What is “Do Not Track”?

Let’s start with the definition of “Do Not Track” (or DNT). DNT allows users to opt-out of their online behavior being tracked on websites. 

Unlike other industry or proprietary opt-outs from online “tracking” stored in cookies that can be cleared or are imperfect because they’re stored server-side, in local storage, or elsewhere, the idea behind DNT was to create a simple, universal, and persistent opt-out.

It was supposed to work like this:

Every time your computer sends or receives information over the internet, the request begins with short pieces of information called headers that include information like what browser you’re using and other technical details.

The DNT signal would be included as a machine-readable header indicating a user didn’t want to be tracked. 

Because this signal is a header and not a cookie, users could clear their cookies without disrupting the functionality of the Do Not Track flag.

Where Did DNT Come From?

The idea of sending “DNT” requests in HTTP headers was first suggested around 2009 because of concerns over existing cookie-based and server-side user choice options that were confusing, difficult to use, and “fragile” (e.g., easily cleared or deleted). 

The proposal was an alternative to regulation and was endorsed by the U.S. Federal Trade Commission. In 2011, Safari and Firefox made it possible for users to select this option in their browsers, but websites and their AdTech vendors disagreed on what the signal meant. They, therefore, didn’t alter their behavior in response to it. Around the same time, Internet Explorer turned it on by default for its users.

The inconsistency led to the creation of a working group at the World Wide Web Consortium (W3C) tasked with standardizing the technical interaction and setting an agreement on what websites should do on receipt of the signal (the “Policy”).

The working group included publishers, AdTech companies, browser and software companies, and user advocates. There was hope for a compromise, but given competing commercial interests, the working group stalled in 2012.

How Did it End?

The umbrella online advertising trade organization, the Digital Advertising Alliance (DA,A), pulled support.

In 2014, Yahoo! dropped support from all of its websites, saying the standards were too murky to be helpful with their privacy team stating, “Right now, when a consumer puts Do Not Track in the header, we don’t know what they mean… Privacy is not a one size fits all thing.”

In 2015, Microsoft reversed its position clarifying that Internet Explorer would no longer send DNT signals to websites by default. By then, however, it was too late.

Why Did the “Do Not Track” Fail?

Because the parties at the table couldn’t agree on the policy underlying the signal. By all accounts for four main reasons:

• Opt-in or opt-out: Microsoft argued the browser should set it by default, and users could turn it off (opt-in). Others argued it should be actively set by the users (opt-out).
• Messaging: Who controls explaining this choice (and the value exchange) to consumers? Browsers? Publishers?
• Applicability: Should the signal apply uniformly to all parties, or should its application be different for different parties (e.g., could first parties like Google, Microsoft, and Yahoo ignore it for both their explicit content and third-party ad businesses) while third-party AdTech had to honor the choice?
• Proper response: What should parties stop doing on receipt of the signal? No data collection or use? No building or enhancing third-party profiles? Could they still run a contextual auction? Ad delivery using publisher audience data? Ad delivery using advertiser data? Frequency and recency capping? Fraud? Security detection? Something else?

Privacy Issues and Concerns

If this all sounds familiar, it’s because it’s the same issues we hear day-in and day out in the news, from regulators, from our clients and partners, in contract negotiations, and in industry working groups interpreting and solving for GDPR, CCPA/CPRA, Privacy Sandbox, etc. including the ads working group at W3C, the Global Privacy Control, IAB Transparency, and Consent Framework, IAB CCPA Framework, NAI Code, DAA Principles, AdChoices, etc.

Should users have to opt-in or out to ad tracking? What does “ad tracking” even mean? Should parties treat their direct consumer relationships differently? Is it up to gatekeepers such as Apple, Android, and ePrivacy to control consumer communications at the device level? Should gatekeepers control access to that data and not share it (Privacy Sandbox, Ads Data Hub)? Is there an overall better way to serve and measure ads?

How Can Identity and Data Protection Coexist?

This isn’t going away anytime soon. Look at history for those who think these conversations are new and can be easily solved with another opt-out or opt-in. Learn from the mistakes that have been made. Listen to those who’ve been down this path before. Acknowledge not all interests are aligned. Ideally, simplify as much as possible. Maybe even fundamentally change how things work.
Online advertising is going through drastic changes, and we can dive deeper into how privacy is changing digital advertising.

The post Do Not Track: A look at the DNT’s What, Whys and WTFs appeared first on TripleLift.

TripleLift is active in the various W3C (World Wide Web Consortium) working groups. The Improving Web Advertising Working Group, the Privacy Community Group, and the Private Advertising Technologies Working Group (PATCG).

Some are well-known proposals, like FLEDGE and PARAKEET. Still, one that hasn’t received as much attention is the Cookies Having Independent Partitioned State or CHIPS proposal in the Privacy Sandbox.

What is CHIPS?

CHIPS is part of Google Chrome’s efforts to deprecate support for third-party cookies. It’s a middle ground that permits third-party cookies to operate, but not across sites.

Today, third-party cookies permit the owner to see the same cookie ID across different sites the user visits. This lets the third party see that it’s the same user across multiple sites. CHIPS proposes the browser instead isolate the third-party cookies through the first-party scope. From the third-party perspective, their third-party cookies still permit them to identify users within a site. But they can no longer link the users across sites. 

Why Permit Some Third-Party Functionality? 

