Advertising to Interest Groups without tracking

Is there anything cleverer, or any reason to look for such?

Moving both sounds fine to me.

Hi,

SPARROW contributor here.

We’re happy to move forward with WICG as long as the criteria for reaching consensus are explicitly shared and acknowledged by all parties, and reflect the interests of the open web ecosystem and its users.

Curious meta question: is Brave involved with this? I feel they would definitely at least be interested, as this is basically their entire business model.

Brave’s Pete Snyder expressed interest during this past week’s meeting of the W3C Privacy Community Group, noting the similarity to some of their work (minutes). Also I’ve had some conversations with ex-Braver Tom Lowenthal about variations of the idea here.

But they haven’t had direct involvement with this particular proposal; Brave is not active in the Web Advertising Business Group, which this grew out of.

@ablanchard1138 The W3C’s process around consensus and dissent is described here: https://www.w3.org/2019/Process-20190301/#Consensus.

The WICG charter says a little more on the subject, here: https://wicg.github.io/admin/charter.html#decision. The charter goes so far as to consider producing two different proposals, if substantial disagreement remains. But since we’re coming in with two different ideas which we hope to unify, that’s obviously not the goal!

We’re happy to have SPARROW moved to the WICG, get feedback from and have discussions with the community.

Lionel for Criteo

@cwilso Thank you for your advice. Other W3C observers and commentators and I opted for email to raise the more general issues of governance and trust choices.

Since I first commented, the CMA has issued its final report, which contemplates a common user ID as a remedy to competition issues in the digital advertising marketplace. If the W3C were to embrace this recommendation, then this proposal and all associated work would not be required; the focus would likely shift to transparency and control proposals.

If a better method of filtering proposals at the conceptual stage existed, W3C members and stakeholders would collectively save a lot of time and effort.

At RTB House we find that both proposals address the needs of eCommerce advertising investment, which supports a recognizable fraction of the web.

We would like to introduce a product-level extension to both proposals, backed by a high-level estimate of the impact on CTR. A detailed description of “Product-level TURTLEDOVE” can be found in this repository: https://github.com/jonasz/product_level_turtledove

We invite all feedback, and we’re looking forward to further discussion!

We are also happy to hear what the practice is for extending current proposals in the WICG.

While I agree that the W3C should pay attention to the CMA report, because anticompetitive issues have a history of harming the open Web, we should be cautious not to mix up remedies, and we should consider who each component of the ecosystem works for.

The CMA’s report includes common user identifiers as a remedy to anticompetitive practices in electronic ad markets that trade in personal data. From that angle, their recommendation is very sensible. The manner in which electronic ad markets are currently operated by large players would be considered illegal in other electronic markets (notably finance) and I believe there is a very good case to be made that it should be illegal here. To the extent that information enters an electronic ad market, no party should be allowed to self-preference or use it for insider trading.

However, that is the perspective of competition and market policy. The question it answers is: “when information is traded, how should that trade be structured?” What it does not address is the privacy side of the equation, and it does not purport to speak for users. Put differently, it does not address the question of whether a market in personal data should exist at all.

Users are, quite overwhelmingly, clear on what their preference is here. Just citing Eurobarometer, 89% of users expect their browser not to share data with third parties. It is the browser’s job — literally, it’s pretty much its one and only legitimate job — to be the user’s agent. That’s why it’s called a user agent: it could be argued that it has a fiduciary duty of agency with respect to the user. Web standards are equally held to this by the Priority of Constituencies, which puts users first.

A default that supports third-party tracking is a user-hostile default. A browser that enables third-party tracking by default (or that uses telemetry for purposes other than its own betterment or the Web’s) is a browser that is failing in its fiduciary duties.

To return to the CMA report: when there is a market it has to be fair, but that does not mean that a market should exist. To make a comparison: to the extent that there is a market in organs, it should be structured to prevent a single player from using insider information to tilt it in its favour; but that doesn’t mean the market should exist in the first place. By the same token, if the electronic ad markets switch to trading contextual signals, it would be unfair for one player to use the advantage of a proprietary aggregation format or browser telemetry to tilt that market.

In your AB letter you claim that users should be allowed to choose to be tracked across their digital lives. I personally doubt that they would be interested, but that’s just one person’s doubts. If that statement is true, then there is a way to prove it: why don’t you develop a browser extension that users can install voluntarily, that exposes an identifier to the page, that has terms making it clear that sites cannot force users to use it (otherwise it wouldn’t be consent), and release that to extension stores? Technically, it is not a very complex undertaking. If it sees substantial uptake, it would prove your point the way no appeal to argument could.
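The extension suggested above really is a small undertaking. As a rough sketch (all names here are hypothetical and illustrative, not a real product), an installable WebExtension could generate one pseudonymous identifier per browser profile and expose it only to pages that explicitly listen for it:

```typescript
// Hypothetical sketch of the opt-in identifier extension (illustrative only).
// Users install this voluntarily; sites must not be able to require it.

// Generate a stable pseudonymous identifier once per install:
// 128 bits of randomness rendered as 32 hex characters.
function makeAdId(random: () => number = Math.random): string {
  let id = "";
  for (let i = 0; i < 32; i++) {
    id += Math.floor(random() * 16).toString(16);
  }
  return id;
}

// In the extension's content script one might then do (WebExtension APIs):
//   const { adId = makeAdId() } = await browser.storage.local.get("adId");
//   await browser.storage.local.set({ adId });
//   window.postMessage({ type: "voluntary-ad-id", adId }, "*");
// so that only pages which opt in to listening ever receive the value.
```

The terms-of-service requirement — that sites cannot coerce installation — remains a policy question; the code itself is trivial, which is rather the point.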

@robin Thank you for the good feedback, specifically on the important question of whether a market is needed.

I understand from an article published in May 2020 that the New York Times (NYT) believes a market in audience segments informed by personal data and identity should exist.

Your colleague Allison Murphy, Senior Vice President of Ad Innovation, is quoted in the article.

“This can only work because we have 6 million subscribers and millions more registered users that we can identify and because we have a breadth of content.”

This quote acknowledges that entering such a market requires a large volume of subscribers and registered users. The article suggests a strategy that is independent of TURTLEDOVE and other similar cohort-based proposals. As such, the NYT’s future profits and viability are not dependent on the outcome of the proposals that centralize interest-based marketing in the browser.

Smaller publishers will need to “band together” via the use of suppliers (aka “third parties”) to achieve the significant scale needed to compete in this market. If there were no value to a publisher, large or small, in such a market, then why would the NYT publicly endorse it?

I hope you would agree that if small publishers and new entrants are excluded from such a market, they will be disadvantaged. The likely outcome is that the variety of information and services available to people will diminish, and access to media will become ever more restricted. This is a key observation of the CMA report, which impacts people and society.

The W3C’s purpose specifically prohibits the creation of standards that would lead to such an outcome. The W3C’s governance model needs to be modified to address this problem, and the first step is for everyone to agree there is a problem. It is with this in mind that the AB letter was sent.

@robin In relation to people’s trust choices and the role of the user’s agent.

The legal framework I’m most familiar with in relation to privacy is GDPR. GDPR does not seek to prohibit choice. A browser vendor that builds a user’s agent must ensure their product and service complies with the law.

Microsoft, among many others, supports such choices in its products. The following is an example of the user interface available to all Microsoft subscribers.

Any change or new feature that impacts so many stakeholders is a policy decision for the proposer’s company and as such should be subject to a great deal of scrutiny.

Fortunately, the impacts of these proposals can be evaluated prior to implementation. A number of other stakeholders and I have produced a set of success criteria and a self-questionnaire, in the same format as other W3C documents, to support such a review process.

When a dominant market player progresses a proposal to implementation and trial without acknowledging the impact on stakeholders and identifying appropriate mitigations, they are asking many other companies to invest significant amounts of time, which many smaller companies cannot afford.

Unilateral decision making also sends a signal to the market that such a dominant market player has a preference for their own solution and that other proposals are unlikely to receive consideration. This is a problem for the consensus structure of web standards governed by the W3C and should be acknowledged.

These are all examples of the issues I’m seeking to raise explicit visibility of, so we can collectively ensure changes are improving “one web” for everyone, rather than fragmenting it or moving its control into the hands of fewer organizations.

Hi @jwrosewell,

just answering on a few relatively disparate points:

There is an important difference between trading in personal data and trading in data derived from personal data. There are a few companies out there working on enabling this for small publishers in the same way that larger publishers can build for themselves. If I worked in adtech (and given everything exciting that’s happening these days, it’s certainly an interesting industry!) I think I would focus on that kind of innovation instead of trying to prolong the status quo of mostly doing the same thing as Google but at smaller scale.

This is not a big vs small publisher issue — publishers of all sizes are dying under the current régime; only a few are keeping their heads above water. Change is needed. Thanks to the current evolution of the data economy, we are finally seeing innovation in adtech that is bringing it out of the old unsafe, ungoverned, anything-goes model under which publishers lost control over their core advertising asset — access to their audience. I’m very excited about some of the options I’ve seen being developed by small innovative startups.

I am also familiar with the GDPR. One important part of the GDPR is Article 25: Data protection by design and by default. This does not preclude choice and neither are browsers currently preventing choice. They are simply going with the privacy by design and by default that aligns with their users’ expectations. Note that when the browser vendor makes the decision to process data in a manner that is not essential to support the user’s request and that makes it so that the browser is determining the means and purpose, it is arguably a data controller.

The open programmatic ecosystem carries well-known data protection risks since it essentially broadcasts data to a large number of participants with no purpose limitation. I have no objection if users choose to enter their personal data in such a market, but they should do so in full deliberation. This means that the manner in which they decide to participate should be commensurate and well balanced with the risks to their data protection. Things like the TCF and CMP dialogs fall very short of the mark there. But as I suggested above, nothing prevents a company or a group of companies from implementing an extension that users could choose to install in order to return to being tracked across their entire digital lives if that’s what they want. That would make it possible to provide greater notice, and would give a clear way for them to exercise their rights — something which the previous ecosystem failed at.

I don’t disagree that some browser vendors can be unilateral and inconsiderate of others in the ecosystem (you know who you are folks ;). However, what browsers are doing with cookies is in line with existing standards and has been for a very long time. For instance, if we look back to RFC 2965 §3.3.6, from October 2000, it states very clearly:

   When it makes an unverifiable transaction, a user agent MUST disable
   all cookie processing (i.e., MUST NOT send cookies, and MUST NOT
   accept any received cookies) if the transaction is to a third-party
   host.

   This restriction prevents a malicious service author from using
   unverifiable transactions to induce a user agent to start or continue
   a session with a server in a different domain.  The starting or
   continuation of such sessions could be contrary to the privacy
   expectations of the user, and could also be a security problem.

   User agents MAY offer configurable options that allow the user agent,
   or any autonomous programs that the user agent executes, to ignore
   the above rule, so long as these override options default to "off".

Browser vendors made the unilateral decision, against the standards community, to support third-party tracking by default back then. This decision put all publishers at a disadvantage compared to intermediaries and was a direct contributor to today’s crisis.

If you prefer to look at the more recent RFC 6265 §7.1, it had to accept the reality of third-party tracking but still stated:

   Particularly worrisome are so-called "third-party" cookies.  In
   rendering an HTML document, a user agent often requests resources
   from other servers (such as advertising networks).  These third-party
   servers can use cookies to track the user even if the user never
   visits the server directly.  For example, if a user visits a site
   that contains content from a third party and then later visits
   another site that contains content from the same third party, the
   third party can track the user between the two sites.

   Some user agents restrict how third-party cookies behave.  For
   example, some of these user agents refuse to send the Cookie header
   in third-party requests.  Others refuse to process the Set-Cookie
   header in responses to third-party requests.  User agents vary widely
   in their third-party cookie policies.  This document grants user
   agents wide latitude to experiment with third-party cookie policies
   that balance the privacy and compatibility needs of their users.
   However, this document does not endorse any particular third-party
   cookie policy.

   Third-party cookie blocking policies are often ineffective at
   achieving their privacy goals if servers attempt to work around their
   restrictions to track users.  In particular, two collaborating
   servers can often track users without using cookies at all by
   injecting identifying information into dynamic URLs.

As you can see, what browsers are doing today is exactly what the open standards community has been expecting them to do for twenty years. Everything from ITP to eliminating third-party cookies isn’t just what users want, it’s what the standards actually say should happen. Browsers took a unilateral detour experimenting with third-party tracking, and it contributed to the world of excessive concentration, dying publishers, and vanished online privacy that we know today.

I for one welcome them back into the fold. Innovation is much better when it is aligned with users than when it is hostile to them, and we’re already starting to see these changes bear fruit.

@robin - To summarize where we have aligned: a market for data derived from personal data should exist, and is valued by marketers, which indirectly helps improve publisher revenues. Hence your own company’s investments. Access to personal data is needed to trade in data derived from personal data, and is therefore a prerequisite to operate in that market.

I’m unaware of any companies that are proposing a solution that would enable publishers who lack the scale of the NYT to be able to enter such a market, especially if their access to the input data is eliminated. Could you point out the solutions under development which would support this?

I note your colleague quoted in the article states such solutions are impossible. See the following quote.

“While a differentiator and I’m thrilled about it, this isn’t a path available for every publishers, especially not local who don’t have the scale of resources for building from scratch,” says Allison Murphy, Senior Vice President of Ad Innovation, [New York Times].

It’s been a long time since I read those RFCs :blush:. They do highlight how well written IETF documents tend to be, including the clear document history. RFC 2965 took nearly 4 years to become a ratified technical standard. During that time browser vendors were shipping solutions that became de facto standards. Business models were created around the de facto implementations rather than the RFC standard as it was eventually ratified. Web professionals did not have time to notice the important difference, let alone modify their solutions or business models retrospectively to comply with the standard as ratified.

In seeking to alter implementations to meet the documented standard over 23 years later, a lot of disruption occurs. I observe that the NYT website makes extensive use of the de facto standard as implemented concerning cookies in unverifiable transactions. You, your colleagues and your suppliers will have to expend effort altering or removing these features, and the same will be true of every other publisher, large and small. I’m therefore unsure how the de facto implementation “put all publishers at a disadvantage”, as publishers, like the NYT, could have chosen not to utilise these techniques within their supply chain.

A governance model which prevents this disruption by operating linearly, as it does in the governance of other technologies used by more than 4,000,000,000 people, is now more important than ever. The example you provide highlights this need perfectly. This issue is at the heart of my original comment in relation to this proposal and a fantastic example of the need for the W3C to change.

I also agree with your comment that “when the browser vendor makes the decision to process data in a manner that is not essential to support the user’s request and that makes it so that the browser is determining the means and purpose, it is arguably a data controller.”

Therefore I think you’d agree it would be more convenient for people to make their choices within the web browser itself, setting defaults at install time, rather than requiring them to download a browser extension to communicate this. Such a model is well understood by people and as I highlighted with the example from Microsoft is used in comparable technologies.

The UK CMA recommends the introduction of a “common user ID” as an appropriate remedy to the dominance of market players. Such a remedy would be implemented as part of the browser.

Ultimately my original comment related to the need for proposers to justify their proposal before progressing with the engineering work to ensure that the concept is a net positive for the web. The bar to incubation needs to be far higher than two people from two organisations agreeing if we are going to address the root cause of the problem.

To help proposers and reviewers, I, along with many other contributors named and unnamed, continue to iterate on a set of success criteria for improved web advertising. It is open for review. I suspect other concerns of the W3C will need to be similarly documented in time.

@robin – I’m still working through the latest set of comments. Let me know if you would have time for a one-to-one to efficiently progress your remaining concerns. This could be co-ordinated with other reviewers.

Hi @jwrosewell,

I’d like to quickly get a few items out of the way to keep the discussion focused:

  • We are not aligned on the idea that trading on information derived from personal data requires access to personal data. The whole point of innovative systems in this domain is to enable this trade without the data being exfiltrated. Presenting this as an either-or is not correct.
  • I am barred from endorsing companies, and I wouldn’t do it in a standards forum anyway — but they’re not being shy about their offerings, I think with some digging anyone can find these innovative companies.
  • I also can’t speak for Allison but I believe that you’re reading way too much into her words so that they align with your expectations. A smaller publisher might not be able to use the exact same method we have been using for this subset of our offering. That is not saying that all targeting options are impossible, they just work differently.
  • I believe that your point that we: “could have chosen not to utilise these techniques within [our] supply chain” is an incorrect characterisation of market dynamics. Because of 3P tracking the ad market has become intermediary-dominated. Publishers are forced to participate on terms set by intermediaries. I have yet to meet a publisher who feels that this market has been built with them in mind. Publishers’ access to audiences is devalued by the removal of scarcity. I don’t think I need to rehash twenty years of publishers being ignored by the IAB and only becoming a convenient consideration when the need to lobby politicians or other standard organisations arises.
  • Indeed, when the Web improves often that requires work and change. Pushing to get HTTPS everywhere is a good example of precedent. That it is work should not prevent us from making progress. The WebKit team has been progressively refining ITP for three years. The Chrome team gave us two years to prepare for the end of third-party cookies. By the time it will have happened the writing will have been on the wall for almost five years. These are responsible time scales.

Having gone through these, I would like to focus on two issues of substance: governance, and publishers.

You mention user choice a lot, as does the letter to the AB. With that in mind, I would like to ask a simple question: of the following companies that signed the letter to the AB, which ones respect the user-chosen DNT signal?

I am not asking to score a cheap point: this is directly relevant to the issue of governance. The W3C has its warts and it’s had its rocky patches, but over the years it has demonstrated pretty solid governance. In regulator circles, I’ve often heard it touted as an example. Let us consider what has happened in adtech governance:

  • The FTC made a deal with the adtech industry that involved adtech producing self-regulation. Twenty years on, nothing whatsoever has happened.
  • The W3C tried to find a workable consensus position with adtech through DNT. I think everyone involved at the time, on any side, can attest that this did not happen in good faith on the adtech side.
  • AdChoices

So I ask with sincere respect, but nevertheless firmly: what reasons would people here have to believe that adtech companies are acting in good faith this time around, what reasons would people here have to believe that there will be strong governance for universal IDs when it didn’t happen with previous identifiers, and is it reasonable to expect any institution to take governance lessons from an industry that has systematically shunned the very idea?

Again, I am not making rhetorical points here. I have spent much of my career seeking consensus and I would love to do it again on this difficult topic. But to put things frankly: the suggestion that we should rely on adtech companies for good governance and entrust them with universal identifiers has a serious fool-me-once problem.

Now to switch to the question of publishers. You keep trying to return to the idea that somehow privacy might be good for big publishers and bad for small ones, perhaps hinting that we big publishers have it easy advocating this and aren’t thinking about the little guy.

I think there’s a very simple way to put this: if being irresponsible with personal data were in publishers’ interest, we’d be rolling in mountains of cash. The idea that if publishers were only to violate privacy a bit more, with universal IDs, then this time it would work doesn’t feel all that credible in the middle of a journalistic mass extinction.

Changes to the data economy are difficult for publishers large and small. Our trade associations are working hard to make sure as many of us as possible make it to the next year, and hopefully more. But I don’t think there’s a case to be made that what we need is more of the same. The solution might not be TURTLEDOVE, it of course has to be dissected and threat modelled, and I’m sure that @michaelkleber expects no less, but we’ve tried third-party identifiers: they don’t work.

Hi @Robin,

Before I address the specific issues of governance and publishers please consider the following observations which I make in this comment.

From the work I’ve been doing on the success criteria document, my understanding is that advertisers and the agencies they employ favour both scaled and focused engagement, as well as accurate measurement of the outcomes of their advertising. Small publishers by definition lack scale on their own. They need to be able to “band together” to achieve the equivalent scale of large publishers or dominant platforms. If the standards of interoperability needed to “band together” are replaced with solutions inferior to those available to the dominant platforms and large publishers, this will be impossible to achieve. This is how I interpret Allison’s quote.

As an example, a dominant platform operating essential services might require acceptance of terms of service which default to tracking activity. People will have to accept those terms of service to use these essential services. It may also be possible for such a dominant market player to request this consent once and avoid asking for consent again.

A smaller player that needs to work with technologies provided by others to offer similar content or services in a similar frictionless manner as the dominant market player may be forced to request a more personal form of identifier, such as an email address. Not only is this process more clunky, but this seems the antithesis of actually improving people’s digital privacy.

The foreseeable outcomes are far fewer publishers and less quality content, as marketers will understandably pay less to publishers who provide them with inferior control and measurement, compared with the dominant platforms which do. Indeed, it is also likely that even the large publishers who cannot provide cross-publisher control (e.g. frequency capping) will provide an inferior service to dominant platforms and will therefore earn less revenue as marketers receive comparatively less value.

I’m unaware of any technology solutions being proposed that would support a level playing field. Whilst I understand you cannot name specific companies could you provide insight into the techniques you consider viable?

When speaking to companies who operate in the space, I’m yet to find one with a solution that will achieve the frictionless experience offered by dominant market players that also provide essential services. The CMA’s final report recognises this imbalance and the harms caused to society and people if competition is reduced and the freedom of non-vertically integrated publishers to operate is diminished. Remedies might include the introduction of a common user identifier or restricting the operations of dominant market players. Rapid consultation is needed to determine which of these will be pursued. As the most significant technical standards body for the web, the W3C must recognise its role in the problem and the eventual solution.

For there to be a market in data derived from personal data some form of user identifier will be needed. The question is therefore not whether to remove user identifiers, but how people consent to using these identifiers, how they are informed about usage, how bad actors are identified and sanctioned. Very little work is happening around these important areas. Until this “tussle” is settled, progressing specific solutions that have such negative outcomes for the open web seems undesirable.

The role of intermediaries in advertising came about because both advertisers and publishers wished to make use of their services; they were therefore added to the supply chains of both. I can only assume this happened because there were benefits to both parties in operating such a market. Any market player, publisher or marketer, is free to choose which parties they work with, but only when there is competition. No one was forced into anything.

In relation to “the IAB”: there are in fact many IABs that operate independently, some at a national level, others regional, and there is also the IAB Tech Lab, which sets technical standards used within digital advertising. Perhaps they are best described as a loose federation of IABs. Some IABs are very effective, and others less so. Like the W3C, they are heavily influenced by dominant market players. The subject of IAB governance is not one for this topic, though I do believe the IABs also need to consider their role and governance model, in particular their relationship with publishers and the W3C. I have expressed this view to those I have engaged with at IABs. Perhaps another WICG topic should be associated with the engagement the W3C should have with other bodies.

In relation to third party cookies used on the NYT website. Here is a list of domains that utilise 3P cookies today when accessed from Chrome in the UK.

In addition to the above domains the following Google operated domains used by NYT also receive the X-Client-Data header when accessed via Chrome. X-Client-Data is an exclusive HTTP header only available to Google within Chrome. I understand it is used to help Google improve their services and is not available to any other participant.

Some of these domains appear to relate to advertising. Others relate to surveys and payments. The domain ownership indicates that at least three suppliers (Google, Samplicio and IterateHQ) to NYT will need to modify their services. This will have a cost to them and likely also to the NYT who will need to make modifications to support them. It is therefore important to ensure that these changes are indeed supporting the mission of the W3C before they are implemented.

WebKit and Mozilla state such impacts are examples of acceptable unintended consequences. Google may well have already done, or will shortly do, the same. Apple and Mozilla “jumped the gun” in making these changes unilaterally; Google is doing the same.

Hi @Robin,

Turning to the specific subjects of governance and publishers, and taking the questions and issues in the order you presented them.

In relation to Do Not Track (DNT), I can confirm my company supports the DNT HTTP header. I also observe that when accessing https://nytimes.com with the DNT header enabled, tracking identifiers are still written by the endpoint https://a.et.nytimes.com/track. I assume these are not used for tracking in this instance, but it would be preferable to have them removed entirely.
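For what it’s worth, honouring DNT server-side takes very little code. A minimal sketch (assumed names, not any particular company’s actual implementation) of checking the header before writing an identifier:

```typescript
// Honour the DNT request header before setting any tracking identifier.
// Illustrative sketch only; ReqHeaders, trackingAllowed and
// maybeSetTrackingCookie are hypothetical names.

type ReqHeaders = Record<string, string | undefined>;

// Per the W3C Tracking Preference Expression draft, "DNT: 1" signals
// that the user has opted out of tracking.
function trackingAllowed(headers: ReqHeaders): boolean {
  return headers["dnt"] !== "1";
}

// Returns the Set-Cookie value to emit, or null when the user opted out.
function maybeSetTrackingCookie(
  headers: ReqHeaders,
  newId: string
): string | null {
  if (!trackingAllowed(headers)) {
    return null; // DNT: 1 — write no identifier at all
  }
  return `track_id=${newId}; SameSite=Lax; Secure`;
}
```

The hard part of DNT was never the code; it was agreeing on what servers were obliged to do when they saw the signal.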

I cannot answer for the other signatories.

I also observe that DNT is another excellent example of the failure of a standards body: the technical standard was not ratified prior to implementation. I assume there would be more voices advocating its continued development if it were considered a success. However, it does demonstrate that placing consent choices within the browser user interface could be a very positive step in capturing consent preferences more generally.

My business and my background are not in the field of ad tech. My business counts publishers, advertisers and ad tech supply chain vendors among its many and varied users. I continually try to understand my users’ business models and the role we play in supporting them. I joined the W3C in April 2020 following the announcement of Privacy Sandbox because I was deeply concerned about the unintended consequences associated with some of the changes contemplated. Specifically, the alteration of de facto standards of interoperability used to provide important client device data to optimise the web, inform analysis, and improve performance. Not only does such a proposal risk breaking the web, it will also require significant work from all website owners. This effort will be even higher if proposals are not adopted universally. Given the lack of stakeholder alignment, these changes risk fragmenting the web and contravene the TAG Ethical Web Principles. Overall, I believe a handful of dominant market players controlling the de facto web standards is an existential threat to the future of the open web.

In the course of engaging with other W3C members, the CMA, and IABs, I have been educated by others from many sectors. You have provided a lot of history and perspective in these comments. Thank you. However, I also find the following extracts from other publishers interesting; they point to differences across publishers.

“Google’s decision to render third-party cookies obsolete – which involved no pre-consultation of other stakeholders or ad tech players – is a telling example of how Google can unilaterally interpret the meaning of privacy and reshape industry standards as it sees appropriate.” – News UK – Paragraph 3.11

“Google are now phasing out third-party cookies in Chrome, their dominant web browser. The move will have a massive impact on the ad tech ecosystem, since the third-party cookie is the backbone of advertising on websites. At the same time, advertising on Google’s own properties will not be affected, as it relies on first-party cookies.” – DMG Media – Page 8

“The market is changing rapidly with Apple, Mozilla and now Google making moves to ban third party cookies and web wide tracking within browser environments. We agree that these changes will largely not ‘affect Google or other companies, such as Facebook or Amazon, which can rely on users’ log-ins.’” – Guardian Media – Page 2

I do not believe the ad tech sector, or any sector, should take the lead on good governance. In this we are aligned. We are also likely aligned in other areas. It is not yet clear to me how this difficult topic should be resolved.

The majority of advertisers, publishers and ad tech participants in the development of the advertising-funded open web behaved responsibly. However, some did not, to the detriment of the web. None of the three groups sanctioned these bad actors effectively. This is a systemic failure of governance that cannot be placed at one party’s door alone.

Regulation and law have now finally caught up. So long as publishers wish to fund their businesses using advertising, and advertisers wish to reach audiences via the open web, it is in everyone’s interests to establish a robust governance model that complies with the laws that now exist to protect people, whilst also providing people choice. The outcome must be a set of standards that endure and are functional for everyone.

If an individual publisher wishes to avoid certain technical standards or suppliers, or to adopt policies that differ from those of their peers, they should be free to do so. Likewise, people must be free to choose who they trust and not have these choices dictated to them via W3C technical standards, or via de facto standards implemented by dominant market players who are also W3C members and presumably subscribe to the mission and purpose of the W3C. Western societies and people must be protected from oligopolies in any industry sector.

The UK CMA recognise this, as does the European Commission. They appear ready to act, and on historically short timeframes. As these are highly credible national and regional regulators, the W3C must be aware of their proposed remedies if technical standards are to emerge that permanently solve these problems.

As such, I neither support nor reject TURTLEDOVE. Nor do I reject or support the use of personal identifiers. A remedy I would find acceptable would be to remove directly identifiable personal identifiers from all parties, including the dominant market players and publishers like the NYT, where they relate to advertising use cases.

My original comment on this topic was, and has always been, that no work should be carried out on TURTLEDOVE, or any other proposal until the conceptual issues are addressed and a governance model established. Agreeing an evaluation process has to be the starting point. To do otherwise wastes significant amounts of time and energy at a time when none of us have this to spare. For my part I have not been idle. I have led the construction of a set of success criteria for improved web advertising, which is gaining more contributors and input each week.

The fact that we have both committed our time to the debate via these comments is evidence that disagreements need to be resolved and consensus reached, if we want an outcome that truly improves the web and web advertising. If we turn a blind eye to the foreseeable impacts of the proposals, I fear we will be wasting time, or will recreate the problems of the past which you highlighted. This fear is heightened by the lack of investigation into how to architect a better “common user ID” than the one implemented today with private IDs stored in third-party cookies. Given this “common user ID” is likely to be mandated within the EEA in the coming months, I hope we can begin discussions around how we could better balance all stakeholder interests to support the open web.

Perhaps we could progress via a conversation and then provide a joint update to this topic?

This discussion has migrated rather far from my original intent. But just to pull it back a little, I must disagree with your assertion, @jwrosewell, that

For there to be a market in data derived from personal data some form of user identifier will be needed.

This is wrong: TURTLEDOVE and SPARROW exactly show that it is possible to have a market in data derived from personal data without any user identifier.

I understood that TURTLEDOVE and SPARROW perform optimally when a first-party user identifier is available. Is this not a correct understanding of the proposals?

There are lots of proposals for different ways to build interest groups, including ways that don’t need any identifier. No identifiers are used in the simplest possible approach, as described in the original TURTLEDOVE explainer.
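To make this concrete, the original TURTLEDOVE explainer proposes a browser API along the lines below. This is a sketch only: it wraps the proposed `joinAdInterestGroup` call in a mock `navigator` object so it can run outside a browser, and the group owner, name, and reader domains are illustrative, not taken from any real deployment.

```javascript
// Minimal mock of the TURTLEDOVE interest-group API surface, for illustration.
// In a supporting browser, joinAdInterestGroup would be provided by the
// browser itself; membership is stored locally by the browser, not by any
// server, so no user identifier ever leaves the device.
const navigatorMock = {
  interestGroups: [],
  joinAdInterestGroup(group, membershipDurationSecs) {
    this.interestGroups.push({
      ...group,
      expires: Date.now() + membershipDurationSecs * 1000,
    });
  },
};

const kSecsPerDay = 86400;

// A shoe retailer (illustrative first party) adds the visiting browser to an
// interest group. The browser only remembers "this browser is in this group".
navigatorMock.joinAdInterestGroup(
  {
    owner: 'www.wereallylikeshoes.com',  // illustrative
    name: 'athletic-shoes',              // illustrative group label
    readers: ['first-ad-network.com'],   // ad networks allowed to target the group
  },
  30 * kSecsPerDay
);

console.log(navigatorMock.interestGroups.length); // 1
```

The key property is that the stored record names a group, not a person: later ad requests for the group are made by the browser on behalf of everyone in it.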

But also it seems like you just dramatically moved your goalposts, from “For there to be a market in data derived from personal data some form of user identifier will be needed” to “…perform optimally when a first party user identifier is available”. There’s a world of difference between “X is impossible” and “X is sub-optimal (for my definition of optimal)”.

Hi Michael, James,

We do agree that a first-party user identifier is not strictly needed per se, but we think that cohort creation will greatly benefit from its presence. Indeed, without a first-party user identifier, we would be limited to creating interest groups based on information from a single page, and we think this would be greatly detrimental to performance. For instance, it is extremely useful to know whether the user has already bought on the website, whatever product they are currently viewing.

It is, however, possible to reproduce this in SPARROW without first-party tracking, thanks to the meta interest groups described here, provided there is no limit on the number of interest groups. Indeed, we could create interest groups based on the current web page together with a (rounded) timestamp, and then reconstruct user journeys fully anonymously using combinations of such interest groups. This would increase overall complexity, but it would be possible.
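A minimal sketch of this idea, assuming one-hour rounding and a simple page-plus-bucket label format (both are my assumptions; SPARROW does not prescribe a granularity or format):

```javascript
// Sketch of a "meta interest group" label: page identity plus a rounded
// timestamp. Visits to the same page within the same time bucket fall into
// the same group, so sequences of such groups describe a journey without
// any per-user identifier.
const ROUND_TO_SECS = 3600; // assumed one-hour buckets

function metaInterestGroup(pageUrl, visitTimeMs) {
  const bucket =
    Math.floor(visitTimeMs / 1000 / ROUND_TO_SECS) * ROUND_TO_SECS;
  const u = new URL(pageUrl);
  return `${u.hostname}${u.pathname}@${bucket}`;
}

// Two visits ~8 minutes apart land in the same bucket, hence the same group.
const a = metaInterestGroup('https://shop.example/product/42', 1700000000000);
const b = metaInterestGroup('https://shop.example/product/42', 1700000500000);
console.log(a === b); // true
```

The trade-off noted above is visible here: the finer the rounding, the closer the reconstructed journeys get to per-user tracking, while coarser rounding loses sequence information.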

1 Like