Re: ISSUE-151 Re: Change proposal: new general principle for permitted uses

Chris,

Your comments regarding a meaningless signal also apply equally to the
DAA's mechanism. Someone mentioned that it takes only 13 lines of code to
add a DNT header. Well it only takes 1 line to game the AdChoices approach
(All you have to do is know the final 'set-cookie' sequence that
constitutes the 'opt-out' for any participating member of the DAA
program.) Also it only takes one line of code to 'evaporate' the ads.
From: http://my.opera.com/community/forums/topic.dml?id=1539842 Article
Title: Blocking AdChoices on Yahoo! UK Homepage
 

div.CAN_ad, div.fpad { display: none !important; }
 

That's it. Combine that with the other 1 line of code it takes to set the
Yahoo 'opt-out' cookie on anyone's browser... and not only are you totally
'opted out'... even if any 'AdChoice' based ads slip through they will never
appear in your browser. And YES... those 'TWO lines of code' could just as
easily be 'injected' into the conversation by a ROUTER as with any
standard Browser add-on. Exactly the same way as 'Industry' says DNT
'false signals' are being done right now ( still unproven ).

There are already (free) sites out there that will automatically supply
your Browser with ALL of the required DAA member organization 'opt-out'
cookies... all in one fell swoop... automatically and WITHOUT 'user
verification'. Here is just ONE of those 'automatically opt-out of all
AdChoices' sites... Site: GoYaBi - The First One-Click Global AdChoices
Opt-Out for All Browsers ( Including Mobile Browsers ).
http://m.goyabi.com/how.php



So let's confront reality as it is, and not what we want it to be.

There is no foolproof system/design, so my advice would be to tone down
the 'semantic meaningless signal rhetoric' and move forward with what you
have. The alternative is for the Ad industry to 'put up' (show a complete
solution that solves all the problems) or accept what is already on the
table.

Rigo just tried to say that - and while I disagree with him on most
things, I have to respect him for that.




Peter




On 7/26/13 5:19 PM, "Chris Mejia" <chris.mejia@iab.net> wrote:

