User-Controlled GDPR Consent Cookie

From IIW

User-Controlled GDPR Consent Cookies

Thursday 1G

Convener: Andrew Hughes + Doc

Notes-taker(s): Andrew Hughes + Doc

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Andrew H. @IDIMAndrew

When the ad spaces go out to auction, the ad buyers are bidding, and publishing networks are active, they will be able to read users consents recorded in the IAB cookie and do fulfillments according to the instructions. These cookies will be passed down the chain as far as they need to go. 24 bits per site to encode the company.

Iain: They don’t want to expose the 300 entities on the list.

Andrew: Talks about what might go in the dialog boxes. The ad buyers will create a new domain with subdomains. We should hack it as hard as possible. Opening gambit. What if we have some sort of privacy/cookie/consent manager – privacy dashboard – a script or browser plug-in which lets me write these cookies. We’ll know the encoding. We can flip the bits.

Q: It’s your browser.

Q: Depending on what they dictate, if it’s HTTP only, it won’t be accessible to Javascript – except as an add-on.

Q: It’s just like Grease Monkey.

Q: Ad blockers will be able to identify which domains serve this.

Q: If you have this cookie already, the gauntlet won’t happen. The cookie has an identifier that will correlate across sites. Jenny identifier would make everyone show up as the same person. Phone companies stopped issuing this phone number. Any grocery store, key in 867-5309. Known as the Jenny discount. We have the opportunity to get the Jenny discount.

Doc: We could go to the EFF, Privacy Badger, they would be glad to. We need tracking protection to jump out behind the perception as ad blocking. It one ups the awful system Ad Block Plus has, a complex system Google pays us to pass through their stuff alone.

Joe Andrieu: We’re creating an auto-consent, which is undoing GDPR.

Doc: Does this mess with the GDPR in some way, the letter or the spirit? Does this have a simple order that still permits through other forms of advertising? Wendell said one of those six things says this person wants DNT as it was originally intended. But I don’t know.

Joe: What will publishers do when you say no?

Andrew: Wendell does not speak for the IAB. No one knows what’s going to happen. Every European Web site had a popup for cookies.

Doc: If we do this right, the incentive alignment that works for the publishers, who jobbed out income production to ad tech ecosystem, Google said to publishers you’re on your own. The incentive for publishers is you can still have advertising provided no tracking.

Andrew: If you do not consent, you have to have an equivalent experience. So it won’t be like a black screen in most cases.

Adrian Gropper: Another dimension, to the extent GDPR forces them to be more transparent to what happens down the chain, we want to collect this information and make it useful in some way. We should as the spec comes out try to leverage the transparency component to either make it easier to score Web site practices or to identify particularly egregious things going on the chain. Things none of the ad blockers are doing. Privacy Badger is inscrutable. I’m tempted not to change the sliders.

Doc: If we do this in a clear enough way, I can go to Berkman and ask for research to follow up on this.

Andrew: Presumably you can read these cookies and start doing analysis on them.

Q: If the browser can’t send a cookie down, the spec says if not one from browser, they make up “no cookie” signal

Doc: The original purpose of the cookie taken off? A negative thing for a lot of users. We need to throw some conditionality in there.

Sam: The tool just saying no all the time may not be in the best interest of the user.

Doc: Does the first party only condition apply here and solve the remember my state problem.

Q: You could say I will allow you to store a cookie but no tracking, analytics. First party ads only.

Conditionality in the privacy manager, give them the cookie that allows storing cookies only for first parties and no to all third parties coming to the page.

Doc: Puts publisher interest in alignment with ours. Takes the third party ad tech system off the table.

Q: Every time I go to a new publisher, am I going to see this splash screen.

Andrew: That’s why the starting premise is modification rather than blocking.

Q: Say it gets done through Privacy Badger. If it’s big enough, this system will go away.

Doc: It’s not that big, but it could be big if we play it right. Infinite amount of fear on the part of publishers.

Q: If we can convince U Block.

Q: Has Ghostery gone to the dark side?

Doc: Gone to the light side.

Andrew: This is a moving target. I’m sure they’re working on something past day one that will work properly.

Q: How to use verifiable credential to transmit my terms to each Web site.

Sam: You’re preemptively giving them version 2.

Nathan George: I don’t have to interact with the Web site to say my permission has ended. When I revoke, I want all third party stuff to stop tracking me.

Q: Give them a better solution that is user centric. Not only do you get veriability--

Jlinc Q: A lot of people between the person paying for the ad and a customer. You’re disintermediating the ad industry. It’s a good result.

Andrew: Given what they understand, the industry knows users will not want to participate...the question is how do we get a plausible list of carrots to them?

