Meeting minutes
<wseltzer> feedback from the group on the current state of the proposal vs use
<wseltzer> cases. https://
Introductions and Agenda Curation
<kleber> Thank you!
<wseltzer> https://
<wseltzer> https://
Need for GeoIP use cases https://github.com/w3c/web-advertising/issues/130
<wseltzer> https://
<wseltzer> AramZS: this has come up in anti-fraud and other meetings
<wseltzer> ... I see this group as a great place to generate use cases that can be used by other groups
<wseltzer> ... can we generate that use case in this meeting
<wseltzer> ... I'm not a GeoIP expert
<wseltzer> ... but hear some people using it for anti-fraud
<wseltzer> ... cache fragments
<wseltzer> ... if there are people more familiar, who use or provide GeoIP, it would be valuable to have a full use case description
<npd> is this IP geolocation in particular, or just any signal of location?
<wseltzer> ... requessting input, can someone(s) document this need as basis for new proposals
<wseltzer> blassey: we're documenting these use cases in IETF land
<AramZS> I think IP-based in particular
<wseltzer> ... I'd be very appreciative if people file issues in that repo if there are issues not yet documents
<wseltzer> ... it's in the Privacy Enhancements Resaerch Group in IETF
<wseltzer> ... Ararm, shall we direct contributions there?
<wseltzer> AramZS: I have added a link to that issue
<wseltzer> blassey: as an editor, proposed text is much appreciated
<wseltzer> bmay: also suggest adding a link over in anti-fraud group's github
<wseltzer> AramZS: I'll put that on my todo list
<Zakim> npd, you wanted to comment on compliance
Nick: For PRG group, curious if people have more details on the compliance use cases
… have to know where user is to comply; laws are contradictory
… not provide too much compliance or contradictory?
Aram: I will add that to the repo
blassey: can share my favorite anecdote involving eggs
<Juan> Eggscellent
blassey: In France it's illegal to sell washed eggs; in US it's illegal to sell unwashed eggs
Wendy: yes, I'm familiar with tax laws that vary from jurisdiction
Nick: useful to know the use cases
… If I'm selling eggs, addresses, operating a grocery store
… different HTTP request; if that's illegal, may need different set of mechanisms
Wendy: Excellent, what I think Brad and Aram are inviting
… more detail on use cases you provide
… helps us know where in tech or bus stack where and how to respond to that use case
… We want to use this group to invite information gathering
… participants who are aware or involved with use cases, please take a look at those links to see if those use cases are yet document
Brian: what Nick mentioned just now
… reminded me of an issue I saw recently
… a suggestion in anti-fraud group for carve out for certain pages
… and call out for use as legit anti-fraud reasons
… sounds like that solution may apply if you want to know about someone's IP address or @
… If I find I will post in notes
<npd> there is an API to specifically ask the user for precise geolocation
Kris: When we have looked at this, we have issues with their being slightly different laws and reasons
… things change on locations; we still need to understand where user is to understand what regulations are in place
… for storage, that's what we use it for
<blassey> https://
Brad: Not on the use case conversation, but in terms of solutions
… call people's attention to the geo-hash proposal
… server can do @
… client replies with a fuzzed location
… publishers can reply how accurate they allow to be
… might be a solution in this space
Wendy: Thanks, Aram
<bmay> This is a proposal from the Anti-Fraud CG to allow more specific data which might be applied to GeoIP: https://
Wendy: I see you have added some notes to the issue in our repository, pointing over to the repo that Brad mentioned
… thank you, Brian for sharing a link to the geoIP anti-fraud CG issue
… any other comments or questions here?
Garima: Quick question on geoIP
… any consideration for VPN?
… would Chrome try to parse?
<npd> thanks, blassey, I hadn't seen that geohash draft. does that have a WG or RG home?
Brad: that is what it is...
Garima: thank you
Wendy: Nick asks if that has a research or wg home?
Brad: I think it says Network WG
Nick: I think Network WG is catch-all for the IETF
Brad: Tommy presented this at httpbis
Wendy: Looks like a relatively short draft so far
… We can move onto our third agendum
Check-in, dashboard https://github.com/w3c/web-advertising/labels/agenda%2B https://w3c.github.io/web-advertising/dashboard/
<npd> yes, there is a version at httpbis here: https://
Wendy: anything else from the dashboard, or other open issues that people would like to talk about before we come to bottom of the hour
… and the question of first-party sets
… We can keep irc dialogue going about where draft is represented
… and just note
… this kind of knitting together of groups across venues is one of the key purposes of our discussions in this business group
… making sure people have pointers to where our various organizations are, where topics are on agenda, and where proposals are being developed
<Zakim> npd, you wanted to comment on ad targeting
Nick: since we have extra time
… my main question was about those compliance use cases
… also expect others on call have expertise in targeting
… can understand with user choice and opt-in
… consumers may want to see ads related to their vague or specific location
<Juan> I'd like to chat
<weiler> [Ben Savage has been very articulate about the ad targeting use case in the past]
Nick: are there details about what precision is needed for those geotargeted ads?