>Peter,
>
>There is no agreement that the default setting for DNT = 0.  In fact, I
>believe most TPWG folks have agreed that default should = unset.
>Additionally, I have not seen a browser company or other UA offer DNT = 0
>as a choice for users.  There is no agreed upon DNT specification today,
>so let's not make assumptions about what we *think* (or hope) the spec
>will be in the end-- it's been a moving target all along. Furthermore, I
>have never agreed (in the 1.5-years that I have been intimately involved
>with this TPWG) that 3rd parties should be responsible for "policing" the
>validity of the DNT settings via user agents, rogue or otherwise. I've
>pointed out all along, that false signals are the Achilles heel to DNT,
>and until that problem is solved, DNT will likely remain a (practically
>speaking) meaningless signal.
>
>I cannot speak for DAA, nor do I believe DAA as an organization made that
>proposal.  However, my read of the industry consensus proposal you cited
>below is that it represents what companies would be willing to do for DNT
>users, despite uncertainty around the validity of how DNT signals are set
>(in other words, it's what they can agree to do, working in the constraint
>that the signal is polluted-- and still significant costs are borne with
>the enablement of that proposal).  And hey, I don't think it's
>particularly productive to shoot down well intentioned efforts to save
>DNT-- to make it meaningful to users in the context of reality.
>
>All of the issues you cited around the draft DNT spec seem valid-- so why
>again should 3rd parties be responsible for sorting out a confusing and
>faulty spec and bearing the costs of testing it every time they see a new
>UA sending the signal?  Why should 3rd parties, the mom & pop websites
>they represent, and the users who will be adversely affected by rising
>costs (and diminishing content) of sorting this all out on the back end,
>be responsible for a well intentioned, but ill-conceived specification?
>
>Perhaps I wasn't clear before: I'm personally for a reasonable and
>workable DNT spec, based on individual user choice. I wouldn't have spent
>1.5-years working on this to see it go nowhere-- in fact, I only agreed to
>work on this for industry, in good faith of finding a workable solution.
>Please don't read anything else into my comments to Rigo in this thread.
>My response to him was, the solution needs to be REASONABLE, WORKABLE, and
>based on INFORMED USER CHOICE.  Of course, if we can't agree to being
>reasonable, the spec isn't workable, and it's not based on informed user
>choice, then I believe it's faulty. If that ends up being the case in the
>end, it will likely fail, but not because of me.
>
>You also must have missed the part where I encouraged W3C to test user
>agents in order to validate the setting of DNT signals.  Serious proposal.
> Why not?
>
>Regarding user granted exceptions (UGEs), my personal opinion is that they
>represent a biased mechanism that primarily benefits big name parties over
>relatively unknown smaller entities.  Users who know (and trust) the big
>known players are much more likely to grant those big players exceptions
>for their work in the 3rd party context.  But what about the relatively
>unknown 3rd party ad networks that monetize thousands of smaller web
>publishers through audience aggregation across unaffiliated sites, in an
>effort to compete with the big known players-- all in honest fashion?  If
>you don't understand the competition issue this creates, ping me offline
>and I'll be happy to go into more detail. But I don't think this is an
>equitable solution.
>
>Finally, it pains me that people believe privacy should be a "competitive
>differentiator".  It's not. Providing reasonable privacy safeguards is
>something we do for all users (today), simply because it's the right thing
>to do.  If a company is "competing on privacy," God help them-- no one
>browses the web looking for privacy solutions-- the vast majority of
>people browsing the web are looking for quality content on the Web--
>content is how publishers compete.  Despite this market reality, we
>provide reasonable and effective privacy protections, again, because it's
>just the right thing to do for our users-- and because we are good
>corporate citizens.  We also provide reasonable security and fraud
>protection to users, not because we "compete" on these tenets, but
>because it's the right thing to do.  If you think I'm wrong about user
>desires, go look for the words "V-chip" on television set ads today.  And
>don't get me wrong, privacy is important, very important-- and that's why
>I want a good DNT spec.
>
>Chris
>
>
>
>
>On 7/26/13 3:11 PM, "Peter Cranstone" <peter.cranstone@3pmobile.com>
>wrote:
>
>>Chris,
>>
>>You may be jumping the gun just a touch here. The default setting for DNT
>>is '0'. The implication is that if it is turned on that a user must have
>>done it, and that's what you have to go with until you can get an
>>exception. You've had that in front of you for over 2 years now. It's
>>hardly the time to say that we didn't understand it - when it's the core