The CHIPS proposal outlines three core use cases CHIPS should enable: 

1. SaaS providers offer as a widget to a publisher that requires identifying different users within the scope of the first party but not across sites. 
2. Headless Content Management System providers, such as platforms, make it easy to manage blog content as a service. At the same time, let the first party control the actual blog content presentation on their first-party page. 
3. Sandbox domains serve untrusted user content, such as googleusercontent.com, a domain where Google users can upload content. Therefore, Google wishes to ensure the user-uploaded content can never be accessed by the cookies in the google.com domain. 

Limitations and Implementation of CHIPS 

To set cookies partitioned to the first party, third parties should add the new “Partitioned” attribute to the cookie. This signals to the browser the third party expects and intends to scope the cookie to the current first-party domain. Chrome proposes all partitioned cookies must be secure, including the Secure attribute and __HOST prefix. 

Looking Forward 

The CHIPS proposal is, on balance, an elegant solution. By continuing to rely on the technical rails of third-party cookies but limiting their scope to single sites, CHIPS threads the needle to help third parties move towards the first-party-scoped contexts for cookies that we expect to see when the Privacy Sandbox is fully implemented for all cross-site channels.

The post W3C Proposals Explained: Privacy With a Side of CHIPS appeared first on TripleLift.

The major browsers, Chrome (65% market share), Safari (19% market share), Edge (3% market share), and Firefox (3% market share), are making significant changes to how the web operates in the name of privacy. Some of these changes happen in secret, and some in the open, if you know where to look. The browsers regularly chat in meetings organized by the W3C to reach broad adoption and standardization. 

Chrome’s Privacy Sandbox and Topics — What’s the Latest?

Google’s Chrome, the largest browser by market share, has been very open about its goals and methods to achieve them. This includes responding to critical feedback with product changes. The core goal of Chrome’s efforts is to end the “pervasive cross-site tracking that has become the norm on the web and on top of which much of the web’s ability to deliver and monetize content has been built.” While Google recently announced that the third-party cookie deprecation will be postponed until 2024, its aim remains. That is, to improve people’s privacy while giving businesses the tools to succeed on the open web. 

The goal is to ensure that Chrome can isolate a user’s activity within Chrome. Usually, per a first-party website, the website the user is visiting. The challenge is that advertisers have poured money into online advertising because of the ability to measure ad effectiveness across sites. This removes the ability to attribute ad effectiveness across sites and might cause advertisers to only fund a few sites. Chrome, and Google, recognize that a large part of the diversity of the web owes to the ease with which a new website can quickly monetize content. Removing cross-site attribution would reduce the number of new websites. 

Is Safari the Privacy King of Web Browsers?

Safari’s goal is a subset of Apple’s goal to ensure everything stays on the device. Apple sells devices. Apple’s primary customers are iPhone purchasers. Apple sees itself as a gatekeeper to access those device users, and keeping user data on the device is a cornerstone of that belief. Safari, the default web browser on iOS devices, aggressively removes cross-site linking capabilities. Safari essentially removed support for third-party cookies and is working on permitting some limited coarse advertising attribution that prevents cross-site user behavior correlations from being linked. As a result, Apple’s Private Relay will obscure Apple users’ IP addresses when they visit websites, making IP addresses unreliable to use to reach users. 

How Microsoft Edge Does Privacy (And Drives Revenue for Publishers)

Microsoft’s Edge browser is working to increase user privacy without breaking site monetization. Edge has worked with partners and users to develop variable levels of traffic blocking. Users can choose from several levels of content blocking. Depending on the user’s convenience/privacy preferences, they range from permissive to very strict. In addition, Edge has been working in the W3C to propose technical standards that protect user privacy using differential privacy mechanisms, most notably PARAKEET. Some of this computation will occur on the device, and others may be on a server trusted to calculate minimum privacy guarantees. 

Microsoft Edge has been making rapid improvements to upgrade its privacy bona-fides. Recently, Edge has added support for more nuanced third-party cookie handling, a revamped user privacy settings page, and a few other valuable enhancements in a nod to the growing importance of consumer privacy. 

Firefox — Cookieless By Design

Finally, Firefox has made its core selling point its privacy benefits compared to the other browsers. So Firefox’s dedication to privacy issues is core to its survival. Firefox has taken an aggressive stance concerning third-party cookies and has used a list of known advertising companies to block traffic and content. In addition, Firefox introduced the idea of “containers,” an early move to isolate first-party relationships from third-party relationships, now a common theme amongst browsers. 

They also recently implemented the “Total Cookie Protection.” This offers enhanced protection against online tracking by limiting a website’s ability to read third-party cookies. This new feature goes along the lines of Mozilla’s privacy-focused development strategy, which sharply contrasts with Google Chrome. 

What Do Web Browsers Have in Common? 

Each web browser comes at the issue of privacy a bit differently. Still, they converge in one essential respect: to isolate a user’s activity on one web property to only the browser and that web property. This means that cross-site linking of individual users is in the path of the browser bulldozer and won’t survive the next few years. Without cross-site linking of ad exposure and conversion, determining where to spend ad dollars will become increasingly difficult for brands that want to buy ads across the web or support smaller websites. 

This trend isn’t limited to web browsers; we expect devices like mobile phones, IoT devices, video-playing hardware, etc., to follow a similar trend of keeping data on devices. However, by leaning into the new reality and preparing now, advertisers and publishers can better prepare themselves for the future. TripleLift has been working with publishers and advertisers and compiling best practices and what-to-expect guides. As well as for the forward-thinking partners we work with. With third-party cookies going away, it’s time to get pragmatic. 

The post How Web Browsers Aim to Save Tracking and Preserve Privacy appeared first on TripleLift.