Joel: to that point, it is used a lot of advertising
… DMA is smallest region targeted which I think corresponds to a city
… US state, city, zip
… all I can add now
<wseltzer> [DMA=Designated Market Area"
Juan: For geotargeting or designated market area (DMA) goes back to how to buy TV
<wseltzer> s\"\]
Juan: some can do country, state, city and zip
<weiler> [I've heard Ben advocate for finer-grained geo targeting; I don't know what's in use.]
Juan: some companies have retail locations
… can accomplish that with some IP address info
… I'm at DemandBase, a B2B marketing company
… we can identify where people work, what company they are apart of, and we can leverage part of that data for marketing
Angelina: for retailers they do black market testing
… spend money on some zipcodes and exclude others and see the different lifts
… both online and instore
… from finance standpoint, different interest rates by regions
… weather ads by region
… I live in Long Island, they may target me to travel locally to PA
… used for creative and for targeting
… sometimes it's a national buy with certain creatives for each market
… sometimes it's targeting a specific geo region with a specific message
Woody: To build off what Angelina said
… from media and adtech perspective
… country is always macro level
… insurance cos are state dependent
<cbstarr> Some cars are only available in certain markets...another geotargeting use case. e.g. Hydrogen Fuel Cell cars are only being sold in California and New York at this time.
Woody: why that's diffferent from DMA is it can go across states
… think country, state, then DMA
… then how deep...county, city, zip code
… and companies like FourSquare, Blis or CNAME
… us latlong data from phone, or IP address location based off a cell tower
… it can get very granular
… I have worked with clients that wanted to give a consumer a coupon in the store on their phone
<kleber> Kaustubha Govind from FPS is now on the call
Woody: can get super granular based on polygrams
Aram: I think he answered way I would
… as precise as possible
… what is the most precision that they want
… from the targeting use case
… existing in-market use cases down to the indiv store level and FourSquare type cos that make their living
… about data leveraged through the IP address
… certainly, about what people desire, about as much precision as they are allowed to have
Kris: I was a developer on a campaign that used geoIP data that transferred to LatLong
… to understand the weather for a user
… for a coffee chain
… help determine if they should sell hot or cold coffee
… and used people's IP addresses to help understand that
Angelina: There are some advertisers that have legal requirements as to who they can target specific messages to
<npd> thanks all, I appreciate this quick sharing of different uses
Angelina: if they target outside of the boundary of places they can target, they will get fined
… such as health, insurance, rate
… could be considered a 'bait and switch' if they provide the wrong offer to users
bmay: I don't think anyone mentioned census block to identified
… I have worked in applications for auditing redlining
<AramZS> Sorry census block as a basis for targeting you mean?
bmay: for selling credit cards or home loans
… also used in fraud detection
… if info you are seeing contradicts what you are seeing in browser, may indicate you are not seeing real traffic
Aram: I think these are all useful
… trying to document on the issue
… also brought up the inverse of an earlier use case
<kris_chapman> +1 heavily to the fraud detection use - and load balancing
Aram: negative geofencing
… where you target an ad so it's NOT shown in an area
… such as ads about smoking to be accessed from a public school, an obvious example
… I have worked with advertisers who have set things up
… for people who said stuff, if you have more details, please add it as issue or PR on the draft
… if you need help, I can aid anyone in building out a PR for their use case for that document so that we capture everything here
Wendy: Thanks, Aram for that offer
… and feel free to bring back updates to the group
<npd> have to run to a conflicting call, but thanks all
A review of the state of First Party Sets and request for
Brian: just occurred to me since IP is used to translate into lots of data structures
… could be good to have all the things one can derive from an IP address such as country code, block, zip code, etc.