>>design you've all been discussing for so long. Sure there are hacks - but
>>for 95% of the population they wouldn't know how to pull those off.
>>
>>Secondly as I watch the DAA come up with their approach to
>>http://news.cnet.com/8301-1023_3-57595191-93/do-not-track-opt-out-icon-coming-to-mobile-browsers/
>>I have to shake my head. Exactly how does the DAA
>>expect to validate in 100% of the cases that the user clicked on the
>>icon?
>>I actually tried it on my desktop browser. First of all I had to enable
>>3rd party cookies and then it found 155 people tracking me which after I
>>opted out resulted in a technical failure where it could not update the
>>database. Result was consumer frustration and a distinct lack of trust
>>with advertisers. Secondly they expect to release a mobile version next
>>year. Great - exactly how do they expect to plug in to a mobile browser
>>when no one else can. Secondly, if I set the app to send a DNT signal how
>>will you know if I did it or I installed an app in front of the outgoing
>>request to add a DNT signal.
>>
>>Rarely do I find myself agreeing with Rigo - but in this case I do. The
>>only approach that is workable is a standard, otherwise there will be a
>>fragmented marketplace with confusion and lack of trust. DNT is not going
>>back in the box. It's shipped and with today's announcement by Pinterest
>>http://bits.blogs.nytimes.com/2013/07/26/pinterest-allows-users-to-opt-out-of-being-tracked/
>>the content providers are climbing on board.
>>
>>Privacy is going to be a competitive differentiator going forward and
>>everyone is now supporting DNT as a very simple Opt-Out mechanism. The
>>UGE
>>is critical as it will allow users to build a more trusted relationship
>>with content providers based on access to their data. Currently there are
>>probably half a billion browsers that support DNT and just Mozilla users
>>send over 4 trillion signals a month (currently not being heard).
>>
>>I'd say it's a foregone conclusion that DNT is here to stay. Because as
>>Aleecia says - you're not going to like the alternative which in itself
>>will also require a technology solution. Right now the DAA's approach
>>only
>>has 2 million users and is basically still in alpha. It will be tough to
>>gain much momentum when all the browser OEMs are already supporting a
>>competing approach.
>>
>>But you never know.
>>
>>
>>
>>
>>Peter
>>
>>
>>
>>On 7/26/13 3:40 PM, "Chris Mejia" <chris.mejia@iab.net> wrote:
>>
>>>Rigo, you stated: "If W3C would stop having a process and discussions
>>>about a process and either throw out the industry, the consumer or the
>>>privacy experts, respectively, we could advance within weeks."
>>>
>>>I hope you are not suggesting that the way to reach consensus is to
>>>simply
>>>kick out your paying members and invited experts, then do the work on
>>>your
>>>own?  That doesn't sound right to me...  Working group members, in both
>>>camps, have brought valid concerns around process and are seeking
>>>clarity
>>>and accountability from the co-chairs and staff-- I don't think it's
>>>constructive to effectively respond with "put up or shut up" (I'm
>>>paraphrasing, of course, but that's what I took from your reply to
>>>Shane).
>>>
>>>Shane wrote: "DNT can be set easily by any technology with access to the
>>>page request header outside of user control" and you responded "...your
>>>assertion is just wrong."
>>>
>>>Shane is actually right, the DNT header CAN be easily set by any tech
>>>with
>>>access to the page request header, outside of user control (e.g. private
>>>or corporate routers can do this) -- it IS a valid technical concern
>>>that
>>>we currently have no way to validate how DNT was set-- whether it was an
>>>informed user choice or not.  Check it out with any tech expert, Shane
>>>is
>>>right.  Until this is solved, it's virtually impossible to distinguish
>>>true signals through the noise of bad signals, and that's a problem for
>>>DNT.
>>>
>>>Shane wrote: "we'll likely have a high percentage of DNT=1 traffic on
>>>the
>>>internet" and you responded "Does that mean you fear that the opt-out
>>>system could actually work?"
>>>
>>>Please define "could actually work".  If you mean high DNT rates =
>>>works,
>>>then your prejudice is clear.  In this case, I guess you'd argue that
>>>low
>>>DNT rates = broken.  What if only individual human users could enable
>>>DNT
>>>based on sound education regarding its enablement, and they decided not
>>>to.  Would that define a broken state/mechanism to you, simply because
>>>people chose not to send DNT?  Or would you say those are broken users?
>>>I
>>>for one advocate for USER EDUCATION and INDIVIDUAL USER CHOICE-- don't
>>>you?  Btw, per the rest of your argument, there is absolutely nothing
>>>today stopping German publishers from "opting-back-in" users who employ
>>>ad
>>>blockers; likewise, there is absolutely nothing preventing the same
>>>publishers from only serving their content to those users who do not use
>>>ad blockers.  DNT doesn't solve this problem, so let's not conflate
>>>issues.
>>>
