How THEY Consent to OUR Terms
Notes-taker(s): Scott Mace
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
GDPR made it much worse.
Here are all these Web sites. All of a sudden every one of these has a thing on the bottom or top saying do you consent. In the next session Andrew will have a cool idea for addressing this.
How do we do this right?
Lots of sites obtain your consent. There are ways to obey the letter but not the spirit of GDPR. What happened instead is we’re still stuck in a world where we’re being tracked everywhere. New book, Surveillance Capitalism, another book, Reengineering Humanity.
What we’re doing at Customer Commons, for terms, what Creative Commons is doing for copyright. We have a repository where terms we can proffer as individuals can be pointed to. First is #NoStalking. It’s beta, no machine readability built into it yet. Creative Commons is human, machine and lawyer readable terms. We intend this to be a big jump beyond ad blocking. We have so far one publication ready to hear those terms, Linux Journal. The legalese has been written by the Cyber Law Clinic at Harvard Law School. Also Berkman. Rather than this entity always agree to these things, if you’re a publisher, we’re fine with your advertising, just don’t track us. Do not track with teeth.
A question last time, on the floor again, because DNT is a gargantuan fail, should we take over DNT? =1. Requesting a file. HTTP header, request they not shove cookies in there. But that’s not obeyed.
Several approaches to recording an agreement. In the last IIW, another called JLINC, server to server approach, Victor Gray wrote it, he’s here, also Jim Fournier. An A server, a B server, an information sharing agreement between those two. Salesforce can be the B server. JLINC, but it’s outside the browser. Second approach, we have a cookie we set ourselves as individuals. Server usually gives us a cookie, we could have a cookie that speaks to existing IAB standard in Europe that will say, don’t track me. I don’t consent to being tracked. Doing that in a default way.
Had a large session at MIT, hack day, to take apart the downstream. GitHub. With that spawned, even though Sam was on the road and had a life, a couple developers working with Don Marti at Mozilla came up with the Global Consent Manager.
It is a little hard to find but it is on GitHub. Available for Firefox now. I have it, looks pretty cool, does what we talked about last time. User-controlled GDPR consent cookies. Don at a session at Mozilla’s Mozfest in the U.K. next week. It’s rather large.
Q: I had this concept on consent receipt.
Doc: Kantara doing it. Doesn’t solve it. It memorializes it. I’ve not participated in that conversation. My interest is can we make sure it works the other way. It works both ways. Bravo for that. A very positive thing.
Mary Hodder: The spec has a schema, allows for recording of consents in both directions. There is a section for terms. The entity to some degree under the GDPR has a lot of control. The idea is if there is a set of terms that are offered, there should be a response, and how do you do that.
Q: More a tool for accountability afterward?
Mary: Yeah. It’s a contract. It’s owned by both parties. It’s co-created.
Q: It’s trying to give agency before & during the agreement.
Doc: The system we have now, actually a non-system, it gets fig leaf GDPR compliance. It becomes unmanageable for us. Jim Pasqual wants to do a session on Digi.Me to show all the consents you’ve given. Consent receipt may be involved in that. The problem with the world as we know it now but it doesn’t have to be, in 1995 we settled on client/server, but the Web is underneath inherently peer to peer. We have a way of giving them better signals. It moves into the realm of contract, which by the way most consents are. No reason we can’t have them going the other way and make much better signaling happen. The ad choices thing tells you you’re being tracked, but even if you check all those off, no way of going back and saying what happened there. Start with publishing problem area. The third rail that no journalist wants to touch, they’re just as bad at tracking you too. Getting them out of that business is not hard. Get Oath to serve up ads that are welcomed. One way to start scaffolding up better ways to interact.
Wendell: Vocabulary for expressing parts of the consent. I think you guys have that. Been hugely controversial even within IAB. Cross product of that relative to the entities that participate in those things. And the jurisdictional realm.
Doc: One reason we’re focusing on publishing, publishers not willing to track people. If all you’re doing is saying what from the site’s POV is a first-party ad. You’re Nike, want to be on a fitness site. Hiring Oath to place that ad on that site, fine as long as they don’t place a tracking cookie on the site. Let’s start there and work out the ontologies and the rest of it.
Wendell: A lot of people know what that means to have only first-party ads. Given that, we have publishers whose advertisers want to know who saw the ad.
Wendell: Do I get rights to go visit them?