Wendy: let's see if we can get those into the discussion
… thank for joining us
… and Michael for calling that out
… Aram asked that we look at first-part sets
… and what we should think about on where proposal is right now
… and what sorts of participants are interested in using that
… Aram, I invite you to introduce the questions
Aram: Glad to see question answered, interested in what use cases think they satisfy
<AramZS> https://
Aram: Nick sent a good email sent a good email summarizing
… noting two of major issues and where the discussions are happening
… so people can check as well
… I am always trying to understand these proposals
… I feel like I am missing something
… Like to hear from the BG
… what questions they have, what their understanding is
… people here, what are you thinking regarding first-party sets as it continues to move forward
… I am explicitly inviting as many people to speak to it and how they use it for busdev
… so we can understand it better
Wendy: so users or potential users of first party sets, use cases
… Brian, on this topic?
Kris: I am not exactly new
… Salesforce is interested in first-party sets
<wseltzer> FPS intro
Kris: we have a lot of domains under Salesforce
… we want to see how it works for us with a number of domains
… ideally we would like
… what we are looking at
… Salesforce is a SAS provider
… we collect data on behalf of first-party
… we are a service for the site owner
… they can purchase multiple services from us
… we are most interested to adapt our third-party cookie usage to provide a first-party set
… if site personalization and anlytics
… or a layover about those services, or
<AramZS> This is a really useful thread with more detail about Kris's use case for folks who want to read in detail on this - https://
Kris: if our domains within Salesforce, and are domains owned by SF
… and other domain
… we are interested in regarding third-party sets
… ID Federations
<wseltzer> Nick's email, Re: First-Party sets and user benefits
Kris: FedCM is federated login
… looking at single signon
… when client has bought services and they login to use those services
… we want to give them a single user interface to log in
… so we are looking at first-party sets to provide that functionality
… we are looking at a couple things when Chrome stops supporting third-party cookies
… we would prefer first-party sets
… other things like CNAME are being discussed
… we don't like as much; it's more overhead and doesn't give consumers clarity on whom they are interacting with
Don: the thing that's been really appealing to
… me at CafeMedia so far about first-party sets
… is the existence of the independent enforcement and site reputation
… look at industry standards trying to show some kind of user engagement or reputation or honest practices of a site
… with IEE in picture
… evaluating first-party sets and rules
… seems like higher reputation sites can stand out
… such as value-added publishing
… where is that IEE going to come from; how will IEE be supported; what is state of selecting what org is responsible for selecting that
… thank you
Wendy: thanks
… if someone wants to queue for status updates, please do
Chris, BBC: our web site
… we have a dot .co.uk and a dot com for rest of world
… we send traffic to world depending upon where you are
… I mention...we want to offer a personalized user experience
… person can sign on using either domain
… if you go to .co.uk, will redirect to the .co.com
… we want to recognize the same user whether they visit the .co.uk or the .co.com site
… treating as same domains as part of first party would be convenient for us
… given our current setup
Aram: I think there were two interesting cases that came up
… this is what I wanted to dig into
… Don, it seems you are most interested in the reputational feedback, associated with first party sets, might create
… might be done for security boundaries, greater privacy, other things that require same type of entity
… for Don, first-party sets...is it what you can accomplish?
… and for Chris, wondering why need different domains in an abstract
… is there an advantage to doing so and why
… beyond personalization which could be accomplished....a domain
Don: sure
… if someone was willing to build for web an independent enforcement entity
… for world being contemplated for first-party sets
… it would enable higher reputation sites to stand out in the ad marketing
… we would be happy to have that IEE there
… currently the proposal with the IEE attached to is first-party sets
… if we want the whole
… package choice
… I would say yes, the IEE is a positive
… for the web
… and I'm looking forward to having one out there and working with one
Aram: Thanks
<Zakim> cpn, you wanted to reply to aram
Aram: I'd love to hear from Chris
ChrisN: so why are things the way they are?
… part of it is historical, developing our site over the last 20-odd years
… the way things work currently
… another reason is to some extent it's part of our online identity
… if you are on our .co.uk site, then you know it's the BBC experience
… where the bbc.com is the rest of the world
… if in the UK, we don't show you advertising, so a different user expectation that is there
… whether this could be handled differently
… there would be a huge cost
… one of arguments, is to consolidate onto a single domain
… the amount of content we have under both those domains is a huge lift to reconfigure
… I think there is...the key thing
… is that aspect being part of our identity
… and the decision to change that would need to be taken at the highest levels in the organization; it's quite impactful for us
Wendy: Thanks, Chris
Kris: there is definitely security concerns on side, as to why we have different domains doing different things, and to limit what people can access
… fairly rare, but Salesforce is a large company that acquires other companies, and startups working under their own domains
… if we merge their domains, it pushes out ability to do acquisitions and switch clients into new environments
… it's considered fast if we do in a year
… we have 400 domains
… looking at a five-year plan to do that kind of consolitation
… it's a huge step if we cannot consolidate domains
… or have it understood that they are all under a Salesforce umbrella
Aram: I'm curious for people looking at the cost of consolidation, including Chris from BBC
… from publisher perspective, to extent that these costs are around changes to third-party cookies
… certain cookies give us money; make many domain systems accessible
… some of them would no longer be available under first-party sets; or would only be available under Chrome
… wonder how this impacts the monetary decision-making
… when cost is compared across inability to access particular cookies, does it make more sense to do so?