>>>You wrote "the issue is the unrest in the marketplace."
>>>
>>>I don't see any evidence of widespread "unrest" in the marketplace;
>>>quite
>>>the contrary, as evidenced by growing web statistics.  Take online
>>>purchasing as an indicator of market health; the year over year growth
>>>of
>>>online purchasing is staggering-- I don't believe anyone will argue
>>>otherwise.  So, if there were so much "unrest" in the online marketplace
>>>as you propose, would you expect that consumers would still choose to
>>>make
>>>their purchases more and more online?  I wouldn't-- it's not logical.
>>>Our
>>>industry has invested heavily in brokering trust with our users and this
>>>is clearly evidenced in the numbers-- we don't need DNT to "fix"
>>>anything-- broadly speaking, user trust already exists despite your best
>>>efforts to convince the marketplace otherwise.  Now of course there are
>>>some individuals (a relatively small number, comparatively speaking)
>>>that
>>>don't trust.  Our industry, and browsers alike, have gladly provided
>>>those
>>>INDIVIDUAL USERS the mechanism to opt out-- no problem, we respect an
>>>INDIVIDUAL's right to CHOOSE.
>>>
>>>Shane wrote "This means sites will need to ask users if they set the DNT
>>>signal and/or ask for a UGE for a large majority of visitors" and you
>>>responded "You don't. You just test the user agent... And you need a
>>>lawyer to tell you what to do? Come on!"
>>>
>>>You may be on to something here Rigo.  If the W3C TPWG can not come up
>>>with a real technical solution to this problem (something that works in
>>>real-time, on a 100% of server calls), I propose that the W3C take on
>>>the
>>>infrastructure and costs associated with providing a "DNT user agent
>>>vetting registry service".  The TPWG can set requirements for user
>>>agents,
>>>then YOU (W3C) test the user agents, posting the results to a globally
>>>accessible registry.  Companies can then poll this registry (daily) for
>>>updates, and will only honor DNT when it's been determined that a user
>>>agent has met the required criteria for setting DNT: an informed user
>>>choice.  User agents that want to send DNT should apply for
>>>certification
>>>from the W3C, and if they meet the requirements, be added to the
>>>registry.
>>> In providing this service, you should agree to an industry & consumer
>>>advocate oversight committee to monitor your work, as well as regular
>>>independent 3rd party audit/accreditation of your service (may I suggest
>>>MRC-- they are good at this).  Easy, right?  And you need a technologist
>>>to tell you what to do? Come on :)
>>>
>>>Shane wrote "This is an "opt-in" paradigm - which we agreed in the
>>>beginning was inappropriate (DNT=<null>, user makes an explicit choice)"
>>>and you responded "Who is responsible for DNT:1 spitting routers? W3C?"
>>>
>>>Yes, W3C is responsible, it's your spec.  See "DNT user agent vetting
>>>registry service" (above) for next steps on cleaning up the marketplace
>>>mess that's been created.
>>>
>>>You wrote "If you can't distinguish between a browser and a router, I
>>>wonder about the quality of all that tracking anyway."
>>>
>>>Rigo, this is why you are a lawyer, and not a technologist. Technically
>>>speaking, we are not talking about distinguishing between browsers and
>>>routers, we are talking about distinguishing between validly set DNT
>>>signals and ones that aren't.  You'd need to understand how HTTP header
>>>injection works to fully appreciate the technical problem. The best
>>>technologists on both sides of this debate have not been able to
>>>reconcile
>>>this issue. Neither have the lawyers.
>>>
>>>You wrote "I do not believe, given the dynamics of the Web and the
>>>Internet, that we can predict the percentage of DNT headers for the next
>>>3
>>>years; let alone the percentage of valid DNT headers."
>>>
>>>True, no one has working crystal ball technology that I'm aware of, but
>>>we
>>>do know that despite there being no agreed upon specification in the
>>>marketplace, user agents are sending DNT header signals today.  No
>>>matter
>>>how many signals are sent, if you want DNT signals to be meaningful to
>>>users, industry adoption is key.  Please stop asserting that our
>>>technical
>>>and business concerns are trivial or ill informed-- they are not.  Most
>>>of
>>>your replies below are not helping us get closer to a workable DNT
>>>solution-- you are only further exacerbating our concerns.
>>>
>>>Chris 
>>>
>>>
>>>
>>>
>>>On 7/25/13 12:40 AM, "Rigo Wenning" <rigo@w3.org> wrote:
>>>
>>>>On Thursday 25 July 2013 04:39:35 Shane Wiley wrote:
>>>>> Rigo,
>>>>> 
>>>>> I feel like we're talking past one another.
>>>>
>>>>We are not. The DAA tells the world that "the World Wide Consortium
>>>>sputters and spits trying to negotiate a Do Not Track standard to
>>>>protect consumer privacy online, the digital advertising business is
>>>>forging ahead with expanding its self-regulation program to mobile
>>>>devices."
>>>>http://www.adweek.com/news/technology/ad-industry-expands-privacy-self-regulation-mobile-151386
>>>>
>>>>This is unfair. If W3C would stop having a process and discussions