Doc: This gets to a division between two types of advertising. In analog world, go to a bar, watch a game, it doesn’t know who is watching. I know Ford makes trucks called Ford Tough. That’s to their benefit. That’s branding. Brand advertising doesn’t need to know who everybody is. Direct marketing is. There’s the notion that the only worthwhile ad is one that’s fully accountable. With this case, there are a number of publishers and operators, like PRX, willing to participate in this. Other publications would like to be able to do that. Who’s the third party who could help us with that? Maybe Oath could help with that. Love to have it. Linux Journal, though they have a sales person, if there were an ad agency that wanted to do #NoStalking advertising, like Intel, we’re fine with telling them how many people saw the ad.
Q: Heard of the Cloudal Network? They were an ad network that did no tracking. He was losing the battle against tracking. Maybe he could become our engine.
Doc: There was an American ad agency that did non-tracking based stuff. We met them through Mozilla. I think Blog Ads when Henry Copeland ran it was similar. We’ve had a land rush to direct marketing. We expected enforcement of GDPR. That didn’t happen. Instead the user experience is much worse. Andrew came up with a clever idea.
Wendell: We can talk about why the DNT header fell down, could be asked and answered in your browser, never leave your machine, well received at W3C. A stream a lot like a preferences page, ask and answer these questions. A lot of sympathy now. ITP blocks third-party cookies. IAB questions, asking and answering in browser is a good deal. (??) Your idea is a good one. Get browser vendors to put it into a release. Not get involved with what happened to DNT. Then don’t have to have the current body of work is a lot of engineering.
Doc: The key is if we get some uniformity across the browser makers, that makes it easier for you guys.
Wendell: The taxonomy of your permissions is good. Controversy in IAB about what permissions shall be. You have one in Customer Commons. Get that into one of the mainline browsers or make your own browser using like Electron. Then send that out as a header and exhibit what a client side should do. From the server side, it’s a much easier conversation to have something to expect.
Doc: Make this as concrete as we possibly can.
Wendell: You have how many things you can consent to?
Doc: Right now it’s one. Consent is a thing because GDPR made it a thing. Basically it’s an invitation. We’re saying to the Web sites, be like it is in the physical world. Vogue, I had no problem with advertising. Just don’t track me off the site. That’s normative enough for pretty much everybody to understand. Trying to think what a browser maker would install that would do just that. DNT, advertiser wasn’t on the table, it’s just tracking.
Wendell: In order to show this is a choice, you have to have an affordance in the browser, they could have it turned on. There was an instance where Microsoft turned it off (??). Conversation with Brave at W3C user consent workshop, Thomas, PM of the Brave browser, you are expecting and consenting to no tracking. All these defaults turned on. If you want a secondary screen, turn the other way, okay, but it’s not going to be easy. It’s only when there’s not the control…
Doc: The IABs and Oaths of the world are cool with that?
Wendell: Yes. As opposed to browsers having no control. ITP, blocks single-page web apps with OpenID Connect, and reasonable experience for non-tech consumers who have a multi-domain experience. i.e. Oath, multiple domains serving content. More collateral damage than I think they expected. One design for DNT that was abandoned was a separate cookie jar, separate pop-up. Header sent out to websites as communication ordered, website was ordered to respect that. We could make enticements to turn that on, other side could say don’t do that, and that’s fine. But your idea is a great one. A lot of sympathy at this point to build that into the very browser.
Joyce: So now there’s an opening. If DNT showed up right now, much more openness to allowing it to be there.
Wendell: They were fighting the default. When a browser is installed, sign on first launch, would ask you all these questions, squirrel away all this knowledge never to be seen again. PC vendor would answer all these questions first. Or the used browser problem, and no way to go see that. Current environment is different law and different technical affordances. A lot of debates from the past 5 years could be replayed with a different outcome. A lot more education at this point. More sophistication on our side with chains of custody, tracking through the pipelines.
Doc: If DNT had never been invented, but came along now with that simple thing, there would be more friendliness to hearing that on the part of advertising.
Wendell: Publishers are proud people. Some are not so proud and operate differently. Some of us believe we have the privilege of asking the consumer base for their data. Might grant tracking to Yahoo and friends. Who are these friends? Current regulations, you have to list them. But also anyone you might do business with. That’s a giant list. That’s puzzling to people. The proposal of the header needs to express who else can get this. You could ask, on yesterday afternoon, did that data actually get over to that company?
Doc: Interesting, could watermark data in a way that’s traceable.
Q: I’m uncomfortable with the European Court being the arbiter of Web settings.
Doc: Don Marti found this, before Google started fudging their Google Trends graphs, a linear correlation between searches for retargeting and ad blocking. Ad blocking took off when retargeting took off. The Onion, woman stalked across 8 Web sites by obsessed shoe advertiser…intent casting. Project VRM Wiki, 20 some companies doing intent casting. Amazon is making big gains in the advertising world right now.