DonM: short-term use case of ad impressions
… of ad coming in
… ad inventory crunch
… where some of lower engagemet, less human inventory out there
… is not going to be as viable in the ad market because it doesn't have a user ID attached to it
… definitely a supply and demand issue
… work in favor of the higher reputation publishers that sell ad impressions based on own context and data
… challenge for publishers is to make sure you are on the high reputation, ad value side of that line
… everything you can do/say to users, 'we have data stewardship practices in line with what you expect'
… and share agents on behalf of users
… and share data practices, that's a win
… details of how IEE does it's work are going to be really important here
<AramZS> dmarti: so do you think that even wit FPS you might end up compressing domains?
DonM: Looking forward to understanding more about the resourcing and selection of that IE
Wendy: Wanted to give Kaustubha a chance to speak
Kaustubha: invite this group to give feedback on User Agent policy
… thank you, Don, for introducing concept of the IE
<wseltzer> https://
Kaustubha: we thought a web site could search...same or same party
… idea is not new...was introduced with DNT, a W3C Rec
… an array of domains...self attestation
… we heard in Privacy community that a s@ could be prone to abuse
… like to keep it as light weight as possible
… organ makes that attestation, opens them up to regulatory view
… transparency log maintained by IEE
… user or external entity could flag a set...that this doesn't conform to the policy
… we have to build in process for the revocation
… where sets can be resolved
… perhaps there needs to be a notice period
… we are getting questions about the policy
… you run these web sites and have perspectives on which are feasible or not
<wseltzer> https://
Kaustubha: just a couple days ago, question if all domains should have the same privacy policy
… interesting for me to hear that may not be always feasible
… Privacy folks feel like it's a good requirement
… please open up issues or comments on github
Wendy: just posted link for those discussion
<kaustubhag> This is the UA policy document that we'd love feedback on: https://
Brian: I wanted to speak to Aram's suggestion that people consolidate their web sites
… that can be very disruptive to historical data sets
… it's extremely painful and rarely successful
… regarding privacy policies
… could we have it be consistent across the third-party set and not across the entire privacy policy
Wendy: encourage you to raise that in an issue
Kris: responding to Aram
… other browsers not supporting it, that's true
… but doesn't change our math
… there are certain services
… people being able to chat
… we have to say, 'sorry on Safari we don't support this service, use another browser'
… depending upon the functionality, we try to point people to a browser that supports the service we are providing
… weight is so heavy to do a lot of different changes that way
… we are one of those orgs
… not prone to have the same privacy policy across all domains
<AramZS> This is very interesting to me, because I've run domain rollups before and while it is def complicated it is usually not something that has ended up prohibitive in the orgs I've worked with.
Kris: because privacy policies are very specific to the services
… if you give us your email via CRM
… is different than getting it via Tableau for example
… instead of a broad umbrella policy, does users a disservice
… if we see your email address, we might market to you
… in Tableau, we could grab an email address, and that is concerning with privacy policies being very broad
Brad: one thing I wanted to mention
… while Chrome is pursuing first-party sets, Firefox and Edge are using entities list
Tess: not be interpreted as support
Brad: One solid difference
… JSON used as an exception to the resource blocking that Edge and Firefox are doing
<AramZS> That was my understanding as well, in regard to Firefox
Brad: folks have said they aspirationally want to get rid of JSON
<AramZS> Thanks!
Wendy: That takes us to end of the hour
… thank you for several vibrant discussions
… lots of use cases of to hammer out
… and good complexity to help us understand what proposals we need
… to meet the business needs
<wseltzer> [adjourned]
Wendy: Hope that others on the call are listening and figuring out where your use cases might fit in
… and where unique needs might be called out
… please add to BG agenda discussions
… next meeting is March 15th
… thanks all