>>>>about
>>>>a process and either throw out the industry, the consumer or the
>>>>privacy
>>>>experts, respectively, we could advance within weeks. No more sputters
>>>>and spits. 
>>>>
>>>>> 
>>>>> 1.  DNT can be set easily by any technology with access to the page
>>>>> request header outside of user control
>>>>
>>>>The French call that "dialogue de sourds", the dialog of the deaf. If
>>>>you can test the presence of an UGE mechanism, your assertion is just
>>>>wrong. Repeating it doesn't make it become true.
>>>>
>>>>> 2.  This means we'll likely
>>>>> have a high percentage of DNT=1 traffic on the internet (some say as
>>>>> high as 80%) 
>>>>
>>>>Does that mean you fear that the opt-out system could actually work?
>>>>And
>>>>that you are deeply concerned that users could opt-back in? If we
>>>>stall,
>>>>you can time-travel into the next 5 years and talk to the people from
>>>>German IT-publisher Heise: They lost large parts of their revenue due
>>>>to
>>>>blocking tools. It will be 80% of blocking tools instead of
>>>>DNT-Headers.
>>>>They would LOVE to have a way to opt their audience back in. IMHO, if
>>>>the industry ignores the golden bridge of DNT, they will have to cross
>>>>the rocky valley a few years later. As I said, the issue is the unrest
>>>>in the marketplace, that people will buy whatever promises them more
>>>>privacy, even a DNT-spitting router. To your point: you may see 80% of
>>>>DNT:1 headers, but how many of them will be valid according to the W3C
>>>>Specifications?
>>>>
>>>>> 3.  This means sites will need to ask users if they set
>>>>> the DNT signal and/or ask for a UGE for a large majority of visitors
>>>>
>>>>As I explained: You don't. You just test the user agent. We both know
>>>>that DNT has two technological enemies: 1/ Cookies + implied consent
>>>>and
>>>>2/ DNT:1 spitting routers and dumb extensions. Now the united internet
>>>>expertise in this group can't distinguish between those and a valid
>>>>browser? And you need a lawyer to tell you what to do? Come on!
>>>>
>>>>> 4.  This is an "opt-in" paradigm - which we agreed in the beginning
>>>>> was inappropriate (DNT=<null>, user makes an explicit choice)
>>>>
>>>>Who is responsible for DNT:1 spitting routers? W3C? Is this conformant
>>>>to the current state of our specifications? Nobody in this group wants
>>>>DNT:1 spitting routers. That's why we have ISSUE-151.
>>>>> 
>>>>> To adopt DNT under the Swire/W3C Staff Proposal (aka June Draft),
>>>>> industry would be agreeing to shift to an opt-in model vs. agreeing
>>>>> to support a more hardened opt-out choice for users that is stored in
>>>>> the web browser safely away from cookie clearing activities (which
>>>>> remove opt-out cookies today unless the user has installed an opt-out
>>>>> preservation tool).  This is a significant shift and will not likely
>>>>> be supported by industry.  Hence the reason we're pushing back so
>>>>> hard on the current situation.
>>>>
>>>>Your assertion of an opt-in model is a myth and a perceived danger, not
>>>>a real shift in the Specification. The routers are shifting, not the
>>>>Specification. This is just the first sign of market unrest. If you
>>>>can't distinguish between a browser and a router, I wonder about the
>>>>quality of all that tracking anyway. Are we discussing giant dumps of
>>>>rubbish quality data? If so, consumers and privacy experts may relax a
>>>>bit. For the moment, they assume that you can do profiles and things
>>>>and
>>>>distinguish between users and their devices etc.
>>>>> 
>>>>> I believe I'm being as fair, open, and honest about the core issue.
>>>>
>>>>And I do not question that. We even agree that there is an issue. And
>>>>we
>>>>have a number for that issue. I tell you that your conclusions and
>>>>suggestions will lead to a totally nullified DNT, not worth our time.
>>>>And I encourage you to consider a reasonable solution to the problem,
>>>>not a short-circuiting of the system with an industry-opt-out behind.
>>>>
>>>>> Hopefully we can work together to look for solutions to this
>>>>> unfortunate outcome (unfortunate for industry as I can imagine some
>>>>> on the advocate side would be very happy with an opt-in world).
>>>>
>>>>Again, opt-in/out is a myth. DNT installs a control, a switch. This is
>>>>much more than opt-in/out. BTW, I do not believe, given the dynamics of
>>>>the Web and the Internet, that we can predict the percentage of DNT
>>>>headers for the next 3 years; let alone the percentage of valid DNT
>>>>headers. 
>>>>
>>>>Finally, the only ways a company can be forced to honor a DNT:1 header
>>>>is: 
>>>>1/ By our feedback making a promise it does
>>>>2/ By a self-regulation like DAA or Truste or Europrise
>>>>3/ By law
>>>>
>>>>I would be totally surprised by a law that would force you to accept
>>>>"any" DNT:1 header.
>>>>
>>>>So let's work on distinguishing the good from the bad headers. We had
>>>>very good discussions in Sunnyvale with the browser makers. They are
>>>>also interested in a solution. There must be a way.
>>>>
>>>> --Rigo
>>>>
>>>>
>>>
>>>
>>
>

Received on Saturday, 27 July 2013 15:44:02 UTC