a lot here
<npdoty> I think my concern is that users still want ad benefits to go to sites they haven't visited much, or smaller sites that don't get a lot of traffic, etc.
AramZS: seems it may be beyond the targeting, anti-fraud measure
… a degree of anti-fraud due to privacy invasive features to keep things off low value sites
… currently works, to fulfill that promise
… uses privacy techniques
… and sandbox ....replace in such a way to
… look at it from trying to prevent fraud from low value sites
… and replace some of functionality that will be going way
<kleber> Chromium already has a notion of user engagement with a site -- see some info at https://
AramZS: when anti-fraud features no longer availabe
… would this help enhance?
DonM: not impossible challenge but we need to keep in mind
… some of these discussions are broken up across multiple Github repos and multiple meetings
… in Anti-fraud there is a promising trust tokens
… seem to be doing what you descrivbe
… coming up with a way that advertisers can address fraud problems without risky third party tracking
<npdoty> but we could see that users could make different decisions and that could be valuable. maybe I prefer my attention/revenue go towards smaller businesses, or I want to boycott a certain company whose other practices I don't like, etc.
DonM: and at the same time, trust tokens have the same scraper site or arbitrage site or low value site problem
… that other proposals do
… in that id doesn't seem to be very hard for a low engagement site to quickly redeem a trust token
… if you mistakenly click on a site, that site can grab the valuable eyeballs and say, 'give me a valuable ad'
… and that user sees a couple seconds of an expensive car ad before they bounce from the site
<kleber> yup agreed, understanding a user's goals for what sites they want to support is not straightforward!
<npdoty> I'm not quite sure how we're going to distinguish between "mistakenly clicked on a bad site" and "clicked on a site to a blog for the first time that answers a particular question and then leaves"
DonM: when we talk about relevant ads...like to talk about where in PUFFIN
AramZS: different targets of anti-fraud
… anti-fraud also with spammy sites
… when barrier between inside/outside of iframe is increased
… things used for brand safety or avoiding low quality sites, those will not continue to function
… this might be a way to solve that problem
… there is not a way to solve that in way there is to solve for fraud with trust tokens
DonM: there are users out there
… whose main impact is now I'm getting more spam links to sites that can pick up a high value ad
… from POV of browser, addressing need for users not to be monetized on sites they would not choose to visit is an important point
AndrewP: I have a couple questions, Don
… first you couch this as user supporting sites
… the way market works today is advertising supported sites
… I wonder why you are shifting to this user thing
… Second question is...
… an assertion
… Aram just said we don't have mechanisms for dealing with fraudulent sites; I don't think that's the case
… In FLEDGE we get domain; in PARAKEET...
… we evaluate site quality
… if things are not engaging, or don't convert, through ML
… we lower price on ads willing to pay for those
… which supports the market dynamic
… on FLEDGE, weird to separate the @ and @
… can be passed to the bidding groups and say 'don't bid' if you are not comfortable with that domain
… why do you think that problem is not solved? I don't see it
DonM: first, from user and advertiser supporting sites
… it's certainly the adv is providing money for the site
<AramZS> Yeah, I agree, distinguishing between mistakenly clicked on a bad site and entered a blog for the first time is difficult. That's the biggest issue. Though theoretically they might have higher ad floors for quality reasons that can get them into the PUFFIN group?
DonM: but advertiser is paying for an impression reaching an audience
… user visits site, becomes part of a revenue producing audience...
… comes in exchange for users' attention
Andrew: sets price based on quality of audience
DonM: right
… as a user I might have different preferences
… and norms on ad placements from some of the advertisers who are trying to reach me
… so the user
… not every person shopping for a car, agrees with every ad agency with a car client on what sites they want to support
… there ends up being a difference of opinion and a difference in interest
… between the user and some of the other parties in the system
… the browser is the agent of the user
… and because the browser has a duty to
<alextcone> the interest being solved for here is that of the publisher who doesn't find themselves on the browser's blacklilst
DonM: act in the user's interests, sometimes there is going to be an ad placement that some advertiser is willing to pay for, but the user doesn't consider in their interest
… always going to be there
… users who want to get the most ad-supported content for the amount of attention they put into it
… they will want to influence
AndrewP: what other media channel operates like this?
… If I see an ad on a billboard, TV, radio...etc. I don't have a say in the pricing
<AramZS> I mean... no other channel targets individual users in the way digital advertising does...
DonM: right
… that is something where there is no such market
… in print media, the printing press is the agent of the newspaper publisher
<blassey> On the queue just to say that I don't see Trust Tokens as the be all, end all of Anti-Fraud and abuse. So proposals that address other forms of abuse would be interesting to discuss in the anti-fraud CG https://
DonM: I don't have a printing press that I signed an agreement to let local paper print my news on
… with the web there is this tech that is an extension of me, the UA
… that same
<AramZS> Right, no other advertising technology consumes the user's resources in the way we are proposing browser-mediated ads do.
<npdoty> if we are interested in requiring analogs to other media systems, I think there are many different privacy impacts on print and billboard ads compared to ubiquitous online tracking for behaviorally-targeted ads
DonM: piece of tech is also being asked take on the role of auctioneer and market operator for an advertising market
AndrewP: thank you
Wendy: We are at the end of our time
… you have opene up some interesting questions for people
… please add more questions to list or bring up to another discussions
… we will not meet next week but return on November 30th
… when we have the content taxonomy 3.0 queued for discussion
… as well as other subjects
… to those in the US, Happy Thanksgiving
<kleber> 🦃
Wendy: and to those outside US, a happy lighter email period :)
<AramZS> thanks all!
[adjourned]