Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Processing of attribution reports by third-party vendors #22

Closed
abebis opened this issue Aug 19, 2019 · 1 comment
Closed

Processing of attribution reports by third-party vendors #22

abebis opened this issue Aug 19, 2019 · 1 comment

Comments

@abebis
Copy link

abebis commented Aug 19, 2019

Given that

  1. publishers and advertisers may not have the capacity to process attribution reports sent by browsers

  2. advertisers will probably want/need to verify attribution reports provided by publishers (especially if the publisher and the ad network are controlled by the same entity, like Google search or Facebook),

it seems reasonable to provide a way for publishers or advertisers to specify a third-party vendor that would receive a copy of the attribution reports directly from the browser.

I am aware that this option is clearly excluded in the original Webkit blog post,

https://webkit.org/blog/8943/privacy-preserving-ad-click-attribution-for-the-web/

Only websites that users visit should be involved in measuring ad clicks and conversions. This means that opaque third-parties should not receive ad click attribution reports and we enforce it by requiring that the ad link is part of a first-party webpage and by only reporting on which first-party website a conversion happened.

but what are the concrete reasons, privacy or data-leakage concerns, behind this choice? Is the browser neutral enough (that may not be the case with Chrome) not to need any external verification?

Also, both proposals from the Web Advertising Business Group and Google Chrome seem to acknowledge the need for independent measurement and verification.

https://github.com/w3c/web-advertising/blob/master/admetrics.md

Browser providers may choose to add a reference to a controlled or externally recognized metrics server to act as an overall check of the validity of the aggregated metrics.

Without any option for permission delegation, I guess publishers and advertisers will rely more on CNAME records, which seems more opaque to the user and raise more security (cookie sharing?) issues than keeping domains separate?
@abebis
Copy link
Author

abebis commented Feb 12, 2020

This was later answered in #20

First, there are reasons for not sending attribution data to third parties:

The user perspective. Users need to have a reasonable chance of understanding to whom data is shared about their activities on the web, even if there are privacy preserving protections in place. Users don't know about the numerous third parties that are involved in online ads. What they do know is that they visited news.example or search.example and clicked/tapped an ad there to go to shop.example.
First party control. We've already discussed in #7 that third parties should be able to provide the link metadata adDestination and adCampaignID. If we were also to send attribution data to third parties, first parties would have no control over who claims what on their website. Even worse, if third parties were abusing PCM, first parties wouldn't have a way to detect it. All the data would flow to other players. We want first parties to get in control of attribution. In addition, first parties should be able to make business deals to have their attribution data analyzed. If they never see the data, they can't.

Ongoing discussion in #31

@abebis abebis closed this as completed Feb 12, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@abebis