Doc: To publishers the carrot is you still get to advertising, and sponsorships. You can’t get sponsorship with ad tech, which is just chasing eyeballs. So sponsorship comes back and a working ad model. And branding can happen again. A trillion dollars has been spent on ad tech without creating a single brand.

Q: It automates compliance and has tamper-proof storage of consent receipt. Reduces risk on ad tech side. We have these verifiable credentials from the user. It’s mitigation of risk on their part.

Doc: Risk mitigation for publishers and advertisers for GDPR compliance. Addresses spirit if not the letter of GDPR. For the IAB, you still get to be interactive and programmatic. You just don’t get to track. You move into intentcasting, customer-qualified leads.

Sam: Annoying to them, if I go buy a widget from Amazon, I will get advertised for the next two weeks. I could say I’m interested in headphones, they can act on that with permission.

Doc: The actual problem there is the dishonesty on the part of Amazon is intentional. Headphone maker has given coop money to Amazon, lies about who a qualified lead is. Incentive for Bose is to pull some of the dishonesty out of the system.

Adrian: What’s Brave going to do?

Doc: He’s adaptable. He needs to be in this conversation.

Q: Need to segment, what some parts of the industry perceive as a carrot others perceive as a threat.

Q; If any one organization steps forward, they’ll get crushed. Tell Mozilla to stop ruining the Internet. It was horrible. Leadership walked away from DNT.

Doc: The other browser makers could have stepped up and they didn’t. The IAB right now is staggering back from the power of the GDPR. And E Privacy is coming along after that. Even though GDPR is watered down, the spirit is exactly what we’re going after here.

Q: How set is the format of that cookie?

Andrew: It’s a spec right now.

Q: Could it go to a macaroon? They could change it in the future.

Andrew: If they view this as a threat, they will use countermeasures. We need to help them find version 2.

Q: If you move in this direction, we can automate GDPR for you.

Doc: Risk is always on the table, especially here. They’re thinking which awful tradeoff? Put intentcasting back on the table. That’s good for advertisers and to a lesser degree publishers.

W3C Q: Once you start getting verifiable claims and blockchain on the table, advertisers are worried about ad fraud. Replacing with something blockchain based has exciting possibilities. Reducing possibility of the site being hacked. Also you can fulfill ads faster. You don’t have to do an HTTP request. You have a local cache of it. You can save a number of milliseconds for every ad.

Q: Ad block speeds up your experience on the Web.

Doc: It’s not that programmatic goes away. Tracking does. Throw intentcasting in there, can be communicated faster.

Q: How do you build an onboarding process that isn’t a PITA. Need a UX/design team.

Q: Let’s call Mozilla. They have a whole team studying this for many years. Reams of information on UX on consent and interaction. Interact with the browser vendors.

Doc: Who’s on board for making this happen and how do we do it? W3C, Mozilla. I can host a list at Project VRM. Linux. Take the energy in this room to hack this thing.

Q: Kantara has been thinking about this. We can do mailing lists, working groups. Hyperledger.

Joe: If we want the browser vendors involved, W3C. A long process, challenge. I chair the credentials community group.

Q: I can offer setting up infrastructure this afternoon. We need the air cover a standards body can provide.

Q: IEEE Privacy Engineering Steering Group.

Doc: Making by the 25th a plug in or add on involving any of these. EFF Privacy Manager?

Dave Crocker: You dont want that many groups. Start with a targeted set to get the initial implementation spec’d and done in 3 weeks.

Sam: First phase is do the cookie hijacking, technically simpler to do. Verifiable claims is longer term.

Adrian: Two aspects to GDPR. Consent/consent receipts/verifiable claims is only half. All the transparency issues built into GDPR compliance have to do with how your privacy information was actually used. Nothing to do with consent. I tend to think Kantara is the place most likely to fit this model. But I don’t want to just pay attention to the consent aspects. Unless we can understand who is responsible for reporting, we’re not dealing with the GDPR.

Q: We should talk about people.

Q: You need a hit squad to do this in this timeframe. The labeling is so important. Cookie anticipation might be a more affirmative label. Talk to the other folks.

Joe: They’re using only 6 bits out of 40 (??). Tell them have a bit for the consent terms you’ve been talking about. Respend to IAB with specific user-asserted terms of consent.

Doc: Who here is fluent in how to do that?

Sam: A huge business advantage to someone who is already in the business doing it.

Doc: Joe’s idea suggests we have a list of who is on board and who/what we need.

Joe: Just respond to the IAB, these are the six terms you should put in that cookie. I can work with you on that. We’ve got a week to do it.

Q: Quoted from IAB document, page 7. Cookies aren’t a long-term solution.

IAB Transparency and Consent Framework.

Doc: And a mobile app.

IIW26 Th 1G User-ControlledGDPRConsentCookies.jpg